The correct place to set the requirement for rotating passwords every 90 days is in the Master Policy. Master Policies are designed to enforce organization-wide security policies, including password rotation schedules. Configuring it in the Master Policy ensures that all relevant systems and users adhere to this rule, maintaining a unified and consistent security posture.