Azure AD password protection is a feature that enhances password policies in an organization for both on-premises and cloud environments. An on-premises deployment of password protection uses both the global and custom banned-password lists that are stored in Azure AD. It does the same checks on-premises as Azure AD does for cloud-based changes. These checks are performed during password changes and password reset scenarios.
Azure AD Password Protection has no additional infrastructure requirements for a cloud-only deployment. For on-premises integration, it requires the Azure AD Password Protection Proxy service to be installed on Windows Server 2012 R2 or later. This service can be co-located on an existing server, including the Azure AD Connect server. In addition, every domain controller that requires monitoring needs the DC agent installed, and a reboot of each DC should be anticipated during installation. The following shows the overall architecture and flow:
Azure AD Password Protection is configured entirely within the Azure AD tenant. Azure AD Premium P1 or P2 licenses are required for on-premises integration (additional deployment steps are required). On-premises Windows Server Active Directory users that are not synchronized to Azure Active Directory also benefit from Azure AD Password Protection, based on the existing licensing for synchronized users. The following shows the settings and what each option is for.
Whenever a user changes or resets their password, the new password is run through Microsoft's algorithm to check whether it is strong enough. The check is based on a scoring system and a combined list of terms from the global and custom banned password lists. Several items are checked when evaluating a new password, and a score is then produced, including:
- Global banned password list
- Custom banned password list
- Fuzzy/Substring matching
Global banned password list
Microsoft controls and maintains a non-public list of banned passwords. When new terms are found and identified, they are added to the global banned password list. This list is not generated from any external data source, but from the organizations connected to Microsoft's services: Microsoft constantly analyzes telemetry data from all of them, looking for commonly used passwords that are weak or compromised.
Whenever a new password is changed or reset for any user in any tenant in Azure AD, the current version of the global banned password list is used as the key input when validating the strength of the password. This validation results in much stronger passwords for all Azure AD customers.
Custom banned password list
In addition to the Microsoft-managed global banned password list, organizations can add their own words to what Microsoft calls the custom banned password list. This allows organizations to add their own unique words, phrases, and/or nicknames to increase security and prevent password combinations that are guessable from public knowledge of the organization. Microsoft recommends that terms added to this list focus primarily on organization-specific terms such as:
- Brand names
- Product names
- Locations (for example, such as company headquarters)
- Company-specific internal terms
- Abbreviations that have specific company meaning, such as ETC
Once words are added to the custom banned password list, they will be combined with the words in the global banned password list when validating passwords. The custom banned password list has the following restrictions:
- The custom banned password list can contain up to 1000 terms.
- The custom banned password list is case-insensitive. All words are normalized to lowercase.
- The custom banned password list considers common character substitutions, for example "o" and "0" or "a" and "@". You do not need to add multiple variants of a word; a normalization process takes care of this.
- The minimum string length is 4 characters and the maximum is 16 characters.
Normalization performs two steps on the proposed new password. First, all uppercase letters are changed to lower case. Second, commonly used character substitutions (typically made to meet complexity requirements) are undone, for example:
The next step is to identify all instances of banned passwords in the user's normalized new password. Even if a user's password contains a banned password, the password may still be accepted if the overall password is otherwise strong enough (for example, "password" repeated five times in a row will be accepted). A proposed new password goes through the following steps to assess its overall strength and determine whether it should be accepted or rejected.
- Each banned password that is found is given one point.
- Each remaining unique character is given one point.
- A password must be at least five (5) points for it to be accepted.
- 3N@b1iNgP@$$w0rd1 would convert to [enabling] + [password] + [1]. This would only score 3 points and be rejected.
- enablingisthe#1 would convert to [enabling] + [is] + [the] + [#] + [1]. This would score 5 points and be accepted.
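The normalize-then-match-then-score pipeline described above, and the custom-list restrictions listed earlier, as an added worked example. This is illustration code written for this post, not Microsoft's implementation: the substitution table (the post only names o/0 and a/@; the rest are common leetspeak pairs assumed so the post's two examples normalize as shown), the banned-term lists, and the rule for choosing which rejection message is shown are all constructed assumptions. Matching here is substring-only; the fuzzy matching the post lists is not modelled.

```python
"""Toy model of the Azure AD Password Protection scoring flow.
Added illustration only; substitution table, banned lists and the message
selection rule are constructed assumptions, not Microsoft's real logic."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed substitution table: post names only o/0 and a/@; the others are
# common leetspeak pairs chosen so the post's own examples normalize as shown.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "@": "a", "$": "s"})

# Constructed sample lists (Microsoft's real global list is not public).
GLOBAL_BANNED = {"password", "is", "the", "welcome", "qwerty"}
CUSTOM_BANNED = {"enabling"}  # organization-specific term an admin would add

MIN_SCORE = 5
CUSTOM_TERM_MIN, CUSTOM_TERM_MAX, CUSTOM_LIST_MAX = 4, 16, 1000

GLOBAL_MSG = ("Unfortunately, your password contains a word, phrase, or pattern that "
              "makes your password easily guessable. Please try again with a different password.")
CUSTOM_MSG = ("Unfortunately, you can't use that password because it contains words or "
              "characters that have been blocked by your administrator. "
              "Please try again with a different password.")


def normalize(password: str) -> str:
    """Step 1: lowercase. Step 2: undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


@dataclass
class Evaluation:
    normalized: str
    matched: List[str] = field(default_factory=list)  # banned terms found, in order
    residual: str = ""                                 # characters not covered by a match

    @property
    def score(self) -> int:
        # One point per banned term found, plus one point per remaining UNIQUE character.
        return len(self.matched) + len(set(self.residual))

    @property
    def accepted(self) -> bool:
        return self.score >= MIN_SCORE

    @property
    def message(self) -> Optional[str]:
        if self.accepted:
            return None
        # Assumption: the "blocked by your administrator" text is shown when a
        # custom-list term contributed to the rejection; otherwise the generic text.
        return CUSTOM_MSG if any(t in CUSTOM_BANNED for t in self.matched) else GLOBAL_MSG


def evaluate(password: str) -> Evaluation:
    """Scan the normalized password left to right, consuming the longest banned
    term that starts at each position; anything not consumed is residual."""
    terms = sorted(GLOBAL_BANNED | CUSTOM_BANNED, key=len, reverse=True)
    ev = Evaluation(normalized=normalize(password))
    s, i = ev.normalized, 0
    while i < len(s):
        for term in terms:
            if s.startswith(term, i):
                ev.matched.append(term)
                i += len(term)
                break
        else:
            ev.residual += s[i]
            i += 1
    return ev


def validate_custom_terms(terms: List[str]) -> List[str]:
    """Apply the post's restrictions to a proposed custom list: at most 1000
    entries, each 4-16 characters, normalized so case and leetspeak variants
    of the same word collapse into one entry."""
    if len(terms) > CUSTOM_LIST_MAX:
        raise ValueError(f"custom list is limited to {CUSTOM_LIST_MAX} terms")
    normalized = set()
    for t in terms:
        n = normalize(t)
        if not CUSTOM_TERM_MIN <= len(n) <= CUSTOM_TERM_MAX:
            raise ValueError(f"{t!r}: terms must be {CUSTOM_TERM_MIN}-{CUSTOM_TERM_MAX} characters")
        normalized.add(n)
    return sorted(normalized)


if __name__ == "__main__":
    # The post's two examples plus the "password" x5 case it mentions.
    for pw in ["3N@b1iNgP@$$w0rd1", "enablingisthe#1", "password" * 5, "P@ssw0rd"]:
        ev = evaluate(pw)
        print(f"{pw!r:44} -> {ev.normalized!r} matched={ev.matched} "
              f"residual={ev.residual!r} score={ev.score} accepted={ev.accepted}")
        if ev.message:
            print("   ", ev.message)
    # Constructed candidate terms: variants of one word collapse, "AcmeHQ" is a sample location term.
    print(validate_custom_terms(["Enabling", "3n@bling", "AcmeHQ"]))
```

Running it reproduces the post's arithmetic: the first password normalizes to [enabling] + [password] + one leftover character for 3 points (rejected), the second to [enabling] + [is] + [the] + two leftover characters for 5 points (accepted), and "password" repeated five times scores 5 from the matches alone. The unique-character rule is what makes padding with repeated characters useless for reaching the threshold.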
When a user attempts to reset a password to something that would be banned, they see one of the following error messages:
- Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.
- Unfortunately, you can't use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password.
Passwords will still be around for most of this new decade. Even with passwordless options available today, most organizations are not yet prepared to adopt them. Having a good password policy is important, but users can still game any legacy on-premises policy with tactics such as appending a 1 or altering a single character; if the original password is leaked, the new password is just as vulnerable. Azure AD Password Protection extends modern techniques to help better protect your organization by using Microsoft's algorithm and variant detection. Azure AD Password Protection is just one layer of protection. Multiple layers of protection should be enabled, such as Azure MFA, to ensure a secure and productive environment. Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft best practices while maintaining a secure and productive environment. You can check out more in the Security section of our website.