1 Azure AD Password Protection now available to all Azure AD customers – Win10.Guru
If you’ve ever tried to set up a Microsoft account (MSA) or change an MSA or Office 365 / Azure AD (AAD) account password, you may have seen this:

This is because of Azure AD Password Protection, a list of banned and common passwords. The list is exposed through the Microsoft Graph API (GraphAPI) and currently contains almost 600 of the most common passwords and over one million variations upon them (character substitutions such as € for E or 7 for T). It’s no use trying to change the current password to something like Password1, Pa$$WoRd1, 12345678 or the like. Azure AD Password Protection does not accept them either, and prompts users to choose another password instead.

Azure Password Protection and Azure Smart Lockout are now available to all Azure AD customers. Smart Lockout defines how many failed login attempts are allowed before lockout occurs, and how long the lockout lasts.

Azure AD Password Protection

Azure Password Protection is available to and can be enforced by any Azure AD connected domain using the default list of most common passwords. Azure AD Premium subscribers can also add custom banned passwords to the list, and add Azure Password Protection to on-premises AD servers by downloading and installing the necessary add-ons (https://www.microsoft.com/en-us/download/details.aspx?id=57071).

To change the defaults, sign in to the Azure AD admin panel and select Azure Active Directory > Authentication methods:

Azure AD Password Protection settings (screenshot).

AAD Premium subscribers should supplement the banned password list with at least their company’s name, trademarks, locations and such to take care of the most abused passwords. If your organization is Contoso Inc. in Liverpool UK, you might want to add Contoso, Contoso1, Liverpool, Liverpool123 and so on to the list, just to give a few examples. Anything you add to your list is checked in addition to Microsoft’s default list.

Azure Smart Lockout

Azure Smart Lockout determines how many failed login attempts will lock the user out and for how long. By default the values are a 60 second lockout after 10 failed attempts. Each subsequent failed attempt increases the lockout period. Both values are reset to their defaults after a successful login. The idea is that unauthorized users are kept out while they guess password variations, while legitimate users can still sign in. As an Azure AD admin you can check the logs from Azure Active Directory > Activity > Sign-ins to see whether a lockout was caused by an accidentally mistyped password or by an unauthorized attempt, by checking the location and IP address:

Azure AD sign-in log showing whether a login attempt was valid or unauthorized (screenshot).

Microsoft Graph API

If you are familiar with GraphAPI, you can always check and modify Azure Password Protection settings in the Microsoft Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer). Select the beta version, enter the URL https://graph.microsoft.com/beta/DOMAIN/settings/ replacing DOMAIN with any of your organization’s domains connected to the tenant in question, and click Run Query:

GraphAPI query in Graph Explorer (screenshot).

In my example case, the query shows our Password Protection settings like this:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#settings",
    "value": [
        {
            "id": "a2321d3b-34b5-4e0e-9c1b-de8b49e43bbb",
            "displayName": "Password Rule Settings",
            "templateId": "5cf42378-d67d-4f36-ba46-e8b86229381d",
            "values": [
                {
                    "name": "BannedPasswordCheckOnPremisesMode",
                    "value": "Enforce"
                },
                {
                    "name": "EnableBannedPasswordCheckOnPremises",
                    "value": "True"
                },
                {
                    "name": "EnableBannedPasswordCheck",
                    "value": "True"
                },
                {
                    "name": "LockoutDurationInSeconds",
                    "value": "120"
                },
                {
                    "name": "LockoutThreshold",
                    "value": "5"
                },
                {
                    "name": "BannedPasswordList",
                    "value": "win10guru"
                }
            ]
        }
    ]
}


Note that Azure Password Protection is tenant-wide; you cannot have different settings per domain on the same tenant. All settings for domain Contoso1 are automatically applied to domain Contoso2 if it is on the same tenant as Contoso1.
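As an added example (not code from the original post or from Microsoft), the following Python script parses a settings response shaped like the one above and checks it against a simple baseline, so you can spot a tenant where the banned-password check is off, on-premises mode is still Audit, or lockout is laxer than the defaults. The sample document, the baseline thresholds and the assumption that BannedPasswordList stores its custom terms tab-separated are mine.

```python
import json

# Constructed sample shaped like the post's Graph response (every value is a string).
SAMPLE_SETTINGS = json.dumps({"value": [{
    "displayName": "Password Rule Settings",
    "templateId": "5cf42378-d67d-4f36-ba46-e8b86229381d",
    "values": [
        {"name": "BannedPasswordCheckOnPremisesMode", "value": "Audit"},
        {"name": "EnableBannedPasswordCheckOnPremises", "value": "True"},
        {"name": "EnableBannedPasswordCheck", "value": "True"},
        {"name": "LockoutDurationInSeconds", "value": "30"},
        {"name": "LockoutThreshold", "value": "50"},
        {"name": "BannedPasswordList", "value": "contoso\tliverpool"},
    ]}]})


def parse_password_rules(raw_json):
    """Pick the Password Rule Settings object out of a /settings response
    and convert its string-typed values into Python types."""
    for setting in json.loads(raw_json).get("value", []):
        if setting.get("displayName") != "Password Rule Settings":
            continue
        rules = {v["name"]: v["value"] for v in setting.get("values", [])}
        return {
            "cloud_check": rules.get("EnableBannedPasswordCheck") == "True",
            "onprem_check": rules.get("EnableBannedPasswordCheckOnPremises") == "True",
            "onprem_mode": rules.get("BannedPasswordCheckOnPremisesMode", ""),
            "threshold": int(rules.get("LockoutThreshold", "0")),
            "seconds": int(rules.get("LockoutDurationInSeconds", "0")),
            # Assumption: custom terms are stored tab-separated; adjust if your tenant differs.
            "banned": {t.lower() for t in rules.get("BannedPasswordList", "").split("\t") if t},
        }
    return None


def audit(rules, required_terms, max_threshold=10, min_seconds=60):
    """Compare parsed rules with a baseline and return a list of findings
    (empty means compliant). Defaults mirror the lockout defaults stated above."""
    findings = []
    if not rules["cloud_check"]:
        findings.append("cloud banned-password check is disabled")
    if rules["onprem_check"] and rules["onprem_mode"] != "Enforce":
        findings.append("on-premises check is in %s mode, not Enforce" % rules["onprem_mode"])
    if rules["threshold"] > max_threshold:
        findings.append("lockout threshold %d exceeds %d" % (rules["threshold"], max_threshold))
    if rules["seconds"] < min_seconds:
        findings.append("lockout duration %ds is below %ds" % (rules["seconds"], min_seconds))
    missing = sorted(set(t.lower() for t in required_terms) - rules["banned"])
    if missing:
        findings.append("custom banned list lacks: " + ", ".join(missing))
    return findings
```

Run `audit(parse_password_rules(SAMPLE_SETTINGS), ["Contoso", "Contoso1", "Liverpool"])` to see the four findings the constructed sample produces; point `parse_password_rules` at the JSON you copy out of Graph Explorer to audit your own tenant.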

All in all, your users will be quite well protected when you enforce two-factor authentication and Azure Password Protection. I sincerely recommend both.

Kari

Author: Kari Finn

A Windows Insider MVP, Kari started in computing in the mid 80’s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at number #1 Windows site TenForums.com.
