π Microsoft Entra ID Custom Banned Password List is not enforced π’
- Contextual name: π Custom Banned Password List is not enforced π’
- ID:
/ce/ca/azure/microsoft-entra-id/custom-banned-password-list - Located in: π Microsoft Entra ID
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Descriptionβ
Descriptionβ
Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Microsoft Entra ID Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy.
Rationaleβ
Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.
Impactβ
Increasing needed password complexity might increase overhead on administration of user accounts. Licensing requirement for Global Banned Password List and Custom Banned Password list requires Microsoft Entra ID P1 or P2. On-premises Active Directory Domain Services users that are not synchronized to Microsoft Entra ID also benefit from Microsoft Entra ID Password Protection based on existing licensing for synchronized users.
... see more
Remediationβ
Remediationβ
From Azure Portalβ
- From Azure Home select the Portal Menu.
- Select
Microsoft Entra ID.- Under
Manage, selectSecurity.- Under
Manage, selectAuthentication Methods.- Under
Manage, selectPassword Protection.- Set the
Enforce custom listoption toYes.- Click in the
Custom banned password listtext box to add a string.- Click
Save.
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS Azure v2.1.0 β πΌ 1.6 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization - Level 1 (Manual) | 1 | |||
| πΌ CIS Azure v3.0.0 β πΌ 2.8 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization (Manual) | 1 | |||
| πΌ Cloudaware Framework β πΌ Credential Lifecycle Management | 17 |