π Microsoft Entra ID Custom Banned Password List is not enforced π’
- Contextual name: π Custom Banned Password List is not enforced π’
- ID:
/ce/ca/azure/microsoft-entra-id/custom-banned-password-list - Located in: π Microsoft Entra ID
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Descriptionβ
Descriptionβ
Microsoft Azure applies a default global banned password list to all user and admin accounts that are created and managed directly in Microsoft Entra ID. The Microsoft Entra password policy does not apply to user accounts that are synchronized from an on-premises Active Directory environment, unless Microsoft Entra ID Connect is used and
EnforceCloudPasswordPolicyForPasswordSyncedUsersis enabled. Review theDefault Valuesection for more detail on the password policy. For increased password security, a custom banned password list is recommendedRationaleβ
Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.
Impactβ
Increasing needed password complexity might increase overhead on administration of user accounts. Licensing requirement for Global Banned Password List and Custom Banned Password list requires Microsoft Entra ID P1 or P2. On-premises Active Directory Domain Services users that are not synchronized to Microsoft Entra ID also benefit from Microsoft Entra ID Password Protection based on existing licensing for synchronized users.
... see more
Remediationβ
Remediationβ
From Azure Portalβ
- From Azure Home select the Portal Menu.
- Select
Microsoft Entra ID.- Under
Manage, selectSecurity.- Under
Manage, selectAuthentication Methods.- Under
Manage, selectPassword Protection.- Set the
Enforce custom listoption toYes.- Click in the
Custom banned password listtext box.- Add a list of words, one per line, to prevent users from using in passwords.
- Click
Save.
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS Azure v2.1.0 β πΌ 1.6 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization - Level 1 (Manual) | 1 | |||
| πΌ CIS Azure v3.0.0 β πΌ 2.8 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization (Manual) | 1 | |||
| πΌ CIS Azure v4.0.0 β πΌ 6.8 Ensure that a 'Custom banned password list' is set to 'Enforce' (Manual) | 1 | |||
| πΌ Cloudaware Framework β πΌ Credential Lifecycle Management | 18 |