🛡️ Microsoft Entra ID Custom Banned Password List is not enforced🟢⚪

• Contextual name: 🛡️ Custom Banned Password List is not enforced🟢⚪
• ID: /ce/ca/azure/microsoft-entra-id/custom-banned-password-list
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Description

Open File

Description

Microsoft Azure applies a default global banned password list to all user and admin accounts that are created and managed directly in Microsoft Entra ID. The Microsoft Entra password policy does not apply to user accounts that are synchronized from an on-premises Active Directory environment, unless Microsoft Entra ID Connect is used and EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled. Review the Default Value section for more detail on the password policy. For increased password security, a custom banned password list is recommended

Rationale

Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.

Impact

Increasing needed password complexity might increase overhead on administration of user accounts. Licensing requirement for Global Banned Password List and Custom Banned Password list requires Microsoft Entra ID P1 or P2. On-premises Active Directory Domain Services users that are not synchronized to Microsoft Entra ID also benefit from Microsoft Entra ID Password Protection based on existing licensing for synchronized users.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. From Azure Home select the Portal Menu.
2. Select Microsoft Entra ID.
3. Under Manage, select Security.
4. Under Manage, select Authentication Methods.
5. Under Manage, select Password Protection.
6. Set the Enforce custom list option to Yes.
7. Click in the Custom banned password list text box.
8. Add a list of words, one per line, to prevent users from using in passwords.
9. Click Save.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v2.1.0 → 💼 1.6 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization - Level 1 (Manual)			1		no data
💼 CIS Azure v3.0.0 → 💼 2.8 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization (Manual)			1		no data
💼 CIS Azure v4.0.0 → 💼 6.8 Ensure that a 'Custom banned password list' is set to 'Enforce' (Manual)			1		no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			18		no data