Description

Microsoft Azure applies a default global banned password list to all user and admin accounts that are created and managed directly in Microsoft Entra ID. The Microsoft Entra password policy does not apply to user accounts that are synchronized from an on-premises Active Directory environment, unless Microsoft Entra ID Connect is used and EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled. Review the Default Value section for more detail on the password policy. For increased password security, a custom banned password list is recommended

Rationale

Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.

Impact

Increasing needed password complexity might increase overhead on administration of user accounts. Licensing requirement for Global Banned Password List and Custom Banned Password list requires Microsoft Entra ID P1 or P2. On-premises Active Directory Domain Services users that are not synchronized to Microsoft Entra ID also benefit from Microsoft Entra ID Password Protection based on existing licensing for synchronized users.

Audit

From Azure Portal

From Azure Home select the Portal Menu.
Select Microsoft Entra ID.
Under Manage, select Security.
Under Manage, select Authentication Methods.
Under Manage, select Password Protection.
Ensure Enforce custom list is set to Yes.
Scroll through the list to view the enforced passwords.

Default Value

By default the custom bad password list is not Enabled. Organizational-specific terms can be added to the custom banned password list, such as the following examples:

Brand names
Product names
Locations, such as company headquarters
Company-specific internal terms
Abbreviations that have specific company meaning
Months and weekdays with your company's local languages

The default Azure bad password policy is already applied to your resources which applies the following basic requirements:

Characters allowed

Uppercase characters (A - Z)
Lowercase characters (a - z)
Numbers (0 - 9)
Symbols:
@ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ; < >
blank space

Characters not allowed

Unicode characters

Password length

Passwords require:

A minimum of eight characters
A maximum of 256 characters

Password complexity

Passwords require three out of four of the following categories:

Uppercase characters
Lowercase characters
Numbers
Symbols

Note: Password complexity check isn't required for Education tenants.

Password not recently used

When a user changes or resets their password, the new password can't be the same as the current or recently used passwords.
Password isn't banned by Entra ID Password Protection.
The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization.

Evaluation

New passwords are evaluated for strength and complexity by validating against the combined list of terms from the global and custom banned password lists. Even if a user's password contains a banned password, the password may be accepted if the overall password is otherwise strong enough.

Rationale​

Impact​

Audit​

From Azure Portal​

Default Value​

Characters allowed​

Characters not allowed​

Password length​

Password complexity​

Password not recently used​

Evaluation​

References​