Introduction
Today’s blog is about one of the features within Azure AD called Azure AD Password Protection. In practice, you see that this is a feature that is not configured by many organizations yet; I would say it is underexposed.
Password Protection improves the security of organizations that use an Azure AD identity or a Hybrid Azure AD identity with a password. Most people are not familiar with how Password Protection works. I hope that after reading this blog, you will have an idea of the power of this feature.
With Azure AD Password Protection you protect your organization against simple passwords: it prevents users from setting passwords that are on the global or custom banned password list.
Today, with most people working from home because of the COVID-19 virus, you would like your users to secure their identity when accessing company data. One of the requirements for users is changing their passwords. Most users create simple passwords because they already have to remember their other 10 passwords. With Password Protection, you force users to follow the company policy.
Note: Please keep in mind that using Azure MFA reduces the risk of getting hacked by 99.9 percent. If you don’t have this configured yet, please consider configuring it to secure the identity of the company users by adding second-factor authentication.
Configuration
Azure AD password protection has some pre-configured settings that can be changed. I will describe each setting:
1. Lockout threshold: How many failed sign-ins are allowed on an account before its first lockout. If the first sign-in after a lockout also fails, the account locks out again.
2. Lockout duration in seconds: The minimum length in seconds of each lockout. If an account locks repeatedly, this duration increases.
3. Enforce custom list: When enabled, the words in the list that you configure are used in the banned password system to prevent easy-to-guess passwords.
4. Enable password protection on Windows Server Active Directory: If set to Yes, password protection is turned on for Active Directory domain controllers when the appropriate agent is installed. More information regarding this can be found here.
5. Mode: If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged.
Note: Keep in mind that password protection only works on newly set passwords. It won’t check passwords that were configured earlier.
Custom banned password list
One of the features of Azure AD Password Protection is the custom banned password list. With this feature, you can configure your own list of passwords that cannot be used within the organization and should be banned. Keep in mind that this requires an AAD P1 or AAD P2 license.
Microsoft recommends that terms added to this list are primarily focused on organizational-specific terms such as:
- Brand names
- Product names
- Locations (for example, the company headquarters)
- Company-specific internal terms
- Abbreviations that have specific company meaning
Once terms are added to the custom banned password list, they will be combined with the terms in the global banned password list when validating passwords.

Microsoft global banned password list
Apart from the custom banned password list, Microsoft also has a non-public banned password list. This banned password list is maintained by the Azure AD Identity Protection team. They are constantly analyzing Azure AD security telemetry data, looking for commonly used weak or compromised passwords. The contents of the global banned password list are not based on any external data source.
Side Note: Microsoft also buys password dumps from the black market that are being used for hacks.
Microsoft password scoring method
In practice, Microsoft doesn’t simply block every password that contains a word from the Global Banned Password list or Custom Banned Password list. If you configure a password that includes a banned word, Microsoft runs a formula to decide whether or not the new password will be accepted. Before the password is accepted, Microsoft requires it to score 5 points, and a banned word found in the password scores only one point.
Step 1: Normalization
First, all uppercase letters are converted to lower case. Microsoft states that common character substitutions are also reversed, but that is not always the case: some common substitutions, such as € -> e and 8 -> b, are ignored.
Step 2: Fuzzy match check
The password entry is checked against the banned password lists for exact matches and for matches with a one-character difference.
Step 3: Substring match check
The password entry is also checked against the user’s first name, last name, and tenant name. (Note that tenant name matching is not done when validating passwords on an Active Directory domain controller.)
Step 4: Final scoring
If the password entry makes it past the previous checks, it will then create a score based on:
- Each banned password that is found in a user’s password is given one point.
- Each remaining unique character is given one point.
- A password must be at least five (5) points for it to be accepted.
Example scoring:
- Micr0soft1!: [microsoft] + [1] + [!] = 3 → Rejected
- Micr0soft124!: [microsoft] + [1] + [2] + [4] + [!] = 5 → Accepted
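To make the four steps concrete, here is an added Python illustration of the scoring as the post describes it. It is not Microsoft's code: the substitution table is a small assumed subset, steps 2 and 3 are taken as outright rejections (as the post's ordering suggests), and the banned list, user names and tenant names are constructed for the demo.

```python
# Added illustration of the four steps described in this post, not Microsoft's
# code. Assumptions: the substitution table is a small subset, steps 2 and 3
# reject outright (as the post's ordering suggests), and the banned list,
# user and tenant names used with it are constructed for the demo.
SUBSTITUTIONS = str.maketrans({"0": "o", "$": "s", "@": "a"})
MIN_SCORE = 5  # points required for acceptance (from the post)

def normalize(password):
    """Step 1: lower-case and undo the assumed character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)

def within_one_edit(a, b):
    """True if a equals b or differs by one insert, delete or substitution."""
    if len(a) < len(b):
        a, b = b, a  # make a the longer (or equal-length) string
    if len(a) - len(b) > 1:
        return False
    for i in range(len(a)):
        if i >= len(b) or a[i] != b[i]:
            # drop the differing character from a (and from b on substitution)
            rest = a[i + 1:]
            return rest == b[i + 1:] if len(a) == len(b) else rest == b[i:]
    return True

def evaluate(password, banned, first, last, tenant):
    """Return (accepted, score, tokens) for a candidate password."""
    pw = normalize(password)
    words = sorted((normalize(w) for w in banned), key=len, reverse=True)
    # Step 2: whole password equal to, or one edit away from, a banned word.
    if any(within_one_edit(pw, w) for w in words):
        return False, 0, []
    # Step 3: first name, last name or tenant name contained in the password.
    if any(n and normalize(n) in pw for n in (first, last, tenant)):
        return False, 0, []
    # Step 4: one point per banned word found, one per remaining unique char.
    tokens, remainder = [], pw
    for w in words:
        if w in remainder:
            tokens.append(w)
            remainder = remainder.replace(w, "")
    tokens += sorted(set(remainder))
    return len(tokens) >= MIN_SCORE, len(tokens), tokens

BANNED = ["microsoft", "password", "contoso"]  # constructed banned list
```

Running `evaluate("Micr0soft1!", BANNED, "Alice", "Smith", "contoso")` reproduces the post's first example (3 points, rejected), and `"Micr0soft124!"` reaches the 5 points needed for acceptance.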
License requirements
| | Azure AD password protection with global banned password list | Azure AD password protection with custom banned password list |
|---|---|---|
| Cloud-only users | Azure AD Free | Azure AD Premium P1 or P2 |
| Users synchronized from on-premises Windows Server Active Directory | Azure AD Premium P1 or P2 | Azure AD Premium P1 or P2 |
Check this Microsoft article on how to get started with configuring this feature.
References:
Enable on-premises Azure Active Directory Password Protection:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations
Monitor and review logs for on-premises Azure AD Password Protection environments:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor
Azure AD Password Protection agent version history:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-agent-versions
Hey, when it is audited/logged, where can we see this?
You should be able to see this back in the audit logs. See this Microsoft docs page for more information:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor