Let’s face it, we use personal identification numbers (PINs), passwords, and passphrases for everyday life: grabbing some cash at the ATM, online shopping, and of course, logging into the domain at work. As frustrating as it can be to maintain all of these passwords, we understand that they exist so that we can protect ourselves personally and our organization at work. As IT professionals – we know the harsh reality is that end-users are selecting weak passwords.
The Challenge
How can you ensure that your end-users select strong passwords? From creating longer and more complex passwords to changing them on a regular basis and storing them securely, an Excel spreadsheet is not going to cut it. And there had better not be a sticky note under their keyboard...
The Basics
Many organizations have implemented security & awareness programs to educate end users to not use the same password in multiple places or use a word straight out of the dictionary. While many IT administrators enforce length and complexity, in many cases, 'P@ssw0rd' would pass those requirements and is easily compromised by a password spray attack. Password spraying is an attack method where a malicious actor attempts to access a large number of accounts (usernames) with commonly used passwords like P@ssw0rd.
There must be a way to ensure that the user selects a strong password.
The Solution
Entra ID (formerly Azure Active Directory) Password Protection is available for both cloud and hybrid environments and prevents users from selecting weak passwords.
Entra ID Password Protection detects and blocks weak passwords by utilizing Microsoft’s global banned password list. The list is based on an analysis of the billions of passwords that are used for logging in to Microsoft services and the resulting telemetry data of common/weak passwords. Additionally, admins can add customized words to the banned list for your organization. These custom lists often contain common items such as:
- Company name, Company Acronym, Branding, or Product names
- Company addresses, locations
- Local sports teams or local jargon
The custom list is combined with the global banned list, and when a user selects a password, it is validated against these lists, enforcing a stronger password selection.
Entra ID Password Protection is a supplement to your existing on-premises Entra ID Domain Services password policies, not a replacement. It's important to note that despite the fact that Microsoft branded this with “Azure,” you can implement these features and integrate them with your on-premises environment. Users won’t feel the enforcement of the new policy until their password change cycle. With user education and a password manager, end users will be on their way to creating strong passwords that would make any IT professional proud. To set up, the proxy service and agents are installed within the on-premises environment with an agent on each Domain Controller (DC).
License requirements
Entra ID Password Protection with a custom banned password list for cloud and on-premises synchronization from Domain Services requires Entra ID Premium P1 or P2. Cloud-only environments can use the Entra ID Password Protection with a global banned password list with no customization for free.
If your organization already owns Entra ID Premium P1 or P2 to support your MFA implementation or as part of your M365 bundle, we encourage you to maximize your licensing investment by implementing Entra ID Password Protection.
Need help? Reach out to one of our experts!
