Let’s face it, we use personal identification numbers (PINs), passwords, and passphrases for everyday life: grabbing some cash at the ATM, online shopping, and of course, logging into the domain at work. As frustrating as it can be to maintain all of these passwords, we understand that they exist so that we can protect ourselves personally and our organization at work. As IT professionals – we know the harsh reality is that end-users are selecting weak passwords.
How can you ensure that your end-users select strong passwords? From creating longer and more complex passwords to changing them on a regular basis and storing them securely, an Excel spreadsheet is not going to cut it. And there had better not be a sticky note under their keyboard...
Many organizations have implemented security & awareness programs to educate end users to not use the same password in multiple places or use a word straight out of the dictionary. While many IT administrators enforce length and complexity, in many cases, 'P@ssw0rd' would pass those requirements and is easily compromised by a password spray attack. Password spraying is an attack method where a malicious actor attempts to access a large number of accounts (usernames) with commonly used passwords like P@ssw0rd.
There must be a way to ensure that the user selects a strong password.
Azure Active Directory Password Protection is available for both cloud and hybrid environments and prevents users from selecting weak passwords.
Azure AD Password Protection detects and blocks weak passwords by utilizing Microsoft’s global banned password list. The list is based on an analysis of the billions of passwords that are used for logging in to Microsoft services and the resulting telemetry data of common/weak passwords. Additionally, admins can add customized words to the banned list for your organization. These custom lists often contain common items such as:
- Company name, Company Acronym, Branding, or Product names
- Company addresses, locations
- Local sports teams or local jargon
The custom list is combined with the global banned list, and when a user selects a password, it is validated against these lists, enforcing a stronger password selection.
Azure AD Password Protection is a supplement to your existing on-premises Active Directory Domain Services (AD DS) password policies, not a replacement. It's important to note that despite the fact that Microsoft branded this with “Azure,” you can implement these features and integrate them with your on-premises environment. Users won’t feel the enforcement of the new policy until their password change cycle. With user education and a password manager, end users will be on their way to creating strong passwords that would make any IT professional proud. To set up, the proxy service and agents are installed within the on-premises environment with an agent on each Domain Controller (DC).
Azure AD Password Protection with a custom banned password list for cloud and on-premises synchronization from AD DS requires Azure AD Premium P1 or P2. Cloud-only environments can use the Azure AD Password Protection with a global banned password list with no customization for free.
If your organization already owns Azure AD Premium P1 or P2 to support your MFA implementation or as part of your M365 bundle, we encourage you to maximize your licensing investment by implementing Azure AD Password Protection.
Need help? Reach out to one of our experts!