#AzureAD Password Protection and Smart Lockout are now in Public Preview

June 21, 2018 Chris Spanougakis

One more cool feature related to Azure Active Directory, especially for those of you who care about security. Remember that the GDPR mandates a strict security baseline in order to protect personal data.

So this new feature, announced in Public Preview, enforces or audits the passwords that Azure AD users choose: if a user tries to set an easily guessable password, the admin has the option to just audit the attempt or to block it completely. We also have the option to specify a blacklist of banned passwords.

In order to configure it, you need to log on to your Azure AD Portal and then navigate to Security –> Authentication Methods:

[Image: azureadpass]

Let’s talk a bit about the different options that we see here.

  1. Set your custom smart lockout threshold (number of failures until the first lockout) and duration (how long the lockout period lasts)

  2. Enter the banned password strings for your organization in the textbox provided (one string per line) and turn on enforcement of your custom list

  3. Extend banned password protection to Windows Server Active Directory by enabling password protection in Active Directory. Start with the audit mode, which gives you the opportunity to evaluate the current state in your organization. Once an action plan is finalized, flip the mode to Enforced to start protecting users by preventing any weak passwords from being used.

How does the banned password list work
The banned password list matches passwords in the list by converting the string to lowercase and comparing to the known banned passwords within an edit distance of 1 with fuzzy matching.

Example: the word “password” is blocked for an organization

  • A user tries to set their password to “P@ssword”. It is converted to “password” and, because it is a variant of password, it is blocked.

  • An administrator attempts to set a user's password to “Password123!”. It is converted to “password123!” and, because it is a variant of password, it is blocked.

Each time a user resets or changes their Azure AD password it flows through this process to confirm that it is not on the banned password list. This check is included in hybrid scenarios using self-service password reset, password hash sync, and pass-through authentication.
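To make the matching rule above concrete, here is a small Python model of it. This is an added example, not Microsoft's implementation and not code from this post: it lowercases the candidate, undoes a few symbol substitutions (the substitution table is an assumption; the post only shows that “P@ssword” becomes “password”), and then looks for any substring of the candidate that is within edit distance 1 of a word on the banned list. The banned list and the test passwords are constructed for the example.

```python
# Added example: a model of banned-password matching (lowercase + edit distance 1
# over substrings). Not Microsoft's code; the substitution table is an assumption.

# Constructed custom banned list (stands in for an organization's own list).
BANNED_PASSWORDS = ["password", "contoso", "welcome"]

# Assumed symbol substitutions. The post shows "P@ssword" -> "password", so at
# least '@' -> 'a' is undone; the other two entries are an assumption.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o"})

# The user-facing message quoted in the post.
REJECTION_MESSAGE = (
    "Unfortunately, your password contains a word, phrase, or pattern that makes "
    "your password easily guessable. Please try again with a different password."
)


def normalize(candidate: str) -> str:
    """Lowercase the candidate and undo the assumed symbol substitutions."""
    return candidate.lower().translate(SUBSTITUTIONS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def contains_banned_variant(normalized: str, banned: str, max_distance: int = 1) -> bool:
    """True if any substring of `normalized` is within `max_distance` of `banned`.

    Windows one character shorter and one longer than the banned word are
    checked too, so a single deletion or insertion is still caught.
    """
    n = len(banned)
    for width in (n - 1, n, n + 1):
        if width <= 0 or width > len(normalized):
            continue
        for start in range(len(normalized) - width + 1):
            if edit_distance(normalized[start:start + width], banned) <= max_distance:
                return True
    return False


def find_banned_match(candidate: str, banned_list=BANNED_PASSWORDS):
    """Return the banned word the candidate matches, or None if it is clean."""
    normalized = normalize(candidate)
    for banned in banned_list:
        if contains_banned_variant(normalized, banned.lower()):
            return banned
    return None


def check_password(candidate: str):
    """None when the password is acceptable, otherwise the rejection message."""
    return None if find_banned_match(candidate) is None else REJECTION_MESSAGE


if __name__ == "__main__":
    for pw in ["P@ssword", "Password123!", "passwrd", "Contoso2018", "Tr0ub4dor&3"]:
        print(f"{pw!r:16} -> {find_banned_match(pw)}")
```

In audit mode the same check would only log the match instead of rejecting the change; in enforced mode `check_password` returning a message is the rejection the user sees. Note that the real service also applies the global list and its own normalization, neither of which this model reproduces.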

What do users see
When a user attempts to reset a password to something that would be banned, they see the following error message:

“Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.”

It’s not only for the cloud
That’s nice, because you can even use it to prevent weak passwords from being used in an organization running Windows Server Active Directory. And yes, we are talking about your on-premises environment!

In a single forest deployment, the preview of Azure AD password protection is deployed with the proxy service on up to two servers, and the DC agent service can be incrementally deployed to all domain controllers in the Active Directory forest.

[Image: azure-ad-password-protection]

Before doing anything, I strongly suggest that you take a look at the official documentation here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises

What kind of Azure AD licenses do you need for this?
The benefits of the global banned password list apply to all users of Azure Active Directory (Azure AD). The custom banned password list requires Azure AD Basic licenses.
Azure AD password protection for Windows Server Active Directory requires Azure AD Premium licenses.
