Implementing and managing Azure AD password protection – Planning and Implementing Authentication
Azure AD password protection is a set of features designed to limit the effects of common password attacks. To view the password protection configuration, navigate to Azure Active Directory | Security | Authentication methods and select Password protection.

Figure 7.28 – Password protection
There are three groups of settings to configure:
- Custom smart lockout
- Custom banned passwords
- Password protection for Windows Server Active Directory
Let’s briefly examine each set of configurations.
Custom smart lockout
The smart lockout settings determine how Azure AD handles failed login attempts. Lockout threshold is the number of times in a row a user can enter a bad password before getting locked out. By default, Lockout threshold is set to 10 in Azure Worldwide (sometimes referred to as Commercial or Public) and Azure China 21Vianet tenants, while it is set at 3 for Azure US Government customers.

Figure 7.29 – Account lockout
Lockout duration in seconds only specifies the initial lockout duration after the lockout threshold has been reached. Each subsequent lockout increases the lockout duration. As a security mechanism, Microsoft does not publish the rate at which the duration increases.
Custom banned passwords
While Microsoft recommends moving toward password-less authentication as a primary mechanism, passwords are still required in a number of scenarios. To help minimize the use of well-known, weak, or easily guessable passwords, you can specify a custom list of words that you want to exclude from being used as passwords. For example, you may wish to include your organization’s name or abbreviation, products or services offered by your organization, or local sports teams.
To enable the option, slide the Enforce custom list toggle to Yes, and then add up to 1,000 banned words in the Custom banned password list text area. The list is not case-sensitive. Azure AD automatically performs common substitutions (such as 0 with o),
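The following Python is an added illustration of how a custom banned password list is applied in practice: the candidate is compared case-insensitively after common character substitutions are undone, and the 1,000-entry limit is enforced when the list is loaded. It is not Azure AD's own code; the substitution table, the scoring rule (one point per banned term found, one per remaining character) and the five-point acceptance threshold are assumptions made for this example, and the global banned list Azure AD also applies is not modelled.

```python
# Added example: defender-side pre-check modelled on the custom banned
# password list behaviour described above. Not Azure AD's implementation.

MAX_CUSTOM_TERMS = 1000  # limit stated for the Custom banned password list
MIN_SCORE = 5            # assumed acceptance threshold for this example
# Map common substitutions back to the letters they stand in for (assumed table).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "@": "a", "$": "s", "!": "i"})

def normalize(text: str) -> str:
    """Lowercase and undo common substitutions so 'C0ntos0' matches 'contoso'."""
    return text.lower().translate(SUBSTITUTIONS)

def load_custom_list(terms: list[str]) -> list[str]:
    """Normalize a custom banned list, enforcing the 1,000-entry limit."""
    if len(terms) > MAX_CUSTOM_TERMS:
        raise ValueError(f"custom banned list holds at most {MAX_CUSTOM_TERMS} terms")
    # Longest terms first so 'contosoweb' is consumed before 'contoso'.
    return sorted({normalize(t) for t in terms if t.strip()}, key=len, reverse=True)

def evaluate(password: str, banned: list[str]) -> dict:
    """Score a candidate password against an already normalized banned list.

    Each banned term found counts one point and each remaining character one
    point; a total below MIN_SCORE is rejected (assumed rule).
    """
    remainder = normalize(password)
    matched = []
    for term in banned:
        if not term:
            continue
        while term in remainder:
            matched.append(term)
            # Blank out the match so its letters are not counted again and
            # cannot combine with neighbours into a new match.
            remainder = remainder.replace(term, "\0" * len(term), 1)
    leftover = sum(1 for ch in remainder if ch != "\0")
    score = len(matched) + leftover
    return {"score": score, "matched": matched, "accepted": score >= MIN_SCORE}

if __name__ == "__main__":
    # Constructed sample list and candidates for demonstration only.
    banned = load_custom_list(["Contoso", "Blank"])
    for candidate in ["C0ntos0Blank12", "ContoS0Bl@nkf9!"]:
        print(candidate, evaluate(candidate, banned))
```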
Password protection for Windows Server Active Directory
This settings area allows you to extend the custom banned password list to your on-premises infrastructure. There are two components:
- Azure AD Password Protection DC agent, which must be installed on domain controllers.
- Azure AD Password Protection proxy, which must be installed on at least one domain-joined server in the forest. As a security best practice, Microsoft recommends deploying the proxy on a member server rather than a domain controller, since the proxy requires internet connectivity.
In this configuration, the Azure AD Password Protection proxy servers periodically retrieve the custom banned password list from Azure AD. The DC agents cache the password policy locally and validate password change requests accordingly.
If Enable password protection on Windows Server Active Directory is configured to Yes, then you can choose in what mode to process password change requests. They can be processed in Audit mode (where changes are logged) or in Enforced mode, where password resets are actively evaluated against the banned password list and rejected if they do not meet the requirements.
Further reading
To view detailed steps for deploying password protection on-premises, see here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises.