Cyscale
Back to controls

Ensure a Custom Bad Password List is set to 'Enforce' for your Organization

Microsoft Azure provides a Global Banned Password policy for Azure administrative and normal user accounts. This is not applied to user accounts synced from an on-premise Active Directory unless Azure AD Connect is used, and you enable `EnforceCloudPasswordPolicyForPasswordSyncedUsers`. Please see the list of default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy. Organizational-specific terms can be added to the custom banned password list, such as the following examples:

Category

Controls

Low

Applies to

Microsoft Entra ID

Coverage

null controls, 1 queries

Asset types

1 covered

Overview

Microsoft Azure provides a Global Banned Password policy for Azure administrative and normal user accounts. This is not applied to user accounts synced from an on-premise Active Directory unless Azure AD Connect is used, and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list of default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy. Organizational-specific terms can be added to the custom banned password list, such as the following examples:

  • Brand names
  • Product names
  • Locations, such as company headquarters
  • Company-specific internal terms
  • Abbreviations that have specific company meaning
  • Months and weekdays with your company's local languages

Rationale

Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.

Impact

Increasing the needed password complexity might increase the overhead of the administration of user accounts. The licensing requirements for the Global Banned Password List and Custom Banned Password list require Microsoft Entra ID P1 or P2. On-premises Active Directory Domain Services users not synchronized to Microsoft Entra ID also benefit from Microsoft Entra ID Password Protection based on existing licensing for synchronized users.

Default Value

By default, the custom bad password list is not 'Enabled'. The default Azure bad password policy is described here.

Remediation guidance

  1. Open the Security | Authentication methods | Password protection.
  2. Set the Enforce custom list option to Yes.
  3. Add the terms to the Custom banned password list.

Multiple Remediation Paths

SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.

ASSET-LEVEL: Fix only the affected resources identified by this control.

PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.

References for Service-Wide Patterns

  • Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.

Query logic

These are the stored checks tied to this control.

Entra Tenants without custom password policies

Connectors

Microsoft Entra ID

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: { passwordRuleSettings: { enableBannedPasswordCheck: false } }
  ) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon