Microsoft Entra IDOverview
Microsoft Azure provides a Global Banned Password policy for Azure administrative and normal user accounts. This is not applied to user accounts synced from an on-premise Active Directory unless Azure AD Connect is used, and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list of default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy. Organizational-specific terms can be added to the custom banned password list, such as the following examples:
- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have specific company meaning
- Months and weekdays with your company's local languages
Rationale
Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.
Impact
Increasing the needed password complexity might increase the overhead of the administration of user accounts. The licensing requirements for the Global Banned Password List and Custom Banned Password list require Microsoft Entra ID P1 or P2. On-premises Active Directory Domain Services users not synchronized to Microsoft Entra ID also benefit from Microsoft Entra ID Password Protection based on existing licensing for synchronized users.
Default Value
By default, the custom bad password list is not 'Enabled'. The default Azure bad password policy is described here.
Remediation guidance
- Open the Security | Authentication methods | Password protection.
- Set the
Enforce custom listoption toYes. - Add the terms to the
Custom banned password list.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Microsoft Entra ID
Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Entra Tenants without custom password policies
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { passwordRuleSettings: { enableBannedPasswordCheck: false } }
) {
...AssetFragment
}
}
