All administrator and user accounts that have been created and maintained in Azure AD have a password policy applied. With a password policy you can prohibit weak passwords and set parameters that will lock out an account after a specified number of failed login attempts. Table 7.5 comes directly from Microsoft’s website and shows the Azure AD password policy requirements that will apply to all passwords that are created, changed, or reset in Azure AD.
TABLE 7.5 Azure AD password policy requirements

| Property | Requirements |
| --- | --- |
| Characters allowed | Uppercase characters (A–Z); lowercase characters (a–z); numbers (0–9); symbols: @ # $ % ^ & * - _ ! + = [ ] { } \| \ : ' , . ? / ` ~ " ( ) ; < > blank space |
| Characters not allowed | Unicode characters |
| Password length | A minimum of eight characters and a maximum of 256 characters |
| Password complexity | Three out of four of the following categories: uppercase characters, lowercase characters, numbers, symbols |
| Password not recently used | When a user changes or resets their password, the new password can't be the same as the current or recently used passwords. |
| Password isn't banned by Azure AD Password Protection | The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization. |
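As an added illustration (not code from Microsoft or from this chapter), the following checker applies the Table 7.5 rules to a candidate password and reports every rule it breaks, so a help desk or self-service tool can tell the user exactly why a reset was refused. It assumes the table's symbol list is the complete allowed set and counts the blank space as a symbol, since the table lists it under Symbols.

```python
import string

# Symbols Azure AD accepts in passwords, copied from Table 7.5; the blank
# space is listed there among the symbols, so it is counted as one here.
ALLOWED_SYMBOLS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();<> ")
ALLOWED_CHARS = set(string.ascii_letters + string.digits) | ALLOWED_SYMBOLS


def check_azure_ad_password(password, recent_passwords=()):
    """Return the list of Table 7.5 rules the password violates (empty means it passes)."""
    problems = []

    # Length: 8 to 256 characters inclusive.
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 256:
        problems.append("longer than 256 characters")

    # Character set: anything outside the ASCII set above (all Unicode) is rejected.
    bad = sorted({c for c in password if c not in ALLOWED_CHARS})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))

    # Complexity: at least three of the four categories must be present.
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in ALLOWED_SYMBOLS for c in password),
    ]
    if sum(categories) < 3:
        problems.append("fewer than 3 of 4 character categories")

    # History: the new password may not equal the current or a recent one.
    if password in recent_passwords:
        problems.append("matches a current or recently used password")

    return problems
```

The banned-list rule from the last row is a separate lookup against the global and custom lists and is not covered by this function.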
In Azure Active Directory Domain Services (Azure AD DS) you can define fine-grained password policies (FGPPs) to manage user security. These FGPPs can control account lockout settings or minimum password length and complexity. A default FGPP is created and applied to all users in an Azure AD DS managed domain. In a managed domain, policies are distributed through group association, and any changes made will be applied when the user next logs on. Also, depending on how the user account was created, password policies may behave a bit differently. There are two ways that a user account can be created in Azure AD DS:
■ The account can be synchronized in from Azure AD. This includes cloud-only user accounts created directly in Azure, and hybrid user accounts synchronized from an on-premises AD DS environment using Azure AD Connect.
■ The account can be manually created in a managed domain; such accounts don't exist in Azure AD.
All users will have the following account lockout policies applied by default:
■ Account lockout duration: 30 minutes
■ Number of failed logon attempts allowed: 5
■ Reset failed logon attempts count after: 2 minutes
■ Maximum password age (lifetime): 90 days
For user accounts that were created manually in a managed domain, there are a few more password settings that are also applied to the default policy. These settings do not apply to user accounts that are synchronized in from Azure AD, because a user can't update their password directly in Azure AD DS. These additional password settings are:
■ Minimum password length (characters): 7
■ Passwords must meet complexity requirements
You can also create a custom password policy to meet your corporate needs. Custom password policies are applied to groups in a managed domain. This configuration will override the default policy. To create a custom password policy in a managed domain, you must be signed in to a user account that’s a member of the AAD DC Administrators group. To create a custom password policy, follow these steps:
- From the Start screen, select Administrative Tools.
- Select Active Directory Administrative Center from the list of administrative tools to create and manage OUs.
- In the left pane, choose your domain.
- Open the System container, then the Password Settings Container. A built-in password policy for the managed domain is shown. You cannot change the built-in policy. Instead, create a custom password policy to override the default policy.
- In the Tasks panel on the right, select New and then Password Settings.
- In the Create Password Settings dialog box, enter a name for the policy.
- When multiple password policies exist, the policy with the highest precedence is applied to a user. The lower the number, the higher the priority. The default password policy has a priority of 200. Set the precedence for your custom password policy to be lower than the default.
- Edit the password policy settings. Account lockout settings apply to all users, but only take effect within the managed domain and not in Azure AD itself.
- Uncheck Protect from accidental deletion. If this option is selected, you can’t save the FGPP.
- In the Directly Applies To section, click the Add button. In the Select Users or Groups dialog box, click the Locations button.
- Password policies can only be applied to groups. In the Locations dialog box, expand the domain name and then select an OU. If you have a custom OU that contains the group you wish to apply the policy to, select that OU.
- Type the name of the group you wish to apply the policy to, then click Check Names to validate that the group exists.
- With the name of the group you selected now displayed in the Directly Applies To section, click OK to save your custom password policy.
Enable Password Block Lists
Azure AD Password Protection can detect and block known weak passwords and their variants, and you can also block additional weak passwords that you set by creating a custom banned password list. Azure AD Password Protection has a default global banned password list that is automatically applied to all users in your Azure AD tenant.
The Azure AD Identity Protection team constantly analyzes Azure AD security telemetry data to look for passwords that are commonly used, compromised, or weak. When the team finds these types of passwords, they are added to the global banned password list. Then, if a password is changed or reset for an Azure AD tenant user, the current version of the global banned password list is used to validate the strength of the password. This validation check ensures stronger passwords for all Azure AD customers. The global banned password list is applied automatically to all users in an Azure AD tenant and cannot be disabled.
You can further improve security by creating a custom banned password list. The custom banned password list works with the global banned password list. The custom banned password list is limited to a maximum of 1,000 terms and is not designed to block large lists of passwords. You can add additional entries to the custom banned password list at any time. Organizational specific terms can be added to the custom banned password list, such as:
■ Abbreviations that have specific company meaning
■ Brand names
■ Company-specific internal terms
■ Locations, such as company headquarters
■ Months and weekdays in your company's local languages
■ Product names
If a user tries to reset a password to something that’s on the global or custom banned password list, they see one of the following error messages:
■ Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.
■ Unfortunately, you can't use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password.
To configure a custom banned password list, perform the following:
- Sign into the Azure portal using an account with global administrator permissions.
- Search for and select Azure Active Directory, then choose Security from the menu on the left-hand side.
- Under the Manage menu, select Authentication Methods, then Password Protection.
- Set the option for Enforce Custom List to Yes.
- Add strings to the Custom Banned Password list, one string per line. The following considerations and limitations apply to the custom banned password list:
■ The custom banned password list can contain up to 1,000 terms.
■ The custom banned password list is case-insensitive.
■ The custom banned password list considers common character substitution, such as o and 0, or a and @.
■ The minimum string length is four characters, and the maximum is 16 characters.
- Leave the option Enable Password Protection On Windows Server Active Directory set to No.
- To enable the custom banned passwords and your entries, click Save. It may take several hours for updates to the custom banned password list to be applied.
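The considerations above (1,000-term cap, 4 to 16 character terms, case-insensitivity, common substitutions) can be checked before a list is pasted into the portal. This added example is not Microsoft's matching code; the exact substitution table Azure AD uses is not published, so the mapping below is an assumed minimal one built from the o/0 and a/@ examples given in the text.

```python
# Assumed substitution table for normalizing look-alike characters; the
# page names o/0 and a/@, the $ and 3 entries are added here as an assumption.
SUBSTITUTIONS = str.maketrans({"0": "o", "@": "a", "$": "s", "3": "e"})

MAX_TERMS = 1000
MIN_TERM_LEN, MAX_TERM_LEN = 4, 16


def normalize(text):
    """Lower-case the text and undo common character substitutions."""
    return text.lower().translate(SUBSTITUTIONS)


def load_custom_banned_list(lines):
    """Validate a one-term-per-line list against the stated limits.

    Returns the normalized terms; raises ValueError on a term outside
    4-16 characters or when more than 1,000 terms are supplied.
    """
    terms = []
    for raw in lines:
        term = raw.strip()
        if not term:
            continue  # blank lines in the pasted list are ignored
        if not MIN_TERM_LEN <= len(term) <= MAX_TERM_LEN:
            raise ValueError(f"term {term!r} must be 4-16 characters long")
        terms.append(normalize(term))
    if len(terms) > MAX_TERMS:
        raise ValueError("custom banned password list is limited to 1,000 terms")
    return terms


def banned_term_in_password(password, banned_terms):
    """Return the first banned term found inside the normalized password, or None."""
    candidate = normalize(password)
    for term in banned_terms:
        if term in candidate:
            return term
    return None


# Constructed sample list: company name, partner brand and a product codename.
SAMPLE_LIST = ["Contoso", "Fabrikam", "", "Q4Launch"]
```

Running `banned_term_in_password("C0nt0s0!2024", load_custom_banned_list(SAMPLE_LIST))` shows why a leetspeak variant of the company name still trips the list.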