New features for enhanced password protection in Azure Active Directory

In a previous Our Thoughts on Article, we described a threat to organizations known as password spraying, in which an attacker attempts to login to all usernames the attacker is aware of with a single password.  The attacker, with a large array of user logins, attempts to find an account with a commonly guessable password, whether it be a frequently used password or one related to the company being attacked.  One of the best ways to avoid common passwords is to ensure users create passwords that are not easily guessable.  Many organizations’ password requirements and restrictions—despite being robust—occasionally also fail to keep user passwords from being easily guessed, such as “Spring2019!” or “Passw0rd!” and so on.

If your organization utilizes Office 365 with Azure AD integration (whether fully in the cloud or with a hybrid on-premises and cloud environment), Microsoft has released a new feature to help users create stronger passwords.  On April 2nd, 2019, Microsoft made Azure AD Password Protection generally available to organizations with either Azure AD Premium P1 or P2. 

This new software feature enables organizations to configure AD Password Protection on ID’s and prevent usage of a global password list. Microsoft continues to develop this list by reviewing publically known breached password listings.  While Microsoft does not provide details on the passwords contained within the global password list, Microsoft has indicated that they continually update the list based on the ever-changing threat environment.  Additionally, organizations can establish an additional layer of prevention by providing their own custom password listings in the AD Password Protection configuration.  This allows an organization to prohibit passwords that use their own name, commonly known information about the organization or any other passwords for which the organization may have concerns.

Azure AD Password Protection also performs a three-step process to check for similar passwords to the blocked global or custom password list:

  • Step 1: The password will be normalized (changing an “@” -> “a” or a “0” -> “o”) to check for users performing simple character replacements.

  • Step 2: The software will check for fuzzy matching of a banned password by seeing if a character was changed by a distance of 1 (“1” -> “2” or “a” -> “b”)

  • Step 3: The software will check to see if a banned password is contained within a longer password.A banned password counts as 1 point in a required 5 point scoring system.A banned password is considered acceptable if the password contains an additional 4 unique characters before or after it, to obtain the additional required 4 points (where each unique character counts as 1 additional point).

The Azure AD Password Protection software is an easy and free way for users with Azure AD Premium P1 or P2 to offer an extra layer of user password complexity beyond the standard mix of characters and minimum length to which users are accustomed.  To enable these features, simply go to the Authentication Methods under Azure Active Directory in your Azure cloud environment.  Additional details on setting up the service can be found in the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
SEC Charges SolarWinds and CISO Timothy Brown For Misleading Investors
Think Before You Click: Fake Browser Updates are Back in Style
Protect Your Manufacturers: 3 Common Cyber Attack Methods to Watch Out for in 2023
Protect Your Students, Faculty and Staff: 3 Common Cyber Attack Methods to Watch Out for in 2023
Protect Your Retail Business: 3 Common Cyber Attack Methods to Watch Out for in 2023
Cybersecurity in the Construction Industry
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×