Azure AD Security and Password Protection

2019-02-13 19:00:00
Posted by aeadmin on Feb 13, 2019 11:00:00 AM

 

Microsoft continues to address vulnerabilities around user identity and has integrated a solution in Azure AD (currently in public preview) that enhances password policies to protect against common, weak passwords. Organizations can now configure their change/reset process to flow passwords through a sequence in which they are validated against banned passwords lists. If users attempt to use a banned password, they are notified that the password is vulnerable and will need to try a different password.

Azure AD Password Protection takes the new password provided during the reset process and converts the string to lowercase characters. The entry is then compared to the global and custom banned password lists using approximate string matching or “fuzzy matching.” In the example below, the word Ouredge has been added to the custom password list. If a user attempted to reset the password to our3dge2019 (note the 3) this password would be converted to ouredge2019 and rejected.

password protection

Microsoft manages the global banned password list, which comprises entries the AD Identity Protection team has identified as vulnerable and commonly used. Organizations have the option to enforce a custom list of banned passwords. While the approach for creating a custom list will vary, an organization should consider banning words and phrases commonly associated with users, including a mascot name or other company-specific products or terms.

Password Protection is currently available in preview for all SKUs including Azure AD Basic and Free. It can be extended to protect hybrid deployments with an on-premises Active Directory environment by using an Azure AD Premium subscription, and it works in conjunction with other features such as Self-Service Password Reset and Passthrough Authentication. The on-premises deployment requires the installation of two separate lightweight agents: “DC Agent Service” on all domain controllers (Windows Server 2012 or later) and “Proxy Service“ on dedicated member servers (Windows Server 2012 R2 or later). No network changes or Internet connectivity is required for the DCs and no changes are made to the schema. Please note this feature is not a real-time policy application engine and there may be delays between a password policy configuration change and replication across all domain controllers.

Prior to implementing any identity management features, it is important to understand the end-user experience and how they will be impacted. This can be accomplished in “Audit Mode” to conduct initial monitoring and identify any trends of weak passwords in the organization. Developing a solid deployment plan and properly communicating the initiative to the organization are keys for a successful deployment.

Technical References
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq

Written and composed by Raul Perez, Microsoft Systems Engineer

Tags: Technology, Azure, cybersecurity, Microsoft, Azure AD

    Microsoft Teams  Switch on the  Power of Teamwork Today!

    We're here to help!

    We'd love to find out more about the projects and initiatives you're working on to exchange ideas and provide some high-level guidance where we can.  We love learning from others as well as sharing some of our experience and lessons learned.  Let's talk!

    Subscribe to Email Updates

    Recent Posts

    Posts by Tag

    see all