Azure AD Password Protection

Overview

 

By defining appropriate Group Policy settings (Minimum Password Length, Minimum Password Age, Maximum Password Age, Password must meet complexity requirements, Enforce Password History) in Active Directory, it is possible to implement a suitable password management strategy for your users.

However, this cannot and should not be considered sufficient, as a user would still be able to create “vulnerable” passwords (for example “P@ssw0rd.1!”) that are longer than 8 characters and contain special characters.

Azure AD Password Protection is the feature that allows you to improve security from this point of view as well.

Solution

The service uses the Global Banned Password List, a dynamic list of “banned” passwords generated and maintained through the analysis of Azure Active Directory security telemetry data by Microsoft itself.

By creating a Custom Banned Password List, an organization would have the opportunity to further improve security.
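The gap described in the Overview, as an added example that is not Microsoft's code or algorithm: a password that passes a complexity policy is still rejected once it is normalized and compared with a banned list. The banned terms, the substitution table and the function names are assumptions made for illustration, and the matching is simplified to a substring test.

```python
import re

# Constructed sample terms standing in for a Custom Banned Password List.
CUSTOM_BANNED = {"password", "contoso", "welcome"}

# Assumed look-alike substitutions undone before matching.
LOOKALIKES = str.maketrans({"@": "a", "0": "o", "1": "l", "$": "s", "3": "e"})


def meets_complexity(pw: str, min_length: int = 8) -> bool:
    """Approximate the Group Policy rules: minimum length plus 3 of 4 character classes."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(bool(re.search(c, pw)) for c in classes)
    return len(pw) >= min_length and hits >= 3


def normalize(pw: str) -> str:
    """Lowercase, undo look-alike substitutions, then drop anything that is not a letter."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LOOKALIKES))


def banned_term(pw: str, banned=CUSTOM_BANNED):
    """Return the first banned term found inside the normalized password, else None."""
    norm = normalize(pw)
    return next((term for term in sorted(banned) if term in norm), None)


def evaluate(pw: str) -> str:
    """Apply the complexity policy first, then the banned-list check."""
    if not meets_complexity(pw):
        return "rejected: complexity policy"
    term = banned_term(pw)
    if term:
        return f"rejected: contains banned term '{term}'"
    return "accepted"


if __name__ == "__main__":
    # Constructed candidates; the first is the example from the Overview.
    for candidate in ("P@ssw0rd.1!", "Contoso2024#", "short1!", "Tr4il-mix-Haz3lnut"):
        print(f"{candidate:20} complexity={meets_complexity(candidate)!s:5} -> {evaluate(candidate)}")
```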

Requirements

  • The license required is Azure Active Directory (Azure AD). There are three different editions of Azure AD: Free, Premium P1 and Premium P2.

  • The Microsoft Enterprise Mobility + Security (EMS) suite includes Azure Active Directory Premium. In particular:
      1. EMS E3 includes Azure Active Directory Premium P1
      2. EMS E5 includes Azure Active Directory Premium P2
  • The operating system of the servers on which to install the “Azure AD Password Protection Proxy” service must be at least Windows Server 2012 R2.

Benefits

  • Minimize the possibility that users use “vulnerable” passwords;
  • Protection against “password spray” attacks.