Azure AD Password Protection: The good, the bad, and the ugly


People often use common words as their passwords so they don’t forget them. This practice severely impacts security, because an attacker can breach accounts simply by guessing these common passwords. Microsoft’s Azure AD Password Protection is a feature that aims to help organizations eliminate weak and commonly used passwords by essentially acting as a password filter that rejects frequently used, easily guessed passwords. However, Azure AD Password Protection isn’t perfect.

The “Good”

Global banned password list

Microsoft has compiled a list of passwords that are deemed too common into a global banned password list. It contains around 1,000 passwords, and its contents are not publicly disclosed. By default, this list applies to everyone using Azure AD, meaning they’re not able to use any of those passwords.

Custom banned password list

For organizations that want to have control over which words or phrases are banned, Microsoft provides an option to add custom values to the banned list. This helps organizations block variants of their own brand names, company-specific terms, etc. The custom list augments the global banned password list.

Password evaluation method

Microsoft employs a variety of processes to make sure even a variant of a banned password doesn’t pass through its filters. It uses multiple factors to calculate a password score, which determines whether a password is accepted or not. For more information on how passwords are evaluated, refer to Microsoft’s documentation.
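As an added example (not code from the article or from Microsoft’s product), here is a small Python filter modelled on the normalize-then-score approach Microsoft documents: common character substitutions are undone, banned terms from a combined global and custom list are stripped out, and each banned term plus each leftover character scores one point against a threshold of five. The word lists, substitution table and sample passwords are constructed for this illustration, and the fuzzy-matching step is omitted.

```python
# Constructed illustration (not Microsoft's code) of a banned-password filter,
# modelled on the normalize-then-score steps Microsoft documents for Azure AD
# Password Protection. All lists and the threshold here are assumptions.

# Stand-in for the undisclosed global list, merged with a custom list of
# organisation-specific terms (values constructed for this example).
GLOBAL_BANNED = {"password", "welcome", "letmein", "qwerty"}
CUSTOM_BANNED = {"contoso", "blank"}
BANNED = GLOBAL_BANNED | CUSTOM_BANNED

# Leet-style substitutions undone before matching, so "P@ssw0rd" becomes "password".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "$": "s", "@": "a", "!": "i"})
MIN_SCORE = 5  # a password scoring fewer than five points is rejected


def normalize(password: str) -> str:
    """Lowercase and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password: str, banned=BANNED):
    """Return (score, matched_tokens, remaining_chars): each banned token found
    scores one point, and each character outside a banned token scores one point."""
    remaining = normalize(password)
    matched = []
    # Longest tokens first, so a long banned term is not split by a shorter one.
    for token in sorted(banned, key=len, reverse=True):
        while token in remaining:
            remaining = remaining.replace(token, "", 1)
            matched.append(token)
    return len(matched) + len(remaining), matched, remaining


def evaluate(password: str, banned=BANNED):
    """Return (accepted, reason), so a rejection explains itself instead of a
    generic 'does not meet complexity requirements' message."""
    score, matched, remaining = score_password(password, banned)
    if score >= MIN_SCORE:
        return True, f"accepted: score {score} >= {MIN_SCORE}"
    tokens = ", ".join(matched) or "none"
    return False, (f"rejected: score {score} < {MIN_SCORE}; banned terms found: {tokens}; "
                   f"only {len(remaining)} character(s) outside banned terms")


if __name__ == "__main__":
    # "C0ntos0Blank12" scores 4 (rejected); "ContosoBlank123" scores 5 (accepted).
    for pw in ("C0ntos0Blank12", "ContosoBlank123", "P@ssw0rd!", "Tr0ub4dor&3"):
        print(pw, "->", evaluate(pw))
```

The reason string is the kind of feedback a self-service tool can surface to users, which the native Windows logon screen does not.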

The “Bad”

If you don’t have Azure AD, you can’t use Password Protection

If you only have on-premises AD in your IT environment, you cannot use Azure AD Password Protection. You need an Azure AD subscription and must enable sync through Azure AD Connect to use this feature.

P1 license requirement

To extend Azure AD Password Protection to on-premises AD, not only do you need Azure AD, but you need an Azure AD Premium 1 (P1) subscription at minimum; this costs $6 per user, per month.

A reboot of the domain controller (DC) is required to install or upgrade the agent

In on-premises AD, you need to install and configure a DC agent and a proxy service on every domain controller in the domain. It’s a complex process, and even if you complete it successfully, you need to reboot all the domain controllers after installation and again during every upgrade.

The “Ugly”

Lack of customization and visibility

The global password list is not publicly available, and is subject to change at any time without prior notice. Even the password evaluation methods may change. Moreover, other than adding your own banned list of passwords, you cannot customize any of the options, such as changing the password score limit.

No OU or group-based enforcement

The Password Protection feature cannot be applied to a particular subset of users. When enabled, it applies to everyone in the AD domain, so if you want to enforce password protection for privileged users only, you’re out of luck. For example, if you’re an educational institution, you cannot enforce password protection for teaching staff without it affecting the students’ accounts, too.

Confusing error messages might increase help desk calls

When users change their passwords from the Windows logon screen or use other native options, they’ll receive a generic “Your password does not match complexity requirements” message. Users can try entering uppercase and lowercase letters, numbers, and special characters; however, if the password fails to pass the password score limit, there’s no way for them to know why their password choice was rejected. As a result, even a simple password change operation can lead to help desk calls and affect employee productivity.

ADSelfService Plus: A better alternative to Azure AD Password Protection

ADSelfService Plus is an integrated Active Directory self-service password management and single sign-on (SSO) solution. The Password Policy Enforcer feature in ADSelfService Plus accomplishes everything that Azure AD Password Protection does and more. For more information, refer to this document that compares ADSelfService Plus with Azure AD Password Protection.

Want to try the Password Policy Enforcer feature for yourself? Download a free, 30-day trial of ADSelfService Plus.

** Optrics Inc. is an Authorized ManageEngine partner

The original article can be found here:
