Azure AD Password Protection

How often do you see users do the following things:
  1. Write their password on a post-it and stick it on their laptop or monitor
  2. Add a +1 when they need to reset their password, for example going from P@ssw0rd01 to P@ssw0rd02. That really made it harder.
  3. Create a default password like "P@ssw0rd" or "123456789". Yeah, sometimes they add a 123 to make it "difficult", haha
Now, to be honest, nowadays you need a lot of passwords to log in to all those services on the web. Keeping track of them is a difficult task. Writing them down in a notepad and storing it on your computer is NOT the way to go! To make life easier, users got "creative". For example, they use the company name + a number as their password, like "AcmeCompany123". Once they had to change their password they would make it "AcmeCompany234".

As an IT admin, preventing the use of these passwords is hard to do. You could train users not to use the following top 10 passwords (Wikipedia):

Rank  2011        2012        2013        2014        2015        2016        2017
1     password    password    123456      123456      123456      123456      123456
2     123456      123456      password    password    password    password    password
3     12345678    12345678    12345678    12345       12345678    12345       12345678
4     qwerty      abc123      qwerty      12345678    qwerty      12345678    qwerty
5     abc123      qwerty      abc123      qwerty      12345       football    12345
6     monkey      monkey      123456789   123456789   123456789   qwerty      123456789
7     1234567     letmein     111111      1234        football    1234567890  letmein
8     letmein     dragon      1234567     baseball    1234        1234567     1234567
9     trustno1    111111      iloveyou    dragon      1234567     princess    football
10    dragon      baseball    adobe123    football    baseball    1234        iloveyou
But Microsoft introduced a feature in Azure AD to prevent users from choosing these easy-to-guess passwords.

Password protection (preview)

Password Protection enables admins to prevent users from creating passwords based on default words that are easy to guess. This stops hackers from using password spray attacks to find those passwords.

The interface.



  • Lockout threshold - The number of failed sign-ins that are allowed before the account is locked out. Keep in mind that once the account is unlocked again and the user fills in a wrong password, the account is locked out immediately.
  • Lockout duration in seconds - Determines how many seconds the user stays locked out before the account is unblocked again.
  • Enforce custom set - Choose whether you want to use a custom list of banned passwords for your organization. Note: Microsoft keeps track of common or compromised passwords (1) and blocks these in the Office 365 tenant anyway, to enhance security.
  • Custom banned password list - This is a great way to create a list of passwords that are banned in your organization. Azure AD also understands variations (2) of the words in the list. For example, if you add acme as a word that has to be blocked and a user tries @cme or Acme123, these are variations of acme and so they will be blocked. Pretty cool, hey?! Keep in mind though that a password containing a banned word can still be allowed, but only if it scores 5+ points. See how Microsoft scores passwords below.
Basically, we calculate a score for each password, where each character is worth a point, but any substring that matches a banned word/phrase/pattern is only worth one point in total. So:

Spring2018 = [Spring] + [2018] = 2 points
Spring2018asdfj236 = [Spring] + [2018] + [asdf] + [f] + [j] + [2] + [3] + [6] = 8 points

This lets users have passwords that are hard to guess even if they happen to contain some banned phrases. Our cutoff is currently 5+ points, and that's in addition to any other length or complexity rules.
  • Enable password protection on Windows Server Active Directory - If you install the agent (3) on the server, you can enforce the same policies in your on-premises AD as you do in the cloud.
  • Mode - This is a good one to keep in mind. You have 2 options:
    • Enforced - Users will not be able to set their password to one of the passwords you banned in the list.
    • Audit - Users can still use the passwords in the list, but it will be logged. I think this is a cool feature, because a lot of users will be using the passwords you defined, and tracking them can be useful to train/inform users about the risks of a bad password.
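As an added example (not Microsoft's code), the Python below models the three pieces described above: the normalisation that makes @cme match acme, the point scoring with the 5-point cutoff, and the Enforced versus Audit behaviour. The substitution table and the small banned list are assumptions standing in for Microsoft's real global and custom lists.

```python
# Added example, not Microsoft's code: a toy model of the normalisation and
# point scoring described above. Assumptions: the substitutions mirror the ones
# Microsoft documents (0->o, 1->l, $->s, @->a); BANNED is a small constructed
# stand-in for Microsoft's global list plus an admin's custom list.
CUTOFF = 5  # a password scoring fewer points than this is banned
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed list: a few global-list style entries plus the tenant name "acme"
BANNED = {"password", "123456", "qwerty", "spring", "2018", "acme"}


def normalize(password):
    """Lower-case and undo common substitutions so "@cme" matches "acme".
    Every mapping is one char to one char, so offsets still line up."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password, banned=BANNED):
    """Each character is worth one point, but a substring matching a banned
    word counts as one point in total. Returns (points, tokens as counted)."""
    text = normalize(password)
    words = sorted((normalize(w) for w in banned), key=len, reverse=True)
    tokens, i = [], 0
    while i < len(text):
        for w in words:  # try the longest banned word first
            if text.startswith(w, i):
                tokens.append(password[i:i + len(w)])
                i += len(w)
                break
        else:  # no banned word starts here: one ordinary character, one point
            tokens.append(password[i])
            i += 1
    return len(tokens), tokens


def evaluate(password, mode="Enforced", banned=BANNED):
    """Apply the cutoff. Enforced rejects weak passwords; Audit accepts them
    but reports the would-be rejection so admins can follow up with users."""
    points, tokens = score(password, banned)
    detail = f"{points} points: {' + '.join(f'[{t}]' for t in tokens)}"
    if points >= CUTOFF:
        return True, f"accepted ({detail})"
    if mode == "Audit":
        return True, f"AUDIT, would be rejected ({detail})"
    return False, f"rejected ({detail})"


if __name__ == "__main__":
    for pw in ["Spring2018", "@cme", "Acme123", "P@ssw0rd01", "Acme!Rocks2019"]:
        print(f"{pw:16} -> {evaluate(pw)[1]}")
```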
If you want a more in-depth article about Password Protection for Azure AD, please have a look at: https://www.semperis.com/azure-ad-password-protection/

Keep in mind! 

  1. Blocking bad passwords is a start, but it's not 100% bulletproof. Use MFA to give users an extra layer of protection.
  2. Having users reset their passwords every month only makes them less creative when writing a new password. A complex password is still complex in a year, so stop the forced password renewal and focus on adding security like MFA or conditional access.

Resources

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-AMA/Point-scoring-system/m-p/210405/thread-id/38#M50
