• Dana Epp

Improvements in Password Protection in Azure AD coming


All it takes is one weak password to give away the keys to the castle (so to speak). Hackers can often guess passwords because regular users are pretty predictable: they use easy-to-remember passwords, reuse the same ones far too frequently, or use patterns that are easy to recognize. Brute-force techniques like password spray attacks make it easier to discover and compromise accounts with common passwords. This is bad, especially in cloud environments.


So in come new capabilities in Azure AD called 'Azure AD Password Protection'. Azure AD Password Protection helps you eliminate easily guessed passwords from your environment, which can dramatically lower the risk of being compromised by a password spray attack. Specifically, these features let you:

  1. Protect accounts in Azure AD and Windows Server Active Directory by preventing users from using passwords from a list of more than 500 of the most commonly used passwords, plus over 1 million character substitution variations of those passwords.

  2. Manage Azure AD Password Protection for Azure AD and on-premises Windows Server Active Directory from a unified admin experience in the Azure Active Directory portal.

  3. Customize your Azure AD smart lockout settings and specify a list of additional company-specific passwords to block.

You get this built into your Azure AD environment if you have Premium.
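
A simplified sketch of how a banned-password check can catch character-substitution variants of list entries (item 1) and company-specific terms (item 3). This is an added example, not Microsoft's algorithm or code from the original post; the word lists, the `contoso` term, the substitution map and the `MIN_RESIDUAL` policy are constructed assumptions.

```python
import unicodedata

# Constructed sample lists; the real global list is not published on the page.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome", "summer"}
CUSTOM_BANNED = {"contoso"}  # hypothetical company-specific term

# Map look-alike characters to one canonical letter. "l" is folded into "i"
# as well, so "1", "!", "|", "l" and "i" all compare equal on both sides.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "i", "!": "i", "|": "i", "l": "i", "3": "e",
    "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
})
MIN_RESIDUAL = 8  # assumed policy: characters required beyond banned words


def skeleton(text):
    """Fold Unicode compatibility forms and case, then undo substitutions."""
    return unicodedata.normalize("NFKC", text).casefold().translate(LOOKALIKES)


def check_password(password, banned=GLOBAL_BANNED | CUSTOM_BANNED):
    """Return (accepted, matched_terms) for a candidate password."""
    residual = skeleton(password)
    matched = []
    # Longest terms first so a short term cannot mask a longer one.
    for term in sorted(banned, key=lambda t: (-len(t), t)):
        key = skeleton(term)
        if key in residual:
            matched.append(term)
            residual = residual.replace(key, "")
    # Accept only if no banned word is present, or enough other material
    # remains once every banned word has been removed.
    accepted = not matched or len(residual) >= MIN_RESIDUAL
    return accepted, sorted(matched)
```

Normalizing both the candidate and the list entries to the same skeleton means the list only has to hold base words, not every substitution variant.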


They have also released Smart Lockout. This takes advantage of cloud intelligence to lock out bad actors who are trying to guess your users’ passwords. That intelligence can recognize sign-ins coming from valid users and treat those differently than ones from attackers and other unknown sources. This means Smart Lockout can lock out the attackers while letting your users continue to access their accounts and be productive. Smart Lockout is available to all editions of Azure AD.


All in all, excellent defenses to add to our arsenal against credential attacks. I only wish they would reach out to friend and fellow RD/MVP Troy Hunt and implement HIBP as part of the banned password database.

© 2020 by Dana Epp
