Password protection and management capabilities of Azure AD
In this tutorial, we look at the password protection and management capabilities of Azure AD.
Password Protection is a feature of Azure AD that reduces the risk of users setting weak passwords. Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization.
By default, the global banned password list is automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can also define entries in a custom banned password list.
Global banned password list
- A global banned password list of known weak passwords is automatically updated and enforced by Microsoft. The Azure AD Identity Protection team maintains the list by analyzing security telemetry data to find weak or compromised passwords.
- Variations of these passwords are created using an algorithm that transposes text case and letters to numbers, such as “1” to an “l”.
- These passwords are then added to the global banned password list and made available to all Azure AD users.
- If an Azure AD user tries to set their password to one of these weak passwords, they receive a notification to choose a more secure one.
- This approach improves overall security and effectiveness, and the password validation algorithm also uses smart fuzzy-matching techniques. As a result, Azure AD Password Protection efficiently detects and blocks millions of the most common weak passwords in your enterprise.
Custom banned password lists
Admins can also create custom banned password lists to support specific business security needs. The custom banned password list prohibits passwords such as the organization name or location. Passwords added to the custom banned password list should focus on organization-specific terms such as:
- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have a specific company meaning
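The case-folding, letter-to-number normalization and fuzzy substring matching described in the two sections above, applied to both the global and the custom list, as an added illustrative example (not the service's own code): the substitution table and the sample banned lists are constructed assumptions, and the real service's scoring rules are not reproduced here.

```python
from dataclasses import dataclass

# Illustrative substitution table. The page only says the algorithm transposes
# text case and letters to numbers (e.g. "1" for "l"); the exact swaps below
# are an assumption of this example, not Microsoft's published mapping.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "$": "s", "@": "a", "!": "i",
})

def normalize(password: str) -> str:
    """Fold case and undo common swaps so 'P@ssw0rd' and 'password' compare equal."""
    return password.lower().translate(SUBSTITUTIONS)

@dataclass(frozen=True)
class PasswordPolicy:
    """Microsoft's global list plus the tenant's organization-specific custom list."""
    global_banned: frozenset
    custom_banned: frozenset

def find_banned_terms(password: str, policy: PasswordPolicy) -> list:
    """Return (source, term) pairs for every banned term found as a substring
    of the normalized password, so the rejection can be explained to the user."""
    norm = normalize(password)
    hits = []
    for source, terms in (("global", policy.global_banned),
                          ("custom", policy.custom_banned)):
        for term in terms:
            if normalize(term) in norm:
                hits.append((source, term))
    return sorted(hits)

def evaluate(password: str, policy: PasswordPolicy) -> tuple:
    """Accept or reject a candidate password and say why."""
    hits = find_banned_terms(password, policy)
    if hits:
        reasons = ", ".join(f"{term} ({source} list)" for source, term in hits)
        return False, f"rejected: contains banned term(s) {reasons}"
    return True, "accepted"

# Constructed sample lists; the real global list is maintained by Microsoft.
SAMPLE_POLICY = PasswordPolicy(
    global_banned=frozenset({"password", "qwerty", "letmein"}),
    custom_banned=frozenset({"contoso", "seattle", "widgetco"}),
)

if __name__ == "__main__":
    for candidate in ("P@ssw0rd2023", "C0ntoso!Spring", "Tr0ub4dor&3"):
        print(candidate, "->", evaluate(candidate, SAMPLE_POLICY)[1])
```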
Protecting against password spray
Azure AD Password Protection helps you defend against password spray attacks. Most password spray attacks submit a few of the known weakest passwords against each of the accounts in an enterprise. This technique lets the attacker quickly search for an easily compromised account while staying below potential detection thresholds.
Azure AD Password Protection efficiently blocks all known weak passwords so they can't be used in password spray attacks. This protection is based on real-world security telemetry data from Azure AD, which is used to build the global banned password list.
Hybrid security
For hybrid security, admins can integrate Azure AD Password Protection with an on-premises Active Directory environment. A component installed in the on-premises environment receives the global banned password list and custom password protection policies from Azure AD. Domain controllers then use them to process password change events. This hybrid approach makes sure that Azure AD Password Protection applies wherever a user changes their password.
How Azure AD Password Protection works
The on-premises Azure AD Password Protection components work as follows:
- Firstly, each Azure AD Password Protection Proxy service instance advertises itself to the DCs in the forest by creating a serviceConnectionPoint object in Active Directory. Each DC Agent service for Azure AD Password Protection also creates a serviceConnectionPoint object in Active Directory.
- Secondly, the DC Agent service is responsible for initiating the download of a new password policy from Azure AD. The first step is to locate an Azure AD Password Protection Proxy service by querying the forest for proxy serviceConnectionPoint objects.
- Thirdly, after finding an available proxy service, the DC Agent sends a password policy download request to it. The proxy service forwards the request to Azure AD and returns the response to the DC Agent service.
- After the DC Agent service receives a new password policy from Azure AD, the service stores the policy in a dedicated folder at the root of its domain sysvol folder share. The DC Agent service also monitors this folder in case newer policies replicate in from other DC Agent services in the domain.
- The DC Agent service always requests a new policy at service startup. Once running, it checks the age of the current locally available policy hourly. If the policy is older than one hour, the DC Agent requests a new policy from Azure AD via the proxy service, as described previously. If the current policy isn’t older than one hour, the DC Agent continues to use that policy.
- Lastly, when a DC receives a password change event, the cached policy determines whether the new password is accepted or rejected.
Reference: Microsoft Documentation, Doc 2