Use Microsoft Entra ID Password Protection to defend against password spray attacks


Working on my own tenant resulted in re-visiting the password protection policies that I had configured some time ago. As a result, I wanted to explore all possible settings and thus came about the idea of putting a blog post together.

Recent studies suggest that weak passwords are often the root cause of data breaches, hacks, and other cybersecurity incidents. They’re the weak link in the chain, easily guessable by hackers looking to brute force their way into a business or individual’s online accounts. This is where the need for strong Password protection policies comes into play.

Microsoft Entra ID Password Protection 

Microsoft Entra ID Password Protection can help you defend against password spray attacks. Most password spray attacks don't attempt to attack any given individual account more than a few times. This behavior would increase the likelihood of detection, either via account lockout or other means.

The majority of password spray attacks submit only a small number of the known weakest passwords against each of the accounts in an enterprise. This technique allows the attacker to quickly search for an easily compromised account and avoid potential detection thresholds.

Microsoft Entra ID Password Protection efficiently blocks all known weak passwords likely to be used in password spray attacks. This protection is based on real-world security telemetry data from Microsoft Entra ID to build the global banned password list.

Many organizations have a hybrid identity model that includes on-premises Active Directory Domain Services (AD DS) environments. To extend the security benefits of Microsoft Entra ID Password Protection into your AD DS environment, you can install components on your on-premises servers. These agents require password change events in the on-premises AD DS environment to comply with the same password policy as in Microsoft Entra ID.

Eliminate bad passwords using Azure Active Directory Password Protection

Global banned password list

The Microsoft Entra ID Identity Protection team constantly analyzes Microsoft Entra ID security telemetry data looking for commonly used weak or compromised passwords. The analysis looks for base terms that often are used as the basis for weak passwords. When weak terms are found, they're added to the global banned password list. The contents of the global banned password list are on the results of Microsoft Entra ID security telemetry and analysis.

Custom banned password list

Organizations can improve their cyber security by adding their own customizations on top of the global banned password list. Terms added to the custom banned password list should be focused on organizational-specific terms such as the following examples:

-Brand names
-Product names
-Locations, such as company headquarters
-Company-specific internal terms
-Abbreviations that have specific company meaning

I scoured through the internet and put a list of most commonly used passwords.


Note: Instead of blocking specific variation of terms like Password123 or Password@123, just look at blocking the key base term. Ex - Password. This is because the password validation algorithm will automatically block weak variants and combinations.

Here is how you can configure them in your tenant -

1. Sign in to the Microsoft Entra ID portal using an account with global administrator permissions.

2. Under Protection, select Authentication methods, then Password protection.

3. Set the option for Enforce custom list to Yes.

Add strings to the Custom banned password list, one string per line. The following considerations and limitations apply to the custom banned password list:

-The custom banned password list can contain up to 1000 terms.
-The custom banned password list is case-insensitive.
-The custom banned password list considers common character substitution, such as "o" and "0", or "a" and "@".
-The minimum string length is four characters, and the maximum is 16 characters.

4. Set Mode to Enforced

Note: You have the option to set it to Audit as well which will only log the attempt made by the user. Also, it may take several hours for updates to the custom banned password list to be applied.

User Experience

When a user attempts to reset a password using to something that's on the global or custom banned password list, they see one of the following error messages:

-Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.

-Unfortunately, you can't use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password.

Final Thoughts

Please note that even if a user's password contains a banned password, the password may be accepted if the overall password is otherwise strong enough. When terms are added to the custom banned password list, they're combined with the terms in the global banned password list. Password change or reset events are then validated against the combined set of these banned password lists.

Tip: Use User risk and Risky sign-in together with Microsoft Entra ID password protection to defend against brute force and spray attacks. I blogged about it earlier this year which you can refer to over here.


Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Intune: Configure Printers for Non-Administrative Users

How to Whitelist apps using Applocker in Intune