Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-10-18) Azure AD Password Protection (A.k.a. Banned Password List) – At A High Level (Part 1)

Posted by Jorge on 2019-10-18


AD has complexity requirements, and by those rules C0mpany01 counts as a strong password. It may have been one more than a decade ago, but it is not today. Hackers laugh at passwords like those. Quite some time ago Azure AD introduced a feature initially called "Banned Password List" (BPL), which is called "Azure AD Password Protection" today. It is all about defining a list of words that are considered too common to be used in passwords, as those render the password weak as well. The list of banned words is defined in Azure AD, both by Microsoft (the Global List) and by the owner/admin of the AAD tenant (the Custom Per-Tenant List). DCs in the AD forest have a DC agent installed that retrieves the list of banned words through a proxy service, so the DCs do not require a direct connection to Azure AD. This Azure AD feature is really important for enhancing the current use of passwords within organizations.

To read more about the architecture and how it all fits together, please see: Enforce Azure AD password protection for Windows Server Active Directory

Regarding the list of words, there is a global Microsoft list whose content nobody knows, except Microsoft of course. The global list of banned words is not fully localized (English only). For example, it prohibits "welkom" (welcome in Dutch), but it allows "wachtwoord" (password in Dutch), while it denies both "password" and "welcome" in English. Weird. In addition to that you can define your own custom list.

When defining that custom list you need to take the following characteristics into account:

  • Minimum character length for each word = 4 or higher
  • Maximum character length for each word = 16 or less
  • The custom list supports a maximum of 1000 words
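As an added example (not code from the original post, and not Microsoft's own implementation), the snippet below validates a candidate custom list against the three constraints just listed and then shows why a password like C0mpany01 is caught once a banned word is in the list. The sample list and the digit/symbol-for-letter substitution table are constructed for illustration; the real Azure AD evaluation algorithm is not described in this post and is not reproduced here.

```python
"""Added example: validate a custom banned-word list and check a candidate password.

This is illustrative code only, not Microsoft's Azure AD Password Protection
implementation. The constraints come from the post; everything else is assumed.
"""

MIN_WORD_LEN = 4    # from the post: minimum character length per word
MAX_WORD_LEN = 16   # from the post: maximum character length per word
MAX_WORDS = 1000    # from the post: the custom list holds at most 1000 words

# Constructed sample list; a real tenant list is whatever the tenant admin defines.
SAMPLE_CUSTOM_LIST = [
    "Company",
    "Contoso",
    "Amsterdam",
    "wachtwoord",                  # the post notes the global list does not ban this
    "abc",                         # too short: rejected
    "thisisfartoolongforthelist",  # too long: rejected
]


def validate_custom_list(words):
    """Return (accepted, rejected).

    accepted: words that satisfy the length and count limits, in input order.
    rejected: dict mapping each rejected word to the reason it was refused.
    """
    accepted, rejected = [], {}
    seen = set()
    for word in words:
        key = word.lower()
        if key in seen:
            rejected[word] = "duplicate entry"
            continue
        if len(word) < MIN_WORD_LEN:
            rejected[word] = f"shorter than {MIN_WORD_LEN} characters"
            continue
        if len(word) > MAX_WORD_LEN:
            rejected[word] = f"longer than {MAX_WORD_LEN} characters"
            continue
        if len(accepted) >= MAX_WORDS:
            rejected[word] = f"list already holds {MAX_WORDS} words"
            continue
        seen.add(key)
        accepted.append(word)
    return accepted, rejected


# Assumed, simplified normalisation: undo common digit/symbol-for-letter swaps
# so that "C0mpany01" is compared as "companyol". Illustration only.
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i"}
)


def normalize(password):
    """Lower-case the password and apply the assumed substitution table."""
    return password.lower().translate(SUBSTITUTIONS)


def banned_words_in(password, banned):
    """Return the banned words (lower-cased) found as substrings of the normalised password."""
    norm = normalize(password)
    return [w.lower() for w in banned if w.lower() in norm]


if __name__ == "__main__":
    ok, bad = validate_custom_list(SAMPLE_CUSTOM_LIST)
    print("accepted:", ok)
    print("rejected:", bad)
    for candidate in ("C0mpany01", "Tr0ub4dor&3"):
        print(candidate, "->", banned_words_in(candidate, ok) or "no banned word found")
```

Running the block shows the two malformed entries rejected with their reason, and the "strong-looking" C0mpany01 flagged because it still contains the banned word "company" once the digit substitutions are undone.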

In the next blog post I’ll continue with its configuration.

More Information about this:

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge's Quest For Knowledge ##########################
################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-
