Azure Active Directory Feature Bans Custom Words from User Passwords

The Scourge of Bad Passwords

Bad passwords for Azure Active Directory accounts are those that are easy to guess, overly simple, or common. “Password123” is a good example of a password that you wouldn’t like to see someone using, especially if they use the same password for multiple sites and so expose themselves to the dangers of being pwned, which is when the bad guys retrieve a username and password combination from a compromised site and use the pair to do some harm (see this article for how to check that Office 365 accounts have not been pwned).

Custom Banned Passwords

Azure Password Protection, a feature of Azure Active Directory, does its bit to eliminate bad passwords by maintaining a global banned password list generated by observing how passwords are created and compromised across the breadth of Microsoft’s cloud properties. In November, Microsoft added the ability for a tenant to add a set of custom banned passwords to the list, such as the name of the company, trademarks, or brand names. The feature is in preview, but it seems like such a simple and good idea that it should find its way into general availability soon and then become part of the norm for Azure Active Directory.

To configure custom banned passwords, go to the Azure Active Directory portal, select Authentication Methods, and then Password Protection. As shown below, you then enter a list of custom words, choose to enforce the list, and Save.

Adding custom banned passwords

Immediately, Azure Active Directory includes the custom words in its validation of changes to user passwords. As explained in Microsoft’s article, “the banned password list matches passwords in the list by converting the string to lowercase and comparing to the known banned passwords within an edit distance of 1 with fuzzy matching.”

Testing a Banned Word

As a test, I signed into a user account and went to their Office 365 settings to change the account password. In this case, “England” is a word on the banned list, and I entered “England2018!” as the new password. At first glance, this is a strong password because it has a mixture of uppercase and lowercase letters, some numbers, and a special character. But because the new password matched a banned word, Office 365 rejected it and told the user to choose a password that’s harder for people to guess.

Failure because a word in the chosen password is on the banned list
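To make the matching rule quoted above concrete, here is an added illustration (not Microsoft’s code, and not the service’s actual implementation) of a check that lowercases a candidate password and rejects it when any substring is within an edit distance of 1 of a banned word. The banned list, the candidate passwords and the helper names are all constructed for the example; the real service applies further normalization and scoring rules that this sketch does not reproduce. The “England2018!” case from the test above is one of the inputs.

```python
"""Illustrative banned-word check: lowercase, then Levenshtein distance <= 1
against every banned word, applied to substrings of the candidate password.
Hypothetical helper code for this article; not the Azure AD implementation."""

from typing import Optional


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (insert, delete, substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def matches_banned(password: str, banned_words, max_distance: int = 1) -> Optional[str]:
    """Return the banned word that the password matches, or None.

    The password and the list are lowercased first, as the article's quoted
    rule says. A word matches if any window of the password whose length is
    within max_distance of the word's length is within max_distance edits.
    """
    pw = password.lower()
    for word in (w.lower() for w in banned_words):
        if not word:
            continue
        for length in range(max(1, len(word) - max_distance), len(word) + max_distance + 1):
            for start in range(0, len(pw) - length + 1):
                if edit_distance(pw[start:start + length], word) <= max_distance:
                    return word
    return None


# Constructed custom banned list for the example (a company name plus a word
# from the test in the article).
BANNED = ["Contoso", "England"]


def check_password(password: str) -> str:
    """Return a short verdict string a help desk could show to the user."""
    hit = matches_banned(password, BANNED)
    if hit is None:
        return "accepted"
    return f"rejected: contains a variant of the banned word '{hit}'"


if __name__ == "__main__":
    for candidate in ["England2018!", "Engl4nd2018!", "Summer2018!", "C0ntoso#1"]:
        print(f"{candidate:15} -> {check_password(candidate)}")
```

Note that “Engl4nd2018!” is also rejected: the window “engl4nd” is one substitution away from “england”, which is why a user who “fixes” a banned word with a single leet-speak character still fails the check.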

The Need for User Education

At this point, the user is probably a tad bemused because they have done what they think is the right thing to create a good password, so they’ll probably call the help desk. User education and information needs to be part of the introduction of features like this, unless your help desk likes to be swamped with calls.

Licensing

Using the global banned password list is free for cloud-only Office 365 users. Things get a little more interesting (potentially expensive) when you have synchronized on-premises users or want to use custom banned words with cloud-only users. On-premises users need an Azure AD Premium license, while cloud-only users need an Azure AD Basic license to use custom words. Office 365 comes with an Azure AD Free license, but the need to upgrade is probably not an issue for the enterprise customers to which a feature like this is most useful, as it’s likely that they have Enterprise Mobility and Security licenses to cover the requirement.

See this blog by hosting guru Oliver Moazzezi for information about how to integrate on-premises Active Directory with Azure Password Protection. Further in-depth coverage is also available in the blog of MVP Brian Reid.

Not a Magic Bullet

Features like this are not a magic bullet against hacker attacks. Instead, they are individual bricks in a wall of preventative measures that an Office 365 tenant can erect to limit the attack surface for hackers. Disabling basic authentication for Exchange Online to reduce the effectiveness of password spraying attacks is another example. Ensuring that high-profile users and all administrator accounts use multi-factor authentication is yet another.

The point is that hackers don’t stop thinking about how they can break into systems. Office 365 tenant administrators need to keep raising their game too, as otherwise their tenant will eventually be compromised.


Identities are covered in depth in Chapter 3 of the Office 365 for IT Pros eBook. And then you’ll probably want to read Chapter 4 to brush up on Office 365 management.
