Source: Microsoft Entra Password Protection – Microsoft Entra ID | Microsoft Learn
CHECK OUT MY OTHER ENTRA ID PASSWORD PROTECTION GUIDE ON HOW TO DEPLOY TO LEGACY ACTIVE DIRECTORY FOR SYNCED USERS: Password Protection Policy – Hybrid mode to on-premise AD – Christoffer Klarskov Jakobsen – Microsoft Architect
License requirement: the default Microsoft global banned passwords list is enabled for all tenants and all users on the Entra ID Free plan, but only for cloud-only users.
Custom banned passwords lists and synced users require Entra ID P1 or P2 license.
It is super easy to configure a custom banned password list for a customer.
Simply navigate to https://entra.microsoft.com
Locate Protection and then Authentication Methods:
Then go to Password Protection:
Note that the lockout duration in seconds is only 60, but the notification tells us that repeated lockouts will increase the duration automatically.
Generate a list of custom banned passwords.
(Microsoft recommends: A list of words, one per line, to prevent your users from using in their passwords. You should include words specific to your organization, such as your products, trademarks, industries, local cities and towns, and local sports teams. Your list can contain up to 1000 words. These are case insensitive, and common character substitutions (o for 0, etc) are automatically considered.)
Save and test it by trying to reset a user's password and including a word, or a similar word, from the custom banned list.
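To sanity-check a custom list before pasting it into the portal, and to see why "C0nt0so2024!" still fails after you ban "Contoso", here is an added example (not code from the page or from Microsoft) that validates the one-word-per-line format against the 1000-word limit and pre-checks candidate passwords with the case-insensitive, substitution-aware matching the text describes. The substitution table and the substring rule are my assumptions that approximate the described behaviour; the authoritative check is the one Entra performs at reset time.

```python
from typing import List, Tuple

MAX_WORDS = 1000  # list size limit quoted in the text

# Hypothetical substitution table: look-alike characters folded to letters so
# "C0nt0so" and "contoso" compare equal, as the text says Microsoft does.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "$": "s", "@": "a", "!": "i",
})


def normalize(value: str) -> str:
    """Case-insensitive, substitution-folded form used for all comparisons."""
    return value.lower().translate(SUBSTITUTIONS)


def load_banned_list(text: str) -> Tuple[List[str], List[str]]:
    """Parse a one-word-per-line list; return (normalized words, problems)."""
    words: List[str] = []
    problems: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        word = raw.strip()
        if not word:
            continue
        folded = normalize(word)
        if folded in seen:
            problems.append(f"line {lineno}: {word!r} is a duplicate after normalization")
            continue
        seen.add(folded)
        words.append(folded)
    if len(words) > MAX_WORDS:
        problems.append(f"{len(words)} words exceeds the {MAX_WORDS}-word limit")
    return words, problems


def banned_terms_in(password: str, banned: List[str]) -> List[str]:
    """Banned terms that survive as substrings once the candidate is normalized."""
    folded = normalize(password)
    return [term for term in banned if term in folded]


# Constructed sample list, including a duplicate that only differs in case.
SAMPLE_LIST = "Contoso\ncontoso\nContosoFlux\nSeattle\n"

if __name__ == "__main__":
    banned, problems = load_banned_list(SAMPLE_LIST)
    print("problems:", problems)
    for candidate in ("C0nt0so2024!", "S3attle$un", "Bl4ckbird#9"):
        print(candidate, "->", banned_terms_in(candidate, banned))
```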