Passwords continue to be the most preferred form of authentication for securing business data and resources of organizations around the globe. They can be changed instantaneously and can be used as a combination of alphabets, numbers, and special characters. On the flip side, these are relatively easy to crack especially with the aid of technology. Human fallacies such as the use of common words and terms or using the same password across different platforms only compound the problem. Importantly, the policies which determine how strong passwords should be, have not changed in decades especially for on-premises systems providing sufficient time for hackers to decode the settings. Azure AD Password Protection is an important service that fixes these security gaps.
Advantages of Azure AD Password Protection
Azure AD Password Protection eliminates the chances of users choosing weak and vulnerable passwords. It allows organizations to customize lockout settings for the environments in which it is deployed. Let us take a look at the other advantages of deploying Azure AD Password Protection.
Telemetry Based Global Banned Password List
Microsoft employs a dedicated team to analyze Azure AD security telemetry data to identify weak base terms that result in compromised passwords. These terms are added to the global banned password list on an ongoing basis. When users change their passwords or reset for any tenant in Azure AD, the latest version of the global banned password list is used for validating the strength of the password before reset.
Organization Specific Custom Banned Password List
While the records in the global banned password list are applied for verification for every tenant using Azure AD, some organizations might want to improve their security further by adding terms that are commonly used among their employees and other stakeholders. These could be based on their brand names, product names, locations, abbreviations, or company-specific jargon that could be guessed by attackers. This flexibility of adding additional terms to the list of banned passwords is offered on the Azure Portal.
Advanced Password Attack Protection
Organizations have several accounts and attackers are generally aware of the fact that attacking a single account increases the risk of detection. Consequently, the try to use only the weakest passwords for multiple enterprise accounts to avoid the detection thresholds. Azure AD Password Protection service uses real-world security telemetry data in combination with validation algorithms to protect enterprise users against brute force attacks.
Hybrid and On-Premises Applications
While Azure AD protects cloud-based applications, its benefits are extended to hybrid deployments and on-premises Windows Server Active Directory as well. With this capability, password resets and changes in the Active Directory will have to comply with the same policies that are applicable to cloud users. This is realized with the installation of the on-premises agent
How Does Azure AD Password Protection Work?
Azure AD Password protection uses a series of steps to ensure that new passwords comply with the basic requirements of strength and complexity. Here’s a summary of the architecture involved in the functioning of the service.
- Every time there is an attempt to change or reset a password, it is compared with the list of banned passwords. In some cases, certain passwords will be accepted even if they contain banned base terms if they are evaluated to be strong enough by the banned password algorithm.
- In the case of on-premises deployments, a domain controller agent communicates with Azure AD through a proxy service to download and update the password policy.
- The most recently available policy is used to validate password resets and changes.
It must be noted that Azure AD Password Protection does not override the existing AD password policy settings. Both must be simultaneously satisfied by new passwords for on-premises deployments.
How Azure AD Password Protection is Deployed and Enabled?
Azure AD Password Protection is enabled by default for cloud users. However, it has to be installed and configured for the on-premises Active Directory Domain Services (AD DS) environment. Here’s how you can enable on-premises Azure AD Password Protection.
- Log in to the Azure portal and navigate to Password Protection in Azure Active Directory.
- Toggle the option for Enable password protection on Windows Server Active Directory to Yes.
There are additional settings that you can change here such as enabling the option for enforcing custom list or updating the custom banned password list. Set the mode to Audit to evaluate the effectiveness of a newly created policy before enabling it.
Apps4Rent Can Help with Azure AD Password Protection
While Azure AD password protection with a global banned password list is free for cloud-only users, Azure AD password protection with custom banned password list is available only with Azure AD Premium P1 or P2. Similarly, users synchronized from on-premises Windows Server Active Directory also need to upgrade to premium plans for Azure AD Password Protection. As a Tier 1 Microsoft CSP, Apps4Rent can help you procure Azure AD licenses and implement cutting edge solutions to protect your accounts with Azure AD Password Protection. Our experts provide 24/7 technical assistance via phone, chat, and email. Contact us today for Azure services and solutions licenses.