Description:

In Microsoft Entra ID (formerly Azure Active Directory), the custom banned password list lets administrators add organization-specific terms (up to 1000 terms of 4 to 16 characters each, such as the company name, product names or office locations) to the global banned password list that Microsoft maintains from real-world attack telemetry. Setting 'Enforce custom list' to Yes applies these terms whenever a cloud user sets or changes a password, so predictable, organization-themed passwords and their common variants cannot be chosen. The custom list requires Microsoft Entra ID P1 or P2 licenses; the global list applies to every tenant.

When 'Enforce custom list' is set to Yes, a candidate password is normalized (lower-cased, with the common substitutions 0 for o, 1 for l, $ for s and @ for a undone), searched for banned terms, and scored; a password that does not reach the required score is rejected with an error telling the user it contains a word, phrase, or pattern that makes it easily guessable. Note that this is not an exact-match blocklist: a password built mostly from a banned term is rejected, while one that contains the term alongside enough other characters can still be accepted.

Rationale:

By enforcing a custom banned password list:

  • Enhance security: Blocks passwords built from the terms attackers try first against your tenant (company name, brand and product names, locations) and their common variants. Generic weak passwords such as "password123" or "admin123" are already covered by the global banned password list, so the custom list closes the organization-specific gap.

  • Comply with organizational or regulatory policies: Many security frameworks and compliance standards require a password policy that rejects known weak and context-specific passwords, which a maintained banned list demonstrates.

  • Prevent unauthorized access: Removing predictable, organization-themed passwords lowers the success rate of password spray and dictionary attacks, which rely on exactly those guesses.

Impact:

Setting 'Enforce custom list' to Yes:

  • Increases security by preventing weak or easily guessable passwords from being used by your organization's users.

  • Requires periodic review of the list so it stays relevant (new brand, product or project names; terms seen in recent phishing or password spray attempts against the tenant). Breached and commonly used passwords do not need to be added: the global list already covers them, and the custom list is limited to 1000 terms.

  • May affect user experience, since users can no longer choose familiar passwords built from company terms. The error message only tells them the password contains a guessable word or pattern, so an explanatory communication before enforcement reduces help-desk calls.

Default Value:

By default, 'Enforce custom list' is set to No and the custom banned password list is empty. The global banned password list is always applied to cloud accounts regardless of this setting. You must add terms to the custom list and set 'Enforce custom list' to Yes before they are enforced.

Pre-requisites:

  • A Microsoft Entra tenant; the custom banned password list requires Microsoft Entra ID P1 or P2 licenses.

  • Global Administrator or Security Administrator role permissions to configure password policies.

  • The list of terms to ban (organization-specific names, products, locations and similar; each term 4 to 16 characters, at most 1000 terms).

Audit:

  1. Sign in to the Azure portal (or the Microsoft Entra admin center) as a Global Administrator or Security Administrator.

  2. Navigate to Microsoft Entra ID > Security > Authentication methods > Password protection.

  3. Verify that 'Enforce custom list' is set to Yes and that the 'Custom banned password list' contains the organization's terms. A Yes with an empty list enforces nothing beyond the global list.
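The same check can be scripted against the tenant's directory settings. The following is an added example, not part of the original page and not Microsoft's own tooling: it audits a JSON document of the shape Microsoft Graph returns from GET https://graph.microsoft.com/beta/settings for the "Password Rule Settings" directory setting. The response below is constructed for illustration, and the value names (EnableBannedPasswordCheck, BannedPasswordList, BannedPasswordCheckOnPremisesMode) are the ones this example assumes; in a live audit, fetch the document with Invoke-MgGraphRequest or an HTTP client carrying a Graph bearer token and pass it to audit_custom_banned_list().

```python
# Added example, not from the original page or from Microsoft: offline audit of
# the custom banned password list. It evaluates a JSON document of the shape
# Microsoft Graph returns from GET https://graph.microsoft.com/beta/settings for
# the "Password Rule Settings" directory setting. The response below is
# constructed here; the value names are the ones this example assumes.
import json
from typing import Optional

# Constructed sample response (assumption: one directorySetting object per
# template; BannedPasswordList is a tab-separated string of terms).
SAMPLE_SETTINGS_JSON = r"""
{
  "value": [
    {
      "displayName": "Password Rule Settings",
      "values": [
        {"name": "BannedPasswordCheckOnPremisesMode", "value": "Audit"},
        {"name": "EnableBannedPasswordCheckOnPremises", "value": "False"},
        {"name": "EnableBannedPasswordCheck", "value": "True"},
        {"name": "LockoutDurationInSeconds", "value": "60"},
        {"name": "LockoutThreshold", "value": "10"},
        {"name": "BannedPasswordList", "value": "contoso\tcontosohq\tfabrikam"}
      ]
    }
  ]
}
"""

MAX_TERMS = 1000            # documented limit on custom list size
TERM_LENGTH = range(4, 17)  # each term must be 4 to 16 characters


def load_settings(text: str) -> dict:
    """Parse the Graph response body (a JSON string) into a dict."""
    return json.loads(text)


def password_rule_settings(settings_doc: dict) -> Optional[dict]:
    """Flatten the Password Rule Settings values into a name -> value dict."""
    for setting in settings_doc.get("value", []):
        if setting.get("displayName") == "Password Rule Settings":
            return {v["name"]: v["value"] for v in setting.get("values", [])}
    return None  # template never instantiated: tenant is on defaults


def set_value(settings_doc: dict, name: str, value: str) -> dict:
    """Overwrite one Password Rule Settings value in place (to test variants)."""
    for setting in settings_doc.get("value", []):
        if setting.get("displayName") == "Password Rule Settings":
            for entry in setting.get("values", []):
                if entry["name"] == name:
                    entry["value"] = value
    return settings_doc


def audit_custom_banned_list(settings_doc: dict) -> dict:
    """Return findings; 'pass' is True only when the list is enforced and well formed."""
    values = password_rule_settings(settings_doc)
    if values is None:
        return {"configured": False, "enforced": False, "terms": [],
                "invalid_terms": [], "on_prem_mode": None, "pass": False}
    enforced = values.get("EnableBannedPasswordCheck", "False").lower() == "true"
    terms = [t for t in values.get("BannedPasswordList", "").split("\t") if t]
    invalid = [t for t in terms if len(t) not in TERM_LENGTH]
    return {
        "configured": True,
        "enforced": enforced,
        "terms": terms,
        "invalid_terms": invalid,
        # Separate setting: whether on-premises AD checks are Audit or Enforced.
        "on_prem_mode": values.get("BannedPasswordCheckOnPremisesMode"),
        # Enforcement of an empty or malformed list is reported as a failure.
        "pass": enforced and bool(terms) and not invalid and len(terms) <= MAX_TERMS,
    }


if __name__ == "__main__":
    print(json.dumps(audit_custom_banned_list(load_settings(SAMPLE_SETTINGS_JSON)), indent=2))
```

The audit fails closed: 'Enforce custom list' set to Yes with no terms, a term outside the 4 to 16 character range, or more than 1000 terms all count as not passing, because each of those leaves the tenant relying on the global list alone. The on-premises mode is reported separately since it is a different control.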

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID:

    • In the Azure portal, go to Microsoft Entra ID (still labelled Azure Active Directory in older portal versions).

  3. Go to Password Protection Settings:

    • Under Security, select Authentication methods.

    • In the Authentication methods pane, click on Password protection.

  4. Configure Custom Banned Password List:

    • In the Password protection pane, locate the 'Custom Banned Password List' section.

    • Add the terms your organization wants to block, one per line, each 4 to 16 characters (up to 1000 terms). Good candidates are:

      • Company, brand, product and project names (e.g., "contoso", "contosohq").

      • Office locations, campus names and internal jargon that users tend to build passwords from.

    • Do not spend entries on generic passwords such as "123456", "password123" or "qwerty123": the global banned password list already covers commonly used and breached passwords. Because candidate passwords are normalized before matching, a single term such as "contoso" also catches variants like "C0nt0s0" and "CONTOSO!".

  5. Set 'Enforce custom list' to Yes:

    • In the 'Custom banned password list' section, set 'Enforce custom list' to Yes.

    • With this set to Yes, the custom terms are evaluated together with the global list on every cloud password set or change, and a password that scores below the threshold is rejected. Leaving it at No keeps the list but does not apply it.

  6. Save the Settings:

    • After configuring the list and setting it to 'Enforce', click Save to apply the changes.

  7. Verify the Configuration:

    • Test with a non-privileged test account: change its password to one built from a banned term (for example the company name followed by a single digit). The change should fail with the message that the password contains a word, phrase, or pattern that makes it easily guessable. Also try the same term padded with several additional characters to see what the scoring still allows. Note that passwords changed directly against on-premises Active Directory are checked only if the Microsoft Entra Password Protection proxy and DC agents are deployed and the on-premises mode is set to Enforced; this setting alone covers cloud password changes.

  8. Communicate to Users:

    • Inform users about the new password policy, especially if the banned password list includes common terms that users may have previously used.

    • Encourage users to select strong, unique passwords that comply with the new policy.

  9. Monitor and Review:

    • Review Microsoft Entra audit logs for password change and self-service password reset activity. For on-premises coverage, the DC agent writes accepted and rejected password events to the Microsoft-AzureADPasswordProtection-DCAgent/Admin event log, and Get-AzureADPasswordProtectionSummaryReport from the AzureADPasswordProtection PowerShell module summarizes them per domain controller.

    • Route the logs to a Log Analytics workspace through Diagnostic settings and create Azure Monitor alerts for repeated rejected attempts from one account, which can indicate a user struggling with the policy or an automated process that sets passwords and needs updating.
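Before setting 'Enforce custom list' to Yes, it helps to know which candidate passwords the evaluation will actually reject. The following is an added example, not code from the original page or from Microsoft: a local model of the check Microsoft documents for Entra ID Password Protection (normalization, banned-term substring matching, and a 5-point score), run over constructed custom and global term lists. It assumes the four documented character substitutions and omits the service's additional fuzzy (edit distance 1) matching, so it blocks no more than the real check does.

```python
# Added example, not code from the original page or from Microsoft: a local
# model of the documented Entra ID Password Protection evaluation, used to
# pre-test candidate passwords against a custom list. Assumption: the service's
# fuzzy matching (edit distance 1) is omitted; term lists are constructed.

# Character substitutions the public documentation lists for normalization.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed custom list: organization-specific terms, 4 to 16 characters each.
CUSTOM_BANNED = ["contoso", "fabrikam", "redmond"]
# A few stand-ins for Microsoft's global banned list, which is always applied.
GLOBAL_BANNED = ["password", "welcome", "qwerty", "letmein"]

MIN_POINTS = 5  # documented threshold: fewer than 5 points means rejection
BLANK = "\x00"  # marker for characters already consumed by a banned term


def normalize(password: str) -> str:
    """Lowercase and undo the documented character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def find_banned_terms(normalized: str, banned: list[str]) -> tuple[list[str], str]:
    """Return banned terms found as substrings (longest first) and the leftover text."""
    found = []
    remaining = normalized
    for term in sorted({t.lower() for t in banned}, key=lambda t: (-len(t), t)):
        while term in remaining:
            found.append(term)
            # Blank out the match so its characters are not scored as leftovers.
            remaining = remaining.replace(term, BLANK * len(term), 1)
    return found, remaining


def evaluate(password: str, custom: list[str] = CUSTOM_BANNED) -> dict:
    """Score a candidate: one point per banned term found, one per leftover character."""
    normalized = normalize(password)
    found, remaining = find_banned_terms(normalized, GLOBAL_BANNED + custom)
    leftover = sum(1 for c in remaining if c != BLANK)
    points = len(found) + leftover
    return {"normalized": normalized, "banned_terms": found,
            "points": points, "accepted": points >= MIN_POINTS}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "C0ntoso1", "Welc0me2Contoso",
                      "Contoso2024!", "Tr0ub4dor&3"]:
        r = evaluate(candidate)
        verdict = "accepted" if r["accepted"] else "REJECTED"
        print(f"{candidate:16} -> {r['normalized']:16} terms={r['banned_terms']} "
              f"points={r['points']} {verdict}")
```

Running it shows the caveat a practitioner should carry into the verification step: "P@ssw0rd" (1 point) and "C0ntoso1" (2 points) are rejected, but "Contoso2024!" reaches 6 points because the year and punctuation each score, so it is accepted even though it starts with a banned term. The custom list removes the lowest-effort guesses; it does not make every string containing a company term unusable.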

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID:

    • Go to Microsoft Entra ID > Security > Authentication methods > Password protection.

  3. Remove or Modify the Custom Banned Password List:

    • In the Password protection pane, locate the 'Custom Banned Password List'.

    • Remove the existing list or modify the banned terms as needed. To stop applying the list while keeping its contents for later, set 'Enforce custom list' to No.

  4. Save the Configuration:

    • Click Save to apply the changes and revert the banned password list configuration.

  5. Test the Reverted Configuration:

    • Test by attempting to set a password that the custom list previously blocked and confirm it is now accepted. Passwords on the global banned password list are still rejected, since that list is not affected by this setting.

  6. Monitor the Reversion:

    • Continue monitoring password change activity to gauge how many accounts adopt previously banned terms while the control is off, and plan to re-enable enforcement once the reason for the rollback is resolved.

References: