Information
With Entra Password Protection, default global banned password lists are automatically applied to all users in an Entra ID tenant. To support business and security needs, custom banned password lists can be defined. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.
A custom banned password list should include organization-specific terms such as the following:
Brand names
Product names
Locations, such as company headquarters
Company-specific internal terms
Abbreviations that have specific company meaning
Rationale:
Creating a new password can be difficult regardless of one's technical background. It is common to look around one's environment for suggestions when building a password; this often means picking words specific to the organization as inspiration. An adversary may employ a 'mangler' to create permutations of these organization-specific words (case changes, character substitutions, appended digits and symbols) in an attempt to crack passwords or hashes, making it easier to reach their goal.
Impact:
If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.
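The following Python is an added illustration, not text from the benchmark or code from Microsoft. It models the evaluation Microsoft documents for Entra Password Protection (normalize the password, find banned terms as substrings, award 1 point per banned term found and 1 point per remaining character, accept at 5 points or more) and adds a small quality check for a candidate custom list. It assumes the documented 4-16 character limit per custom term, omits Microsoft's edit-distance fuzzy matching, and counts overlapping matches longest-term-first and non-overlapping, which is an assumption. The sample terms and passwords are constructed.

```python
"""Simplified model of Entra Password Protection scoring plus a custom-list audit.

Added example, not Microsoft's code. Assumptions: the documented normalisation
substitutions, substring matching only (no edit-distance fuzzing), longest term
matched first, and the documented 4-16 character limit for custom terms.
"""
from __future__ import annotations

# Character substitutions Microsoft documents for normalisation.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5                # documented acceptance threshold
TERM_MIN, TERM_MAX = 4, 16   # documented length limits for custom terms


def normalize(text: str) -> str:
    """Lower-case and undo the common 'leet' substitutions."""
    return text.lower().translate(SUBSTITUTIONS)


def score_password(password: str, banned_terms: list[str]) -> tuple[int, list[str]]:
    """Return (score, banned terms found) for one password."""
    norm = normalize(password)
    covered = [False] * len(norm)
    found: list[str] = []
    # Longest terms first so 'contoso' is credited before a shorter term inside it.
    for term in sorted({normalize(t) for t in banned_terms if t}, key=len, reverse=True):
        start = 0
        while (i := norm.find(term, start)) != -1:
            span = range(i, i + len(term))
            if not any(covered[j] for j in span):  # count each stretch once
                for j in span:
                    covered[j] = True
                found.append(term)
            start = i + 1
    remaining = covered.count(False)  # characters not part of any banned term
    return len(found) + remaining, found


def is_accepted(password: str, banned_terms: list[str]) -> bool:
    """True when the password reaches the documented 5-point threshold."""
    score, _ = score_password(password, banned_terms)
    return score >= MIN_SCORE


def audit_custom_list(terms: list[str]) -> list[str]:
    """Flag terms that are invalid, duplicated after normalisation, or redundant.

    A term that contains another term is redundant: substring matching on the
    shorter term already catches every password containing the longer one.
    """
    problems: list[str] = []
    norm_terms = [normalize(t) for t in terms]
    for raw, term in zip(terms, norm_terms):
        if not TERM_MIN <= len(raw) <= TERM_MAX:
            problems.append(f"{raw!r}: length must be {TERM_MIN}-{TERM_MAX} characters")
        if norm_terms.count(term) > 1:
            problems.append(f"{raw!r}: duplicate after normalisation ({term!r})")
        for other in set(norm_terms):
            if other != term and other in term:
                problems.append(f"{raw!r}: redundant, already covered by {other!r}")
    return problems


if __name__ == "__main__":
    custom = ["Contoso", "blank"]  # constructed custom list (company name, internal term)
    for candidate in ["C0ntoso1!", "C0nt0$0!", "ContoS0Blank12", "ContoS0Blank123"]:
        score, hits = score_password(candidate, custom)
        verdict = "accepted" if is_accepted(candidate, custom) else "rejected"
        print(f"{candidate:18} -> {normalize(candidate):18} score={score} hits={hits} {verdict}")
    for problem in audit_custom_list(["Contoso", "C0ntoso", "ContosoHQ", "HQ"]):
        print("list problem:", problem)
```

The scorer shows why a mangled company name such as C0nt0$0! is still caught (it normalizes back to the banned term and the leftover characters are too few), and the audit shows the other side of the trade-off: terms that duplicate or contain each other only add noise, and very short terms are rejected outright.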
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Create a custom banned password list:
Navigate to Microsoft Entra admin center https://entra.microsoft.com/
Click to expand Protection > Authentication methods
Select Password protection
Set Enforce custom list to Yes
In Custom banned password list, enter one term per line using the suggestions outlined in this document.
Click Save
NOTE: Below is a list of examples that can be used as a starting place. The references section contains more suggestions.
Brand names
Product names
Locations, such as company headquarters
Company-specific internal terms
Abbreviations that have specific company meaning