1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Microsoft Azure creates a default bad password policy that is already applied to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy.

Rationale:

Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.

Impact:

Increasing needed password complexity might increase overhead on administration of user accounts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Portal

From Azure Home select the Portal Menu

Select Azure Active Directory in the menu that opens, and then Security.

Under Management select Authentication, then Password Protection.

Set the Enforce custom list to Yes.

Double click the custom password list to add a string.

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

Default Value:

By default the custom bad password list is not 'Enabled'. Organizational-specific terms can be added to the custom banned password list, such as the following examples:

Brand names

Product names

Locations, such as company headquarters

Company-specific internal terms

Abbreviations that have specific company meaning

Months and weekdays with your company's local languages

The default Azure bad password policy is already applied to your resources which applies the following basic requirements:

Characters allowed:

Uppercase characters (A - Z)

Lowercase characters (a - z)

Numbers (0 - 9)

Symbols:

@ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ' ~ ' ( ) ; < >

blank space

Characters not allowed:

Unicode characters

Password length Passwords require

A minimum of eight characters

A maximum of 256 characters

Password complexity: Passwords require three out of four of the following categories:

Uppercase characters

Lowercase characters

Numbers

Symbols Note: Password complexity check isn't required for Education tenants.

Password not recently used:

When a user changes or resets their password, the new password can't be the same as the current or recently used passwords.

Password isn't banned by Azure AD Password Protection.

The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization.

See Also

https://workbench.cisecurity.org/files/4052