Azure AD password policy-ban common passwords (Enforce custom ban passwords)

Table of Contents

  1. Introduction
  2. Mitigation
  3. Prerequisites & Limitations
  4. Implementation
  5. List of few common passwords
  6. Validation
  7. Conclusion
  8. End of Document

Azure AD password policy-enforce custom ban passwords

1. Introduction

The purpose of this document is to explain how to close one of the loopholes that attackers can use to get into your environment: a weak password policy.

Most users choose passwords such as Welcome@123 or Password1 for convenience, and attackers can get into your environment simply by guessing passwords built from the company name, a first name, a last name, a country name, or any other commonly used password.

Since Azure supports SSO (single sign-on), once an attacker gets in with a guessed password, they can easily reach other applications through SSO as well.

Ex: Once an attacker guesses your password, they can log in to any application configured for SSO (Ex: Azure, web email, SharePoint, O365 or any other SSO-enabled application).

2. Mitigation

To stop users from setting very common passwords, apply the Azure AD password policy "Enforce custom banned password list", which protects your environment against attackers who rely on password guessing.

This mitigation also improves your audit score.

3. Prerequisites & Limitations

  • You can enforce a custom banned password list only if you have an Azure AD P1 or P2 license.
  • The custom banned password list can contain up to 1000 terms.
  • The minimum length is 4 characters.

4. Implementation

  1. Sign in to the Azure portal and browse to Azure Active Directory => Security => Authentication methods => Password protection.
  2. Set Enforce custom list = Yes.
  3. Add the strings to the Custom banned password list and click Save.

5. List of few common passwords

111111
123456
123123
222222
Admin
password
Password1
Welcome@123
qwerty
qazwsx
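The portal steps above and the sample list give no way to check, before saving, whether a planned list will actually catch the variants users type (W3lcome@123, P@$$w0rd1 and so on). The script below is an added example, not code from the article and not Microsoft's implementation: it approximates the evaluation Microsoft documents for Azure AD Password Protection (lower-case the candidate, undo common character substitutions, match banned terms as substrings with a one-character tolerance, score one point per matched term and one per remaining character, and accept only five points or more). The substitution table, the one-substitution tolerance and the 16-character upper limit on list entries are assumptions taken from Microsoft's public documentation rather than from this article; the 4-character minimum and the 1000-term limit are the article's own figures.

```python
"""Offline approximation of the Azure AD Password Protection scoring rules.

Added example; not the article's code and not Microsoft's implementation.
It follows the documented behaviour (normalize, substring match with one
substitution allowed, one point per banned term, one point per remaining
character, five points needed) so that a planned custom banned list can be
checked against realistic candidate passwords before it is saved.
"""
from typing import Iterable, List, Tuple

# Substitutions undone during normalization. Assumption: this mirrors the
# leetspeak table Microsoft describes, not its exact contents.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "8": "b", "$": "s", "@": "a", "!": "i",
})

MIN_TERM_LEN = 4      # stated in the article
MAX_TERM_LEN = 16     # Microsoft's per-entry limit (assumption, not in the article)
MAX_TERMS = 1000      # stated in the article
MIN_SCORE = 5         # documented acceptance threshold


def normalize(text: str) -> str:
    """Lower-case the text and undo the common character substitutions."""
    return text.lower().translate(SUBSTITUTIONS)


def _one_substitution_away(a: str, b: str) -> bool:
    """True if two equal-length strings differ in at most one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 1


def score_password(password: str, banned: Iterable[str]) -> Tuple[int, List[str]]:
    """Return (points, matched_terms); longest banned terms are tried first."""
    norm = normalize(password)
    terms = sorted({normalize(t) for t in banned}, key=len, reverse=True)
    points, matched, i = 0, [], 0
    while i < len(norm):
        hit = next((t for t in terms
                    if _one_substitution_away(norm[i:i + len(t)], t)), None)
        if hit:
            matched.append(hit)   # whole banned term counts as a single point
            i += len(hit)
        else:
            i += 1                # every leftover character counts as one point
        points += 1
    return points, matched


def is_accepted(password: str, banned: Iterable[str]) -> bool:
    """Accept only passwords reaching the documented five-point threshold."""
    return score_password(password, banned)[0] >= MIN_SCORE


def validate_custom_list(entries: List[str]) -> List[str]:
    """Report entries the portal would reject (length, duplicates, count)."""
    problems = []
    if len(entries) > MAX_TERMS:
        problems.append(f"{len(entries)} entries exceed the {MAX_TERMS}-term limit")
    seen = set()
    for entry in entries:
        if not MIN_TERM_LEN <= len(entry) <= MAX_TERM_LEN:
            problems.append(f"{entry!r}: length must be {MIN_TERM_LEN}-{MAX_TERM_LEN}")
        if entry.lower() in seen:
            problems.append(f"{entry!r}: duplicate entry")
        seen.add(entry.lower())
    return problems


# The article's sample list, used here as the custom banned list.
ARTICLE_LIST = ["111111", "123456", "123123", "222222", "Admin",
                "password", "Password1", "Welcome@123", "qwerty", "qazwsx"]

if __name__ == "__main__":
    # Constructed candidates: three common variants and one unrelated passphrase.
    for candidate in ["Welcome@123", "W3lcume@123", "P@$$w0rd1", "Tr0ub4dor&3"]:
        pts, hits = score_password(candidate, ARTICLE_LIST)
        verdict = "accepted" if pts >= MIN_SCORE else "rejected"
        print(f"{candidate:14} {pts:2} points  matched={hits}  -> {verdict}")
    print(validate_custom_list(ARTICLE_LIST + ["abc"]))
```

Because both the candidate and the list entries are normalized, adding Welcome@123 to the list also blocks W3lcome@123 and the one-letter typo W3lcume@123, while a password that shares nothing with the list keeps one point per character and passes. The real service also checks the global banned list and the user's own name and tenant name, which this approximation does not model.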

6. Validation

Sign in to https://portal.azure.com => click the signed-in user => View account => Change password => provide a new password.

7. Conclusion

If a user sets a password that matches an entry in the banned password list (common passwords), the user will see the message below. The user then has to choose a strong, complex password, which protects your environment against attackers.

8. End of Document


  1. alankar srivastava says:

    It’s a really useful article for anyone who wants to secure their infra environment.

  2. alankar srivastava says:

    Ref. title and page title are different. Please correct.

    Tips and Tricks: Azure AD password policy-ban common passwords > Read Document redirecting to

    Azure AD password policy-enforce custom ban passwords

      1. Suggestion accepted, post modified ✅ Keep visiting, and thanks again for your suggestion, Alankar.
