Enabling Password Protection in Entra ID [CHK-1147]
This check verifies whether password protection is enabled and correctly configured in Entra ID, and whether the custom banned password list contains all of the baseline terms that Attic uses to cover common Dutch password patterns.
Rationale
Blocking known weak passwords is a basic control for keeping accounts secure. Microsoft's Password Protection feature enforces it by rejecting any password that matches a banned term whenever a password is set or changed. This check aligns with CIS M365 1.1.5, which recommends enabling password protection for Active Directory.
Microsoft's global banned password list is primarily English-oriented. Common Dutch patterns such as Zomer2025!, Welkom01! or Amsterdam2026! may not be blocked by default. Attic Security adds a baseline of common Dutch weak password terms to the custom list to narrow this gap.
Baseline Banned Password Terms Set by Attic
When the automated fix runs, Attic adds the following terms to your custom banned password list. These are the exact terms the check verifies are present. Three-letter words such as mei (May) and ram (Aries) cannot be included, because Microsoft requires each term to be at least 4 characters long:
- Days of the week: maandag, dinsdag, woensdag, donderdag, vrijdag, zaterdag, zondag
- Seasons: lente, zomer, herfst, winter
- Months: januari, februari, maart, april, juni, juli, augustus, september, oktober, november, december
- Common terms: wachtwoord, welkom, geheim
- Star signs: stier, tweelingen, kreeft, leeuw, maagd, weegschaal, schorpioen, boogschutter, steenbok, waterman, vissen
- Major Dutch cities: amsterdam, rotterdam, denhaag, utrecht, eindhoven, groningen, tilburg, almere, breda, nijmegen, arnhem, haarlem, enschede, maastricht
- Dutch provinces: drenthe, flevoland, friesland, gelderland, limburg, noordbrabant, noordholland, overijssel, zeeland, zuidholland
Adding Your Own Banned Password Terms
You can extend the list with organization-specific terms, for example your company name, brand names, product names, street names, or the town where your office is located. Add these in Attic via the Risky passwords configuration variable. When the fix runs, Attic combines your input with the baseline and writes the merged result to the custom banned password list in Entra.
Microsoft specifications for custom banned password terms:
- Each term must be 4 to 16 characters long
- The list supports a maximum of 1000 terms
- Terms are case-insensitive (Welkom and welkom are treated the same)
- Common character substitutions are normalized before matching, so you do not need to add variants such as Welk0m or W@chtw00rd. Microsoft's documentation lists the substitutions 0 to o, 1 to l, $ to s and @ to a; do not rely on other substitutions (W3lk0m, Welk@m) being normalized, and add such variants explicitly if they matter to you
- Terms are matched as substrings of the normalized password, but rejection follows Microsoft's scoring rule: each matched banned term counts as one point, each remaining character counts as one point, and the password is rejected only when it scores fewer than five points. welkom therefore blocks Welkom01! (welkom + 0 + 1 + ! = 4 points) but not Welkom2025! (6 points). The custom list defends against short, predictable suffixes, not against every password that contains the term
Note: Terms configured via Risky passwords in Attic are merged with the baseline each time the fix runs. Any terms already present in Entra that your organization configured outside of Attic are also preserved — the fix merges rather than overwrites.
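The following is an added example (not Attic's or Microsoft's code) that models offline what the specifications above describe: validating and merging a custom banned password list under Microsoft's documented limits, the same merge-not-overwrite behaviour the fix performs, and Microsoft's documented evaluation of a candidate password (normalize, match banned terms as substrings, score). The substitution table, the greedy longest-match scan and the sample tenant list are assumptions; the global banned list is not reproduced, so only the custom list is consulted.

```python
"""Custom banned password list handling for Entra ID password protection.

Added example; not Attic's or Microsoft's code. Models offline:
  1. validating and merging a custom banned password list (4-16 characters
     per term, at most 1000 terms, case-insensitive, merge rather than overwrite)
  2. Microsoft's documented password evaluation: lower-case and substitute,
     find banned terms as substrings, then score (banned match = 1 point,
     any other character = 1 point, fewer than 5 points is rejected).
The global banned list is not reproduced; only the custom list is consulted.
"""

MIN_TERM_LEN, MAX_TERM_LEN, MAX_TERMS = 4, 16, 1000
MIN_ACCEPT_SCORE = 5  # Microsoft rejects passwords scoring fewer than 5 points

# Substitutions Microsoft's documentation lists; assumed to be the complete set here.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Attic's baseline terms exactly as listed on this page.
ATTIC_BASELINE = [
    "maandag", "dinsdag", "woensdag", "donderdag", "vrijdag", "zaterdag", "zondag",
    "lente", "zomer", "herfst", "winter",
    "januari", "februari", "maart", "april", "juni", "juli", "augustus",
    "september", "oktober", "november", "december",
    "wachtwoord", "welkom", "geheim",
    "stier", "tweelingen", "kreeft", "leeuw", "maagd", "weegschaal",
    "schorpioen", "boogschutter", "steenbok", "waterman", "vissen",
    "amsterdam", "rotterdam", "denhaag", "utrecht", "eindhoven", "groningen",
    "tilburg", "almere", "breda", "nijmegen", "arnhem", "haarlem", "enschede",
    "maastricht",
    "drenthe", "flevoland", "friesland", "gelderland", "limburg", "noordbrabant",
    "noordholland", "overijssel", "zeeland", "zuidholland",
]


def validate_term(term: str) -> str:
    """Return the term lower-cased, or raise ValueError if Entra would reject it."""
    term = term.strip().lower()
    if not MIN_TERM_LEN <= len(term) <= MAX_TERM_LEN:
        raise ValueError(f"{term!r}: terms must be {MIN_TERM_LEN}-{MAX_TERM_LEN} characters")
    return term


def is_valid_term(term: str) -> bool:
    try:
        validate_term(term)
        return True
    except ValueError:
        return False


def merge_banned_lists(*lists) -> list:
    """Merge case-insensitively, keep first-seen order, enforce the 1000-term cap."""
    merged, seen = [], set()
    for source in lists:
        for raw in source:
            term = validate_term(raw)
            if term not in seen:
                seen.add(term)
                merged.append(term)
    if len(merged) > MAX_TERMS:
        raise ValueError(f"{len(merged)} terms exceed Entra's limit of {MAX_TERMS}")
    return merged


def normalize(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password: str, banned: list) -> tuple:
    """Score as Microsoft documents it; returns (score, matched_terms).

    Greedy left-to-right scan preferring the longest banned term at each
    position (assumption: Microsoft does not document its tie-breaking).
    """
    text = normalize(password)
    terms = sorted(banned, key=len, reverse=True)
    i, score, matched = 0, 0, []
    while i < len(text):
        hit = next((t for t in terms if text.startswith(t, i)), None)
        if hit:
            matched.append(hit)
            i += len(hit)
        else:
            i += 1
        score += 1
    return score, matched


def is_accepted(password: str, banned: list) -> bool:
    return score_password(password, banned)[0] >= MIN_ACCEPT_SCORE


def missing_baseline_terms(current: list) -> list:
    """What the CHK-1147 Notice outcome reports: baseline terms absent from the tenant list."""
    present = {t.lower() for t in current}
    return [t for t in ATTIC_BASELINE if t not in present]


if __name__ == "__main__":
    # Constructed sample: terms already in the tenant plus org-specific Risky passwords input.
    tenant_existing = ["Contoso", "welkom"]
    org_terms = ["Keizersgracht", "contoso"]  # duplicate of an existing term, different case
    combined = merge_banned_lists(tenant_existing, org_terms, ATTIC_BASELINE)
    print(len(combined), "terms after merge;", len(missing_baseline_terms(tenant_existing)), "were missing")
    for pw in ["Welkom01!", "W@chtw00rd1", "Welkom2025!", "Zomer2025!"]:
        score, hits = score_password(pw, combined)
        print(f"{pw:13} score={score:2} matched={hits} accepted={is_accepted(pw, combined)}")
```

Running the sample shows the point of the scoring caveat: Welkom01! and W@chtw00rd1 are rejected, but Welkom2025! and Zomer2025! each score six points and are accepted even though their base terms are on the list. If you want such year-suffixed patterns blocked, a banned term alone will not do it; the remaining characters still earn enough points.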
Fix
An automated fix is available through Attic. The fix enables Password Protection and adds all missing baseline terms to the custom banned password list, preserving any terms your organization has already configured in Entra.
Manual steps:
- Navigate to the Microsoft Entra admin center at https://entra.microsoft.com (the former https://aad.portal.azure.com redirects there).
- Go to Protection, then Authentication methods.
- Click on Password protection.
- Set 'Enforce custom list' to Yes.
- Add your terms to the 'Custom banned password list' (each 4 to 16 characters, at most 1000 terms).
- Set 'Enable password protection on Windows Server Active Directory' to Yes. This setting only has effect once the Entra password protection proxy and DC agent are deployed on-premises; without them it changes nothing for on-premises password changes.
- Set mode to 'Enforced'. In Audit mode the on-premises agents only log passwords that would have been rejected, which is useful for a trial period but does not block anything.
- Click on Save.
Impact
The check has four possible outcomes:
- Okay: Password protection is enabled and all baseline terms are present.
- Warning: Password protection is not enabled.
- Notice: Password protection is enabled but some baseline terms are missing from the banned list.
- Info: Entra ID P1 or P2 license is required but not available.
If the output is a warning, no custom banned password list is being enforced at all and enabling this feature is strongly recommended. If the output is a notice, the feature is active but the Dutch baseline is incomplete; rerun the fix or add the missing terms manually.
More Information
For more details, refer to the CIS Microsoft 365 Foundations Benchmark.