Enabling Password Protection in EntraID [CHK-1147]

This check verifies whether password protection is enabled and correctly configured in EntraID. It also checks whether the expected custom passwords are present on the banned password list.

Rationale

Blocking known insecure passwords is crucial for maintaining secure systems. Microsoft's Password Protection feature assists with this by rejecting any password on the banned list whenever a password change is attempted. This check aligns with the CIS M365 1.1.5 benchmark, which recommends enabling password protection for EntraID.

Fix

An automated fix is available through Attic.

Manual steps:

  1. Navigate to Microsoft Azure Admin Center at https://aad.portal.azure.com
  2. Click on Authentication Methods.
  3. Click on Password Protection.
  4. Set 'Enforce custom list' to Yes.
  5. Add passwords to the 'Custom banned password list'.
  6. Set 'Enable password protection on Windows Server Active Directory' to Yes.
  7. Set mode to 'Enforced'.
  8. Click on Save.
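The settings the steps above configure are exposed through Microsoft Graph as the tenant's "Password Rule Settings" group setting. The following is an added example (not Attic's or Microsoft's code) that evaluates such a response against the three outcomes listed under Impact; the value names, the "True"/"False" and "Enforce"/"Audit" string values and the tab-separated banned list are assumptions about the Graph format, and the sample response is constructed.

```python
# Added example: map a Graph GET /groupSettings response to Okay / Warning / Notice.
# Assumptions: the object is named "Password Rule Settings", booleans arrive as the
# strings "True"/"False", the on-premises mode is "Enforce" or "Audit", and
# BannedPasswordList is a tab-separated string. Sample data below is constructed.
import json

OKAY, WARNING, NOTICE = "Okay", "Warning", "Notice"


def find_password_settings(group_settings):
    """Return the 'Password Rule Settings' values as a dict, or None if absent."""
    for setting in group_settings.get("value", []):
        if setting.get("displayName") == "Password Rule Settings":
            return {v["name"]: v["value"] for v in setting.get("values", [])}
    return None


def evaluate_password_protection(group_settings, required_banned):
    """Return (outcome, problems); required_banned is matched case-insensitively."""
    values = find_password_settings(group_settings)
    if values is None:  # Notice: the feature is not available or never configured
        return NOTICE, ["Password Rule Settings not present in tenant"]
    problems = []
    if values.get("EnableBannedPasswordCheck", "False") != "True":
        problems.append("custom banned password list is not enforced")
    if values.get("EnableBannedPasswordCheckOnPremises", "False") != "True":
        problems.append("password protection is not enabled for on-premises AD")
    if values.get("BannedPasswordCheckOnPremisesMode") != "Enforce":
        problems.append("on-premises mode is not Enforce")
    banned = {p.lower() for p in values.get("BannedPasswordList", "").split("\t") if p}
    missing = sorted(p for p in required_banned if p.lower() not in banned)
    if missing:
        problems.append("missing banned passwords: " + ", ".join(missing))
    return (WARNING, problems) if problems else (OKAY, [])


# Constructed sample: list enforced, but on-premises still in Audit mode
SAMPLE_RESPONSE = json.loads("""{"value": [{"displayName": "Password Rule Settings",
  "values": [{"name": "EnableBannedPasswordCheck", "value": "True"},
             {"name": "EnableBannedPasswordCheckOnPremises", "value": "True"},
             {"name": "BannedPasswordCheckOnPremisesMode", "value": "Audit"},
             {"name": "BannedPasswordList", "value": "Contoso\\tWinter2024"}]}]}""")

if __name__ == "__main__":
    print(evaluate_password_protection(SAMPLE_RESPONSE, ["contoso", "Summer2024"]))
```

Running the sample reports a Warning naming both the Audit mode and the missing "Summer2024" entry; a tenant with no Password Rule Settings object yields a Notice.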

Impact

The check has the following possible outcomes:

  • Okay: Password protection is enabled and correctly configured.
  • Warning: Password protection is not enabled or does not include (all) banned passwords.
  • Notice: Functionality is not (fully) available.

If the output is a warning, enabling this feature is recommended.

More Information

For more details, refer to the CIS Microsoft 365 Foundations Benchmark.