P@ssw0rd is not a good Password

by | Mar 14, 2022 | Security

Let’s face it, we use personal identification numbers (PINs), passwords, and passphrases for everyday life: grabbing some cash at the ATM, online shopping, and of course logging into the domain at work. As frustrating as it can be to maintain all of these passwords, we understand that they exist so that we can protect ourselves personally and our organization at work. As IT professionals – you and I both know that end-users are selecting weak passwords.


How can we ensure that our end-users select strong passwords?

The Basics

We try to educate users that they should not use the same password in multiple places and tell them not to use a dictionary word. IT Administrators enforce length and complexity, yet P@ssw0rd would pass those checks and is easily compromised by a password spray attack. Password spraying is an attack where a malicious actor attempts to access a large number of accounts (usernames) with commonly used passwords.

There must be a way to ensure that the user selects a strong password.


Azure Active Directory Password Protection is available for both cloud and hybrid environments and prevents users from selecting weak passwords.

Azure AD Password Protection detects and blocks weak passwords by utilizing Microsoft’s global banned password list. The list is based on an analysis of the billions of passwords that are used to log in to Microsoft services and the resulting telemetry data of common/weak passwords. Additionally, the Administrator can add customized words to the banned list for your organization. These custom lists often contain common items such as:

  • Company name, Company Acronym, Branding or Product names
  • Company addresses, locations
  • Local sports teams or local jargon

The custom list is combined with the global banned list and when a user selects a password, it is validated against these lists enforcing a stronger password selection.

Azure AD Password Protection is a supplement to your existing on-premises Active Directory Domain Services (AD DS) password policies, not a replacement. It is important to note that despite the fact that Microsoft branded this with “Azure,” you can implement these features and integrate them with your on-premises environment. Aside from a bit of user education that can be communicated as part of security awareness, there is minimal impact to the user. They won’t feel the enforcement of the new policy until their password change cycle. Of course, Peters & Associates can assist with the implementation. At a high level, the proxy service and agents are installed within the on-premises environment with an agent on each Domain Controller (DC).

License requirements

Azure AD Password Protection with custom banned password list for cloud and on-premises synchronization from AD DS requires Azure AD Premium P1 or P2. Cloud-only environments can use the Azure AD Password Protection with a global banned password list with no customization for free.

If your organization already owns Azure AD Premium P1 or P2 to support your MFA implementation or as part of your M365 bundle, we encourage you to maximize your licensing investment by implementing Azure AD Password Protection. Please contact us at info@peters.com if you’d like assistance with the implementation of this technology or have any questions about the many identities and access management benefits of Azure AD Premium.