Step-by-Step Guide: Setting Up a Banned Password List in Azure


Recently, a customer raised a ticket asking us to implement a banned password list. In this guide, I’ll walk you through how we successfully tackled this request and configured it in Entra ID.

Enforcing strong password policies in Entra ID is crucial for improving organisational security. One effective method is implementing a custom banned password list to prevent users from selecting weak or predictable passwords. Here’s how to set this up step-by-step:


Prerequisites

Before starting, ensure you have the following:

  1. Entra ID Premium P1 or P2 licence

    • The custom banned password list feature is available only in Entra ID Premium editions.

  2. Administrator permissions

    • You need Global Administrator or Privileged Role Administrator rights in Entra ID to configure password policies.


Step 1: Access the Azure Entra ID portal
  1. Navigate to the Azure Portal.

  2. Sign in with your Global Administrator account.


Step 2: Enable Custom Banned Passwords
  1. In the Search bar, type in Microsoft Entra Password Protection.

  2. Under the Custom banned passwords section in the Password protection settings, toggle Enforce custom list to "Yes."


Step 3: Define Your Custom Banned Password List
  1. Stay on the same Password protection page.

  2. Add the list of passwords you wish to ban. For example:

    password123
    welcome2025
    admin@123
    companyname
    summer2025
    • Include variations of common words (e.g., "Password" -> "P@ssword", "Passw0rd").

    • Ban commonly used terms or patterns specific to your organisation (e.g., department names or internal jargon).

    • Regularly update the list to reflect evolving security needs.

    • Each password should be on a separate line.

  3. Click Save to apply the list.


Step 4: Configure Password Protection Settings
  1. Still in the Password protection page, review the Enforce custom list option.

  2. Adjust the smart lockout settings (lockout threshold and lockout duration) if necessary.

    • Lockout threshold: The number of failed password attempts before the account is locked.

    • Lockout duration in seconds: The time frame during which the account will be locked.

  3. Save your changes.


Step 5: Set Up On-Premises Agents

If you have a hybrid environment, you need to configure on-premises agents to extend the banned password policy to on-premises Active Directory.

  1. Download the Entra ID Password Protection Proxy and DC Agent installers.

  2. Install the Proxy Agent:

    • Run the installer on a dedicated server in your on-premises environment.

    • Follow the installation wizard, and register the agent with your Entra ID tenant.

  3. Install the DC Agent:

    • Run the installer on each Domain Controller in your environment.

    • Follow the installation wizard and restart the DC if prompted.

  4. Verify the Configuration:

    • Use the PowerShell cmdlet Register-AzureADPasswordProtectionProxy to ensure the proxy agent is registered. For detailed usage, you can refer to the official Microsoft documentation or run the cmdlet as follows:

    Register-AzureADPasswordProtectionProxy -AccountUpn 'yourglobaladmin@yourtenant.onmicrosoft.com' -AuthenticateUsingDeviceCode

    • Check the event logs on your Domain Controllers to confirm the agents are functioning correctly.


Step 6: Test the Configuration

To verify the custom banned password list:

  1. Try changing a user’s password to one of the banned passwords in the list.

  2. Ensure the system blocks the attempt and prompts the user to choose a different password.
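As an added example (not code from this post or from Microsoft), here is a Python model of the evaluation Microsoft documents for Entra Password Protection: lower-casing, undoing the 0/1/$/@ substitutions, matching banned words at an edit distance of one, and requiring a score of at least five points. It lets you check, when building the list in Step 3 and when testing in Step 6, which variants of an entry such as summer2025 the list will actually catch; the global banned list and the user/tenant-name checks are not modelled.

```python
"""Model of Entra Password Protection's documented check (normalise, match
banned words, score). Added example, not Microsoft code; global list omitted."""
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

def normalise(password: str) -> str:
    """Lower-case and undo the 0/1/$/@ substitutions, as Entra does."""
    return password.lower().translate(SUBSTITUTIONS)

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)  # skip the extra char on the longer side,
        j += len(b) >= len(a)  # or one char on each side if equal length
    return edits + (len(a) - i) + (len(b) - j) <= 1

def match_at(text: str, pos: int, banned: list[str]) -> int:
    """Span of a banned word starting at pos (exact, else edit distance one), or 0."""
    exact = fuzzy = 0
    for word in banned:
        if text.startswith(word, pos):
            exact = max(exact, len(word))
            continue
        for span in (len(word), len(word) - 1):
            if (span > fuzzy and pos + span <= len(text)
                    and within_one_edit(text[pos:pos + span], word)):
                fuzzy = span
    return exact or fuzzy

def score(password: str, custom_list: list[str]) -> int:
    """One point per matched banned word, one per every other character."""
    text = normalise(password)
    # custom entries must be 4-16 characters (Microsoft's documented limit)
    banned = [normalise(w) for w in custom_list if 4 <= len(w) <= 16]
    points = pos = 0
    while pos < len(text):
        points += 1
        pos += match_at(text, pos, banned) or 1
    return points

def is_blocked(password: str, custom_list: list[str]) -> bool:
    return score(password, custom_list) < 5  # Entra requires five or more
```

Note that the normaliser turns "1" into "l", so the list entry password123 and a user's P@ssw0rd123 both become passwordl23 and match exactly.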


Step 7: Communicate the Change

Inform your users about the new password policy to minimise confusion. Consider using multiple communication channels, such as:

  • Including visuals, such as screenshots or infographics, in emails or presentations to make the message more engaging.

  • Adding step-by-step guides in emails or on the intranet to help users easily understand the changes and how to comply with them.

  • Sending an email with an explanation of the changes, examples of strong passwords, and links to password management resources.

  • Hosting a brief training session or webinar to discuss the importance of strong passwords and demonstrate how the policy works.

  • Creating a simple FAQ document or internal knowledge base article to address common questions.

Include the following in your communication:

  1. Why strong passwords are essential.

  2. Examples of unacceptable passwords.

  3. Tips for creating strong, unique passwords.


Step 8: Monitor and Maintain
  1. Periodically review the banned password list to ensure it stays relevant. A quarterly or annual review is recommended to keep up with evolving security threats. For instance, monitor security blogs, threat intelligence feeds, or reports from your cybersecurity team to identify emerging trends and patterns that might inform updates to the list.

  2. Use Entra ID reports to monitor password reset activity and compliance.

  3. Update the list as needed to address new security threats or patterns.


Conclusion

By setting up a custom banned password list in Entra ID, you enhance your organisation’s defence against common password attacks. This simple yet powerful feature helps enforce robust password hygiene across your environment.

Stay proactive in managing and updating your policies to keep your organisation secure. For more Azure tips and tutorials, check out our other posts!


Author: João Paulo Costa

Microsoft MVP, MCT, MCSA, MCITP, MCTS, MS, Azure Solutions Architect, Azure Administrator, Azure Network Engineer, Azure Fundamentals, Microsoft 365 Enterprise Administrator Expert, Microsoft 365 Messaging Administrator, ITIL v3.
