Are you familiar with Azure Active Directory? Azure AD is Microsoft's fully managed, multi-tenant identity and access management service for applications and users. Although "Azure" has become synonymous with the cloud, Azure AD Password Protection is not cloud-only: the same password policy can be enforced in the cloud AND extended to your on-premises Windows Server Active Directory environment.
For years, administrators and security professionals have been asking for a reliable way to ban specific passwords, and Microsoft has delivered. Microsoft has taken the concept of password protection to the next level with big data and machine learning, allowing IT administrators to add restrictions and protections around which passwords are acceptable. Simple passwords with minor character substitutions are often used to satisfy password complexity requirements (e.g. "P@ssw0rd!"); complexity rules alone do not catch them, but the new password protection feature closes this common gap by rejecting such passwords outright.
Global Banned Password List
The global banned password list is the key feature that sets the Azure AD Password Protection solution apart. Microsoft's security teams leverage billions of data points across hundreds of millions of accounts to feed their identity and machine learning engines with the most commonly compromised passwords. The list is updated continuously, but for obvious reasons the exact means of its creation is not made public, and administrators cannot view or edit it.
Custom Banned Password List
The custom banned password list is the one that you, as the administrator, control. We encourage you to add terms reflective of your organization, such as organizational and product names, vertical-specific terms, and other words that could be guessed from your organization's public information. Understanding how new passwords are evaluated (the four steps below) shows why a short list goes a long way: each term is compared against millions of variations, so you do not need to enumerate every case or character substitution yourself.
Microsoft uses a 4-step process to identify whether a password is secure enough to be used:
Step 1 – Normalization
First, all uppercase letters are changed to lowercase. Second, common character substitutions are reversed so that "leet-speak" variants collapse back to the plain word.
For example:

| Original character | Substituted character |
| --- | --- |
| '0' | 'o' |
| '1' | 'l' |
| '$' | 's' |
| '@' | 'a' |
Step 2 – Fuzzy Matching
A fuzzy matching algorithm is used to determine whether the normalized password contains an entry from either the global or the custom banned list. This identifies both direct matches and matches within one modification (an edit distance of 1: one character inserted, deleted, or substituted). Example: assume the password "abcdef" is banned and a user tries to change their password to one of the following:

- 'abcdeg' (last character changed from f to g)
- 'abcdefg' (g appended to the end)
- 'abcde' (trailing f deleted from the end)

None of these variations directly matches the banned password "abcdef". However, since all three are within an edit distance of 1 from "abcdef", they are all considered a match to "abcdef".
Step 3 – Substring Matching
The normalized password is checked to make sure the user's first and last name are not present. When the check is performed in the cloud it also verifies that the tenant name is not present (tenant-name matching is not done when the password is validated by the on-premises domain controller agent in a hybrid deployment).
Example: User John Doe wants to reset his password to "J0hn123fb." After normalization, this password becomes "john123fb." The substring matching finds that the password contains the user's first name "john." Even though "J0hn123fb" was not on either banned password list, the substring check found "john" in it, so the password is rejected.
Step 4 – Score Calculation
The final step is to score the password and decide whether to accept or reject it. The score is computed with the following point system:
- Each banned password that is found in a user's password is given one point.
- Each remaining unique character (one that is not part of a banned password; repeats of the same character do not add points) is given one point.
- A password must receive at least 5 points to be accepted.
Examples
In the next two examples, let's assume that Contoso is using Azure AD Password Protection and has "contoso" on their custom list. Let's also assume that "blank" is on the global list. Example: a user changes their password to "C0ntos0Blank12".
After normalization, this password becomes "contosoblank12" (strictly, the substitution table above also turns the '1' into 'l', giving "contosoblankl2"; the score is the same either way). The matching process finds that this password contains two banned passwords: contoso and blank. This password is then given a score:

[contoso] + [blank] + [1] + [2] = 4 points

Since this password scores under 5 points, it is rejected.
Example: a user changes their password to "ContoS0Bl@nkf9!". After normalization, this password becomes "contosoblankf9!". The matching process finds that this password contains two banned passwords: contoso and blank. This password is then given a score:

[contoso] + [blank] + [f] + [9] + [!] = 5 points

Since this password scores at least 5 points, it is accepted. Note that the difference between the rejected and the accepted password is just three unique characters that are not part of any banned term; a practitioner should still treat a score of exactly 5 as the floor, not as a strong password.
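The four steps above are easiest to reason about as code. The following is an added reference model written for this article, not Microsoft's implementation: Microsoft does not publish the exact matching order, so the greedy longest-term-first matching, the treatment of banned terms as normalized substrings, and the minimum name length (`MIN_NAME_LENGTH`) are assumptions chosen to reproduce the worked examples on this page. The sample banned lists and user names are constructed for the example.

```python
"""Reference model of the four-step Azure AD Password Protection evaluation:
normalize -> fuzzy match -> substring match -> score.  Added illustration,
not Microsoft's code; matching order and MIN_NAME_LENGTH are assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Character substitutions from the normalization table on this page.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5          # page: at least 5 points to be accepted
MIN_NAME_LENGTH = 4    # assumption: very short names are not checked


def normalize(password: str) -> str:
    """Step 1: fold to lowercase, then undo the common substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """True if the Levenshtein distance between a and b is at most 1."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):                       # exactly one substitution
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0                                      # one insertion / deletion
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def find_banned_terms(normalized: str, banned: set[str]) -> list[tuple[int, int, str]]:
    """Step 2: locate banned terms inside the normalized password, allowing an
    edit distance of 1.  Exact-width windows are tried first so an exact hit
    is never consumed by a one-edit variant.  Returns non-overlapping
    (start, end, term) spans; longest-term-first order is an assumption."""
    matches: list[tuple[int, int, str]] = []
    used = [False] * len(normalized)
    for term in sorted(banned, key=len, reverse=True):
        # window widths: exact, then one longer (insertion), one shorter (deletion)
        for width in (len(term), len(term) + 1, len(term) - 1):
            if width <= 0:
                continue
            for start in range(len(normalized) - width + 1):
                end = start + width
                if any(used[start:end]):
                    continue
                if within_one_edit(normalized[start:end], term):
                    matches.append((start, end, term))
                    for k in range(start, end):
                        used[k] = True
    return sorted(matches)


@dataclass
class Verdict:
    normalized: str
    banned_found: list[str]
    score: int
    accepted: bool
    reason: str


def evaluate(password: str, banned: set[str], first_name: str = "",
             last_name: str = "", tenant_name: str | None = None) -> Verdict:
    """Run all four steps.  Pass tenant_name=None to model the on-premises
    DC agent, where the tenant-name check is skipped."""
    normalized = normalize(password)
    # Step 3: substring matching on user and tenant names.
    for label, name in (("first name", first_name), ("last name", last_name),
                        ("tenant name", tenant_name)):
        if name and len(name) >= MIN_NAME_LENGTH and name.lower() in normalized:
            return Verdict(normalized, [], 0, False, f"contains {label} '{name}'")
    # Steps 2 and 4: banned-term matching and scoring.  Banned terms are
    # normalized too (assumption) so list entries need not be lowercase.
    matches = find_banned_terms(normalized, {normalize(t) for t in banned})
    consumed = {i for s, e, _ in matches for i in range(s, e)}
    remaining = {c for i, c in enumerate(normalized) if i not in consumed}
    score = len(matches) + len(remaining)          # one point per term, per unique leftover char
    accepted = score >= MIN_SCORE
    reason = f"{len(matches)} banned term(s) + {len(remaining)} unique char(s) = {score}"
    return Verdict(normalized, [t for _, _, t in matches], score, accepted, reason)


if __name__ == "__main__":
    lists = {"contoso", "blank"}                   # constructed custom + global entries
    for pw in ("C0ntos0Blank12", "ContoS0Bl@nkf9!"):
        v = evaluate(pw, lists)
        print(pw, "->", v.normalized, v.banned_found, v.score, "accepted" if v.accepted else "rejected")
    print(evaluate("J0hn123fb", lists, first_name="John", last_name="Doe"))
```

Running the script reproduces the two scores from the examples (4 rejected, 5 accepted) and the "john" substring rejection; the real service may differ in how it resolves overlapping matches, so use the model to reason about policy, not as a drop-in validator.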
The last consideration is licensing. The following table lists Microsoft's licensing requirements for this solution:

| | Azure AD password protection with global banned password list | Azure AD password protection with custom banned password list |
| --- | --- | --- |
| Cloud-only users | Azure AD Free | Azure AD Premium P1 or P2 |
| Users synchronized from on-premises Windows Server Active Directory | Azure AD Premium P1 or P2 | Azure AD Premium P1 or P2 |
If you are interested in learning more about Azure AD, please reach out to speak directly with our Azure AD experts: info@fit-prod-web01.azurewebsites.net.
Additional Resource: Azure Active Directory
The following link provides more details on the solution: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad