Troubleshooting tips for Azure AD banned password list
Not all implementations of Azure AD password protection go smoothly. This blog explores some quirks with the banned password lists, and offers remediation tips related to them.
Understanding the Scoring System
Many teams get tripped up when establishing their password policies in Azure AD and for good reason. First, there are two banned password lists. One is the Global Banned Password List, which is not a list of leaked passwords and does not fulfill compliance recommendations for a password deny list. Instead, it relies solely on Microsoft’s own analysis of what is being used in various Azure AD environments. The other is the Custom Banned Password list, which is Microsoft’s competitive offering to Specops Password Policy’s custom dictionary lists.
While the banned password list contains terms, you might believe to be banned, there’s some grey area. AD uses a scoring system for each created password. Each password must score 5 or higher to gain acceptance. This scoring is tallied using the following criteria:
- How many unique characters a password candidate contains.
- Whether or not they contain (wholly or partially) terms from either custom or global banned passwords lists.
- Whether a password is viable even after normalization (via character substitution) is complete.
- The “edit distance” of added or deleted characters, which assesses how close those changes are in relation to the original (or banned) password. This prevents users from simply dropping a letter or tacking one onto a banned term, in hopes of passing.
Users might be surprised when their passwords are rejected. For example, a substring match might flag a problematic term within a password (like someone’s name), and reject it, even though the complete password isn’t banned. Also, users can’t simply alter a banned password by adding or dropping a single character. Consequently, if abcdef is banned, AD will reject variations like abcdefg, or 1abcdef. Something like abc1def would be acceptable, however.
The password loophole
Interestingly, AD awards passwords a point for each banned word detected, thus pushing that password’s score closer to 5.
That seems counterintuitive. After all, why should AD reward users for including a banned term? The idea is that wasted (banned) character strings within a potential password still contribute to overall password complexity.
Banned password lists aren’t updating
When it comes to Azure AD banned passwords, some different rules are at play depending on your deployment. When you first create the custom list, or make changes to the list already in play, these changes may not push automatically. For example, a user could create a password using a banned word, even though that word was just added. Changes to global lists are pushed automatically in Azure AD, but it can take a few minutes.
Using a third-party solution
Azure AD and many existing external tools don’t provide great user feedback. For example, password rejections generate a generic error message for users. Azure AD admins cannot customize these alerts.
Third-party tools like Specops Password Policy give admins greater control over user feedback.
- The flagged word that’s banned in a given dictionary, so users don’t include it moving forward
- The rules users have satisfied
- The rules users must still follow to make their password compliant
With Specops Password Policy and Breached Password Protection used in concert, companies can block over 3 billion compromised passwords in Active Directory. These compromised passwords include ones used in real attacks today or are on known breached password lists, making it easy to comply with industry regulations such as NIST or NCSC. Our research team’s attack monitoring data collection systems update the service daily and ensure networks are protected from real world password attacks happening right now. The Breached Password Protection service blocks these banned passwords in Active Directory with customizable end-user messaging that helps reduce calls to the service desk.
Specops Password Policy can target any GPO level, group, computer, or user with complexity and passphrase settings. Custom dictionaries and breached lists are automatically updated and applied. Finally, lists may be stored locally or in the cloud. Specops is accommodating to your environmental setup, and helps alleviate many common problems that Azure AD users face.
(Last updated on July 26, 2022)