Troubleshooting tips for Azure AD banned password list
(Last updated on September 13, 2021)
Not all implementations of Azure AD password protection go smoothly. This blog explores some quirks with the banned password lists, and offers remediation tips related to them.
Understanding the Scoring System
Many teams get tripped up when establishing their password policies in Azure AD. While the banned password list contains terms you might expect to be banned outright, there is some grey area: Azure AD uses a scoring system for each candidate password, and a password must score 5 or higher to be accepted. The score is tallied using the following criteria:
- How many unique characters a password candidate contains.
- Whether or not it contains (wholly or partially) terms from either the custom or the global banned password list.
- Whether the password is still acceptable once normalization (common character substitutions) has been applied.
- The “edit distance” of added or deleted characters, which assesses how close the altered password is to the original (banned) term. This prevents users from simply dropping a letter from a banned term, or tacking one onto it, in the hope of passing.
Users might be surprised when their passwords are rejected. For example, a substring match might flag a problematic term within a password (like someone’s name) and reject it, even though the complete password isn’t banned. Also, users can’t simply alter a banned password by adding or dropping a single character. Consequently, if abcdef is banned, AD will reject variations like abcdefg or 1abcdef. Something like abc1def would be acceptable, however.
The password loophole
Interestingly, AD awards a password one point for each banned word detected, thus pushing that password’s score closer to 5.
That seems counterintuitive: why should AD reward users for including a banned term? The idea is that wasted (banned) character strings within a potential password still contribute to overall password complexity.
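To make the scoring concrete, here is a small model of the evaluation described in the two sections above. It is an added example written for this post, not Microsoft's code: the substitution table, the two banned lists, the MIN_FUZZY_LEN guard and the fuzzy-match rule (a banned term, or that term with one character dropped, found anywhere in the normalized password) are assumptions chosen to reproduce the behaviour described here, and Microsoft's real matcher may be broader. The constructed candidates include the abcdef variations from the text plus a few that show the one-point-per-banned-word rule in action.

```python
# Added illustration of the Azure AD banned-password scoring described above.
# Constructed model, not Microsoft's code: the substitution table, the banned
# lists and the fuzzy-match rule are assumptions chosen to match the behaviour
# the post describes (substring match on the normalized password, one-character
# edits, 1 point per banned match, 1 point per remaining unique character,
# accepted at a score of 5 or more).

MIN_SCORE = 5          # threshold stated in the post
MIN_FUZZY_LEN = 5      # assumption: derive one-character deletions only from longer terms

# Assumed normalization table (leetspeak-style substitutions undone before matching).
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "!": "i",
})

# Constructed sample lists; a real tenant uses Microsoft's global list plus its own custom terms.
GLOBAL_BANNED = {"password", "abcdef", "letmein"}
CUSTOM_BANNED = {"contoso", "fabrikam"}


def normalize(candidate: str) -> str:
    """Lower-case the candidate and undo common character substitutions."""
    return candidate.lower().translate(SUBSTITUTIONS)


def fuzzy_variants(term: str) -> set[str]:
    """The banned term itself plus every version of it with one character dropped.
    Characters tacked onto either end are already caught by substring matching."""
    variants = {term}
    if len(term) >= MIN_FUZZY_LEN:
        variants |= {term[:i] + term[i + 1:] for i in range(len(term))}
    return variants


def find_banned_matches(normalized: str, banned_terms) -> list[tuple[int, int, str]]:
    """Greedy left-to-right scan; at each offset take the longest banned variant found there.
    Returns (start, end, banned_term) spans."""
    matches = []
    i = 0
    while i < len(normalized):
        best = None
        for term in sorted(banned_terms):
            for variant in fuzzy_variants(term):
                if normalized.startswith(variant, i) and (best is None or len(variant) > len(best[1])):
                    best = (term, variant)
        if best is None:
            i += 1
        else:
            matches.append((i, i + len(best[1]), best[0]))
            i += len(best[1])
    return matches


def score_password(candidate: str, banned_terms=None) -> dict:
    """Score a candidate the way the post describes and decide whether it is accepted."""
    if banned_terms is None:
        banned_terms = GLOBAL_BANNED | CUSTOM_BANNED
    normalized = normalize(candidate)
    matches = find_banned_matches(normalized, banned_terms)
    # Each banned match is worth a single point; strip it so its letters are not counted again.
    remaining = normalized
    for start, end, _ in reversed(matches):
        remaining = remaining[:start] + remaining[end:]
    score = len(matches) + len(set(remaining))
    return {
        "normalized": normalized,
        "matches": [term for _, _, term in matches],
        "score": score,
        "accepted": score >= MIN_SCORE,
    }


if __name__ == "__main__":
    # Constructed candidates covering the cases discussed in the post.
    for candidate in ["abcdefg", "1abcdef", "abc1def", "abcde",
                      "Contoso1", "ContosoBlank12", "P@ssw0rd123!", "passwordletmein"]:
        result = score_password(candidate)
        verdict = "accepted" if result["accepted"] else "rejected"
        print(f"{candidate:16} -> {result['normalized']:16} matches={result['matches']} "
              f"score={result['score']} {verdict}")
```

Running it shows why abcdefg and 1abcdef fail (one point for the banned match plus one remaining character) while abc1def passes (no match, seven unique characters), and why P@ssw0rd123! scrapes through at exactly 5: the banned word contributes its single point and the four leftover characters supply the rest, which is the loophole the previous section describes.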
My banned password lists aren’t updating
When it comes to Azure AD banned passwords, different rules are at play depending on your deployment. Even when you create a new custom list, or make changes to an existing list, those changes may not push automatically. For example, a user could create a password using a banned word even though that word was just added.
While changes to global lists are pushed automatically in Azure AD, custom-list changes aren’t for those running hybrid services. Domain controller (DC) agents add another layer of complexity. Microsoft warns that lists and algorithms aren’t updated until the DC agent software is. DCs must be rebooted for any changes to apply.
Thankfully, understanding this process means you’ll know what to expect when working with banned password lists. Changes can take several hours to post. Those using native AD tooling might want to schedule these updates to lessen the impact on admins and services. Periodic updates to custom lists can also make changes less painful.
Using a third-party solution
Azure and many existing external tools don’t provide great user feedback. For example, password rejections generate a generic error message for users. Azure AD admins cannot customize these alerts.
Third-party tools like Specops Password Policy give admins greater control over user feedback. The feedback shown to users can include:
- The flagged word that’s banned in a given dictionary, so users don’t include it moving forward
- The rules users have already satisfied
- The rules users must still follow to make their password compliant
Specops Password Policy works well in concert with Specops Breached Password Protection. The latter arose because Microsoft’s global list doesn’t include leaked passwords. Breached Password Protection pulls third-party data into the mix; this information originates from leaked password databases maintained by services like Have I Been Pwned. Instead of relying on Microsoft’s own analysis, you can broaden your horizons.
Specops Password Policy can target any GPO level, group, computer, or user with complexity and passphrase settings. Custom dictionaries and breached lists are automatically updated and applied. Finally, lists may be stored locally or in the cloud. Specops is accommodating to your environmental setup, and helps alleviate many common problems that Azure AD users face.