Azure AD Password Protection competitor comparison Copy
How Azure AD Password Protection works
Azure AD Password Protection comes included in P1/P2 Azure AD plans. The name indicates that users are protected from using bad passwords, but that’s not the case. If an organization is serious about securing its Active Directory environment, whether on-prem or in the cloud, Azure AD built-in “protections” are not enough.
Azure AD Password Protection includes two lists to check user passwords against. Both are lacking, for different reasons.
The Global Banned Password List
Microsoft’s password scoring method: ”5 wrongs make a right”rnrn“Even if a user’s password contains a banned password, the password may still be accepted if the overall password is strong enough otherwise.”rnrnMicrosoft does not block the use of passwords found on its Global Banned Password List or a configured Custom Banned Password List. Instead, the use of a banned word is only one part of Microsoft’s formula for whether or not a new password will be accepted.rnrnTo pass Microsoft’s password filter, a user’s password must score 5 points. The use of a banned word is worth one point but that alone does not disqualify a password.rnrnStep 1: NormalizationrnrnFirst, the password entry is converted to all-lowercase. Microsoft states that common leetspeak character substitutions are also reversed; however, some common substitutions like €→e and 8→b are ignored.rnrnWith Character Substitution enabled, Specops Password Policy blocks common leetspeak characters including the following which Microsoft ignores. rnrn4 = a; € = e; 6 = g; 7 = t; 8 = b; 9 = g; § = srnrnStep 2: Fuzzy match check rnrnThe normalized entry is checked against the banned lists for exact matches +/- 1 character difference.rnrnStep 3: Substring match check rnrnThe normalized entry is also checked against the user’s first name, last name and tenant name; however, partial matches like Jeff for Jeffrey are ignored.rnrnSpecops Password Policy can block the full or partial use of a user’s first or last name. rnrnStep 4: Final scoring rnrnIf the normalized entry makes it past the previous checks, Microsoft gives it a score. One point is given for: each exact match to a word on the global banned list; each exact match to a word on the custom banned list; each remaining unique character.rnrnThe entry must pass all of the above checks and reach a score of 5 to be accepted.rnrnExample scoring:rnMicr0soft1! [microsoft] +  + [!] = 3 → RejectedrnMicr0soft124! [microsoft] +  +  +  + [!] = 5 → AcceptedrnrnMeaning, Microsoft will accept passwords containing dictionary words and known leaked passwords.
The “Global Banned Password List” is not a list of leaked passwords and does not fulfill compliance recommendations for a blacklist.rnrnUnlike Specops Password Policy’s Blacklist, the Global Banned Password List does not include third-party data like that of Have I Been Pwned (HIBP) or other known breached password lists. Microsoft instead relies solely on its own analysis of what passwords are being used in various Azure AD environments. Microsoft does not disclose any of the contents of its list.rnrnRegulatory recommendations like that of NIST or NCSC include using a list of known breached passwords. The Specops Password Policy Blacklist fulfills this recommendation. rnrnMicrosoft does not state the number of passwords on the list. They do mention it is small compared to other third-party lists but that with fuzzy matching it can block millions of password variations of the words on their smaller banned list.rnrnSpecops Password Policy’s Blacklist Complete is a larger banned password list, currently at over 2 billion passwords.
More than just security issues, user experience is lacking
The inherent complexity of Azure AD’s Password Protection scoringrnrnThe password scoring used in the Azure AD Password Protection is complicated, and IT admin logs will tell you a password was rejected because it was found on the global or custom banned list but not tell you which.rnrnThis lack of transparency on rules for what is required means that the IT service desk will struggle to successfully identify issues users are having with setting passwords.rnrnWith Specops Password Policy, IT admin logs identify on which password list a rejected password entry was found.
Lack of custom password rejection messagingrnrnAzure AD Password Protection has no control over the specific error message displayed by the client machine when a weak password is rejected. Azure AD does not permit admins to customize the standard Windows error messages users see upon password rejection.rnrnThis is the only message users will see no matter the reason their password was rejected when changing or resetting their password on their machines.rnrnThis vague messaging is not likely to make it clear to the user what they need to change about their password in order to for it to be accepted.
With Specops Password Policy, you can customize the messages users see, with options to display the found dictionary word or the rules the user has passed and still needs to pass.
What we recommend
You don’t need to abandon Azure AD or O365 to implement stronger password policies or to block users from using leaked passwords.rnrnYou can instead set up Specops Password Policy and Blacklist to enforce these policies in your on-prem environment + utilize a federation solution or Azure AD password write-back to enforce those policies for your users across environments.