How Azure AD Password Protection works
Azure AD Password Protection comes included in P1/P2 Azure AD plans. The name indicates that users are protected from using bad passwords, but that’s not the case. If an organization is serious about securing its Active Directory environment, whether on-prem or in the cloud, Azure AD built-in “protections” are not enough.
Azure AD Password Protection includes two lists to check user passwords against. Both are lacking, for different reasons.
The Global Banned Password List
Microsoft’s password scoring method: ”5 wrongs make a right”
“Even if a user’s password contains a banned password, the password may still be accepted if the overall password is strong enough otherwise.”
Microsoft does not block the use of passwords found on its Global Banned Password List or a configured Custom Banned Password List. Instead, the use of a banned word is only one part of Microsoft’s formula for whether or not a new password will be accepted.
To pass Microsoft’s password filter, a user’s password must score 5 points. The use of a banned word is worth one point but that alone does not disqualify a password.
Step 1: Normalization
First, the password entry is converted to all-lowercase. Microsoft states that common leetspeak character substitutions are also reversed; however, some common substitutions like €→e and 8→b are ignored.
With Character Substitution enabled, Specops Password Policy blocks common leetspeak characters including the following which Microsoft ignores.
4 = a; € = e; 6 = g; 7 = t; 8 = b; 9 = g; § = s
Step 2: Fuzzy match check
The normalized entry is checked against the banned lists for exact matches +/- 1 character difference.
Step 3: Substring match check
The normalized entry is also checked against the user’s first name, last name and tenant name; however, partial matches like Jeff for Jeffrey are ignored.
Specops Password Policy can block the full or partial use of a user’s first or last name.
Step 4: Final scoring
If the normalized entry makes it past the previous checks, Microsoft gives it a score. One point is given for: each exact match to a word on the global banned list; each exact match to a word on the custom banned list; each remaining unique character.
The entry must pass all of the above checks and reach a score of 5 to be accepted.
Micr0soft1! [microsoft] +  + [!] = 3 → Rejected
Micr0soft124! [microsoft] +  +  +  + [!] = 5 → Accepted
Meaning, Microsoft will accept passwords containing dictionary words and known leaked passwords.
The “Global Banned Password List” is not a list of leaked passwords and does not fulfill compliance recommendations for a password deny list.
Unlike Specops Password Policy’s Breached Password Protection, the Global Banned Password List does not include third-party data like that of Have I Been Pwned (HIBP) or other known breached password lists. Microsoft instead relies solely on its own analysis of what passwords are being used in various Azure AD environments. Microsoft does not disclose any of the contents of its list.
Regulatory recommendations like that of NIST or NCSC include using a list of known breached passwords. Specops Breached Password Protection fulfills this recommendation.
Microsoft does not state the number of passwords on the list. They do mention it is small compared to other third-party lists but that with fuzzy matching it can block millions of password variations of the words on their smaller banned list.
Specops Breached Password Protection Complete is a larger banned password list, currently at over 4 billion unique compromised passwords.
The Custom Banned Password List
This is Microsoft’s competitive offering to Specops Password Policy’s custom dictionary lists.
The Custom Banned Password List has a limit of 1000 words, and each entry must be at least 4 characters long.
Three letter combinations are common for many companies. This 4-character limitation means you can’t block:
- Short company names or acronyms (like IBM, DSW, CBS, FOX, CNN, UPS, CVS, ATT, 3M)
- Shorter stock symbols (like GE, BBD, GM, BMY)
- Airport codes (like JFK, LHR, LAX, CDG, DXB, ARN, YYZ, FRA)
- Internal abbreviations (like product short names: SPP, BPP, SSD)
Specops Password Policy dictionary lists have no limit and allow entries of any length.
Microsoft doesn’t always block the use of words from the Custom Banned Password List. Microsoft’s “5 Wrongs Make a Right” approach to password scoring means that a word on your custom list can be allowed as part of a longer password.
Weak passwords accepted by Azure AD
[specops] +  +  +  + [!] = 5 → Accepted
[password] +  +  +  + [!] = 5 → Accepted
[password] + [password] + [password] + [password] +  = 5 → Accepted
Specops Password Policy can block the use of any word on custom dictionary lists in a longer password.
The infamous password breaches, Collections leaks #1-5, contain over a billion compromised passwords. Microsoft ignores them along with other third-party and real attack data in its Global Banned Password List, leaving users vulnerable.
Below are just a few examples of the most common complex passwords found in Collection #2 that pass Microsoft’s Password Protection filter.
Leaked passwords accepted by Azure AD
The Specops Password Policy password deny list includes the above known breached passwords and over 4 billion more compromised passwords.
More Than Security Gaps, User Experience is Lacking
Azure AD Password Protection is likely to increase IT service desk calls
“Azure AD Password Protection has no control over the specific error message displayed by the client machine when a weak password is rejected.”
Azure AD is likely to increase calls to the IT service desk for two main reasons.
#1 – Lack of custom password rejection messaging
As shown in the above quote from Microsoft’s documentation, Azure AD does not permit admins to customize the standard Windows error messages users see upon password rejection.
“Unable to update the password. The value provided does not meet the length, complexity, or history requirements of the domain.”
The above message is the only message users will see no matter the reason their password was rejected when changing or resetting their password on their machines.
This vague messaging is not likely to make it clear to the user what they need to change about their password in order to for it to be accepted.
With Specops Password Policy, users receive dynamic feedback at password change as they type. Specops also enables admins to customize the message that users receive, including displaying the found dictionary word.
#2 – The inherent complexity of Azure AD’s Password Protection scoring
The password scoring used in the Azure AD Password Protection is complicated, and IT admin logs will tell you a password was rejected because it was found on the global or custom banned list but not tell you which.
This lack of transparency on rules for what is required means that the IT service desk will struggle to successfully identify issues users are having with setting passwords.
With Specops Password Policy, admin logs identify on which password list a rejected password entry was found.
What we recommend
You don’t need to abandon Azure AD or O365 to implement stronger password policies or to block users from using leaked passwords.
You can instead set up Specops Password Policy and Breached Password Protection to enforce these policies in your on-prem environment and utilize a federation solution or Azure AD password write-back to enforce those policies for your users across environments.
Find out how many of your Azure AD users’ passwords are
Specops Password Auditor is a free read-only
tool that scans and checks passwords of Active
Directory user accounts against our list of
Many of our customers who were relying only
on Azure AD Password Protection have told us
they were shocked to find how many compromised passwords were in use after running a Password Auditor scan.
It takes a single compromised password to create risk and potential compromise. Download your free copy of Specops Password Auditor here.
Get a demo of Specops Password Policy
Specops Password Policy helps increase password security in your on-prem Microsoft Active Directory or hybrid
Azure AD environment. The solution can target any GPO level, group, user, or computer with password complexity,
dictionaries and passphrase settings. With Specops Breached Password Protection, IT teams can block over 4 billion
unique compromised passwords. These passwords include ones used in real attacks today or are on known
breached password lists, making it easy to comply with industry regulations such as those from NIST or NCSC.
Interested in seeing how Specops Password Policy and Breached Password Protection could work in your
environment? Click here to set up a demo or trial today.