Azure AD Gets Two New Password Protection Tools in Preview
Organizations using Microsoft's Azure Active Directory or Windows Server Active Directory service can now test drive two new password security capabilities.
The two capabilities, announced this week, are Azure AD Password Protection and Smart Lockout. Azure AD Password Protection is designed to ward off the use of commonly guessed passwords; using it requires Azure AD Premium 1 licensing. Smart Lockout is an attacker-blocking capability that is included in "all versions of Azure AD (including those versions in Office 365)," according to Microsoft.
The Azure AD Password Protection preview is aimed at thwarting "password spray" types of attacks, in which attackers try a few prosaic passwords against many accounts across an organization. The idea is to find end users who have chosen guessable passwords as a way of gaining entry. A guessable password might be "password" or "12345678" and the like.
Microsoft's Azure AD Password Protection preview stops end users from creating guessable passwords via a list of more than 500 commonly used passwords, plus over 1 million single-character variants. For instance, it would stop a user from using "p@ssword" as their password.
The Azure AD Password Protection service is turned on by default for password set and reset actions for Azure AD Premium users. It can be turned on for Windows Server AD users from the Azure AD portal if they have the same licensing. Organizations also can add a customized list of their own banned password strings, if wanted. The ability to add a banned password list requires having an Azure AD Basic license, according to Microsoft's documentation.
The other feature at preview, Smart Lockout, is turned on by default for Azure AD users and is used to separate valid users from attackers trying to guess passwords. Smart Lockout uses "intelligence" to make the distinction, but organizations can also customize it. IT pros can set the threshold of failed password tries at which Smart Lockout blocks an account, as well as the duration of the lockout period.
In March, Microsoft laid out its best practice recommendations for passwords using Azure AD. Among other matters, it stressed that multifactor authentication should be required for IT personnel. It also offered seemingly against-the-grain advice with regard to end user passwords. For instance, Microsoft advised against requiring end users to regularly change their passwords. The argument is such a requirement just causes them to select predictable password names or it causes them to use "seasonal patterns" in their passwords.
Microsoft appears to have some backing on this position from the National Institute of Standards and Technology's latest report on the topic, as cited in Microsoft's announcement. It states (Section 10.2.1 "Memorized Secrets"):
- Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.
- Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise. (See Section 5.1.1 for additional information)
The report doesn't provide much explanation for such advice, but the general idea seems to be that organizations should avoid any practices that cause end users to create guessable passwords.
IT pros with questions about Microsoft's Azure AD Password Protection and Smart Lockout previews will get an opportunity to ask them on Thursday, June 28 at 9:00 a.m. to 10:00 a.m. PST. The Azure AD team plans to field questions at that time. Details are described here.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.