News

Password Protection and Smart Lockout Previews Now Available for Azure AD Users

• By Kurt Mackie
• 06/20/2018

Microsoft this week announced the previews of two password security capabilities for organizations using the Azure Active Directory service or Windows Server Active Directory.

One of previews is Azure AD Password Protection, designed to ward off the use of commonly guessed passwords, which requires having Azure AD Premium 1 licensing. The other preview is Smart Lockout, an attacker-blocking capability, which is included in "all versions of Azure AD (including those versions in Office 365)," Microsoft's announcement explained.

The Azure AD Password Protection preview is aimed at thwarting "password spray" types of attacks in which attackers try prosaic passwords across an organization. The idea is to find end users who have chosen guessable passwords as a way of gaining entry. A guessable password might be "password" or "12345678" and the like.

Microsoft's Azure AD Password Protection preview stops end users from creating guessable passwords via a list of more than 500 commonly used passwords, plus over 1 million single-character variants. For instance, it would stop a user from using "p@ssword" as their password.

The Azure AD Password Protection service is turned on by default for password set and reset actions for Azure AD Premium users. It can be turned on for Windows Server AD users from the Azure AD portal if they have the same licensing. Organizations also can add a customized list of their own banned password strings, if wanted. The ability to add a banned password list requires having an Azure AD Basic license, according to Microsoft's documentation.

The other feature at preview, Smart Lockout, is turned on by default for Azure AD users and is used to separate valid users from attackers trying to guess passwords. Smart Lockout uses "intelligence" to make the distinction, but organizations can also customize it. IT pros can also set thresholds for when Smart Lockout will block users based on the number of failed password tries. They can also set a duration for the lockout periods.

In March, Microsoft laid out its best practice recommendations for passwords using Azure AD. Among other matters, it stressed that multifactor authentication should be required for IT personnel. It also offered seemingly against-the-grain advice with regard to end user passwords. For instance, Microsoft advised against requiring end users to regularly change their passwords. The argument is such a requirement just causes them to select predictable password names or it causes them to use "seasonal patterns" in their passwords.

Microsoft appears to have some backing on this position from the National Institute of Standards and Technology's latest report on the topic, as cited in Microsoft's announcement. It states (Section 10.2.1 "Memorized Secrets"):

• Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.
• Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise. (See Section 5.1.1 for additional information)

The report doesn't provide much explanation about such advice, but the general idea seems to be that organizations should avoid any practices that cause end users create guessable passwords.

IT pros with questions about Microsoft's Azure AD Password Protection and Smart Lockout previews will get an opportunity to ask them on Thursday, June 28 at 9:00 a.m. to 10:00 a.m. PST. The Azure AD team plans to field questions at that time. Details are described here.