lacework-global-502
Set a Custom Bad Password List to 'Enforce' for your Organization (Manual)
Profile Applicability
• Level 1
Description
Microsoft Azure creates a default bad password policy that is already applied to Azure administrative and normal user accounts. This is not applied to user accounts synced from an on-premise Active Directory unless using Azure AD Connect and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.
Please see the list in default values on the specifics of this policy.
Rationale
Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.
Impact
Increasing needed password complexity might increase overhead on administration of user accounts.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active directory
in the menu that opens, and then 'Security'. - Under
Management
selectAuthentication
thenPassword Protection
. - Ensure
Enforce custom list
is set toYes
. - Scroll through the list to view the enforced passwords.
Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security assessment for this recommendation.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Azure Active Directory
. - Select
Security
. - Under
Manage
, selectAuthentication Methods
. - Select
Password Protection
. - Set the
Enforce custom list
option toYes
. - Double click the custom password list to add a string.
Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.
References
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-combined-policy
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad
https://docs.microsoft.com/en-us/powershell/module/Azuread/
https://www.microsoft.com/en-us/research/publication/password-guidance/
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-6-use-strong-authentication-controls