SC-900 | Chapter 49 of 103 | Objective 2.2

Microsoft Entra Password Protection

This chapter covers Microsoft Entra Password Protection, a critical security feature that blocks weak and compromised passwords in Azure AD and on-premises Active Directory. For the SC-900 exam, approximately 5-10% of questions in the Identity Access domain (Objective 2.2) relate to password protection and authentication methods. Understanding how Entra Password Protection works, its components, and its configuration is essential for defending against password-based attacks.

Updated May 31, 2026

Library Book Borrowing Policy

Imagine a public library with a strict book borrowing policy. The library maintains a list of banned passwords (weak or compromised books) that cannot be borrowed. When a patron tries to borrow a book, the librarian checks the book's title against the banned list. If the book is banned, the librarian refuses the checkout and suggests alternative titles. The library also enforces rules: books must be at least 8 characters long (password length), cannot be the patron's name (username), and cannot be a simple sequence like '123456' (common patterns). The banned list is updated regularly from a central library association (Microsoft's global banned list) that collects reports of stolen or weak books from libraries worldwide. Additionally, the library can add its own local banned list based on regional preferences (custom banned passwords). If a patron repeatedly tries to check out banned books, the librarian may lock their account temporarily (account lockout). This policy prevents patrons from using easily guessed books, protecting their accounts from theft. Similarly, Microsoft Entra Password Protection prevents users from setting weak or compromised passwords by checking against global and custom banned lists, combined with intelligent algorithms that detect common patterns.

How It Actually Works

What is Microsoft Entra Password Protection?

Microsoft Entra Password Protection is a security feature that detects and blocks weak passwords and the common password variations used in brute-force and password spraying attacks. It applies to cloud-based Azure AD accounts and, through an on-premises proxy service and Domain Controller agents, to on-premises Active Directory accounts. The feature uses a global banned password list maintained by Microsoft, which contains known weak passwords and their common variations (e.g., 'Password123!', 'Qwerty123', 'Letmein1'). Additionally, administrators can define a custom banned password list tailored to their organization, such as company names, product names, or industry-specific terms.

How It Works Internally

When a user attempts to set or change a password, the following process occurs:

1. Password Submission: The user submits a new password through a self-service portal, the Microsoft Entra admin center, or an on-premises Active Directory password change.

2. Normalization: Entra Password Protection normalizes the password by converting all characters to lowercase and applying a series of transformations to detect common substitutions (e.g., '3' for 'E', '@' for 'a', '$' for 'S'). This ensures that variations like 'P@ssw0rd' are caught.

3. Comparison: The normalized password is compared against the global banned password list and the custom banned password list. The comparison is not exact; it uses fuzzy matching to detect whether the password contains banned words or patterns.

4. Evaluation: If the password matches a banned password or one of its variations, it is rejected. Additionally, the system checks for common patterns like sequential characters (e.g., 'abcd'), repetitive characters (e.g., 'aaaa'), or keyboard patterns (e.g., 'qwerty').

5. Result: The result is returned to the user. If rejected, the user must choose a different password.

Key Components, Values, Defaults, and Timers

Global Banned Password List: Automatically updated by Microsoft. Contains millions of known weak passwords and their variations. Cannot be modified by administrators.

Custom Banned Password List: Administrator-defined list of up to 1000 entries. Each entry can be a word or phrase up to 16 characters. Entries are case-insensitive and normalized.

Password Evaluation Algorithm: Uses a combination of string matching, fuzzy logic, and pattern detection. It evaluates the entire password, not just individual words.

On-Premises Proxy: For on-premises Active Directory, a proxy service must be installed on a server that can communicate with Azure AD. The proxy relays the DC agents' requests for the current global and custom banned password lists to the Entra Password Protection service; the password itself is evaluated on the Domain Controller by the DC agent and is never sent to the cloud.

DC Agent: A separate agent installed on each Domain Controller that intercepts password changes and applies the policy locally.

Policy Sync Interval: The custom banned password list is synced from Azure AD to on-premises DCs every 10 minutes by default.

Enforcement Mode: Can be set to 'Audit' (log violations but allow) or 'Enforced' (block violations).

Password Protection for Azure AD B2C: Also supported for B2C custom policies.

Configuration and Verification Commands

For on-premises Active Directory, configuration is done via Group Policy or PowerShell. Example PowerShell commands:

# Install the AzureADPasswordProtection module
Install-Module -Name AzureADPasswordProtection

# Register the proxy with Azure AD
Register-AzureADPasswordProtectionProxy -AccountCredential (Get-Credential)

# Register the forest (once per forest, after the proxy is registered; the DC agent itself is installed separately on each Domain Controller)
Register-AzureADPasswordProtectionForest -Force

# Check policy status
Get-AzureADPasswordProtectionSummaryReport

For cloud-only Azure AD, configuration is done in the Microsoft Entra admin center under 'Security > Authentication methods > Password protection'.

Interaction with Related Technologies

Self-Service Password Reset (SSPR): Entra Password Protection is automatically applied when users reset passwords via SSPR.

Identity Protection: Works alongside Password Protection to detect risky sign-ins and compromised credentials.

Conditional Access: Can enforce password changes based on risk level.

Azure AD Connect: Synchronizes on-premises password changes to the cloud, but Entra Password Protection can be applied on-premises before sync.

Exam-Relevant Details

The global banned password list is updated automatically; administrators cannot view or modify it.

Custom banned password list supports up to 1000 entries.

Passwords are evaluated after normalization (case-insensitive, common substitutions).

On-premises deployment requires two components: the proxy agent and the DC agent.

The feature is available in Azure AD Premium P1 or P2 licenses.

It does not prevent users from using passwords that are not on the banned list; it only blocks known weak passwords.

Walk-Through

1. User Submits New Password

The user attempts to set a new password via a supported interface (e.g., Azure AD portal, Windows login, SSPR). The password is transmitted securely (TLS) to the authentication endpoint. For on-premises, the DC intercepts the change request.

2. Password Normalization

The password is normalized: all characters are lowercased, and common substitutions are replaced with their base characters. For example, 'P@ssw0rd' becomes 'password'. This ensures that leetspeak variations are detected. The normalization algorithm also removes repeated characters and checks for patterns.

3. Check Against Banned Lists

The normalized password is compared against the global banned password list (millions of entries) and the custom banned password list (up to 1000 entries). The comparison uses fuzzy matching: if the normalized password contains a banned word or is a close variation, it is flagged. For example, 'Summer2024!' would be flagged if 'Summer' is on the custom list.

4. Pattern Detection Evaluation

Even if the password does not exactly match a banned entry, the algorithm checks for common patterns: sequential characters (abc, 123), repetitive characters (aaa), keyboard patterns (qwerty), and common variations (e.g., adding a year or special character). If a pattern matches, the password is rejected.

5. Result Returned to User

If the password passes all checks, it is accepted and applied. If rejected, the user receives a generic error message indicating the password is too weak or has been compromised. The user must choose a different password. For on-premises, the DC logs the event in the Security log.

What This Looks Like on the Job

In a large enterprise with 50,000 employees, password spraying attacks are a constant threat. Microsoft Entra Password Protection is deployed to block common weak passwords like 'Spring2024!' or 'Company123'. The security team configures a custom banned password list containing the company name, product names, and industry terms. They set the enforcement mode to 'Audit' initially to monitor violations without disrupting users. After a week, they review logs and find that 15% of password changes were using banned terms. They then switch to 'Enforced' mode.

The on-premises deployment requires installing the proxy agent on a server with internet access to Azure AD, and the DC agent on each Domain Controller. In a multi-forest environment, each forest must be registered separately. A common misconfiguration is forgetting to register the forest after installing the agents, causing password changes to bypass the check. Another issue is network latency: if the proxy cannot reach Azure AD, the DC agent falls back to a cached version of the banned list, which may be outdated.

The team also integrates with Identity Protection to detect compromised credentials and trigger password resets. Performance considerations: the DC agent adds minimal overhead (less than 5ms per password change). However, in environments with high churn (e.g., 10,000 password changes per day), adequate server resources are needed. A failure scenario: if the proxy agent's certificate expires, password protection stops working on-premises, leaving the environment vulnerable. Regular monitoring of the proxy's health is critical.
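The five-step pipeline from "How It Works Internally", the walk-through above, and the Audit-to-Enforced rollout in this scenario, brought together in one runnable model. This is an added example, not Microsoft's code and not the service's real algorithm: the banned lists, the substitution table, the "within one edit" fuzzy rule, the four-character pattern threshold, the username-token check, and all function names are assumptions constructed for illustration.

```python
"""Simplified model of the password evaluation pipeline described in this chapter.
Added illustration, not Microsoft's code: the real global list, substitution table
and fuzzy-matching rules are not on this page, so every value here is a constructed
stand-in. The flow follows the five steps in the text."""
import re

# Constructed stand-in for the global banned list (the real one holds millions).
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome", "spring"}

# Custom list for a fictional tenant; the documented limits are enforced below.
CUSTOM_BANNED = set()
MAX_CUSTOM_ENTRIES = 1000
MAX_ENTRY_LENGTH = 16

# Assumed leetspeak substitution table (not the service's real table).
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def normalize(password):
    """Step 2: lowercase, then undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)

def add_custom_entry(term):
    """Add an organization-specific term, enforcing the 1,000 x 16-character limits."""
    if len(term) > MAX_ENTRY_LENGTH:
        raise ValueError("entry longer than %d characters: %r" % (MAX_ENTRY_LENGTH, term))
    if len(CUSTOM_BANNED) >= MAX_CUSTOM_ENTRIES:
        raise ValueError("custom list already holds %d entries" % MAX_CUSTOM_ENTRIES)
    CUSTOM_BANNED.add(normalize(term))

def within_one_edit(a, b):
    """True when a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                  # a is now the shorter (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
        else:
            edits += 1               # substitution if same length, else skip b's extra char
            i, j = (i + 1, j + 1) if len(a) == len(b) else (i, j + 1)
    return edits + (len(b) - j) <= 1

def banned_term_in(norm):
    """Step 3: fuzzy comparison against both lists. A term matches when the
    normalized password contains it or, taken as a whole, is within one edit of it."""
    for term in sorted(GLOBAL_BANNED | CUSTOM_BANNED):
        if term in norm or within_one_edit(norm, term):
            return term
    return None

def has_sequence(s, run=4):
    """Ascending runs such as 'abcd' or '1234'."""
    return any(all(ord(s[i + k + 1]) - ord(s[i + k]) == 1 for k in range(run - 1))
               for i in range(len(s) - run + 1))

def has_repetition(s, run=4):
    """The same character repeated, e.g. 'aaaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None

def has_keyboard_pattern(s, run=4):
    """Adjacent keys on one keyboard row, e.g. 'qwer' or 'asdf'."""
    return any(s[i:i + run] in row for row in KEYBOARD_ROWS
               for i in range(len(s) - run + 1))

def contains_user_name(norm, username):
    """Reject passwords built from the account name, e.g. 'John2024' for john@contoso.com."""
    tokens = re.split(r"[._\s-]+", username.split("@", 1)[0].lower())
    return any(len(t) >= 3 and t in norm for t in tokens)

def evaluate(password, username=""):
    """Steps 2-5: return (accepted, reason)."""
    norm = normalize(password)
    lowered = password.lower()   # pattern checks use the pre-substitution form so
                                 # that a digit run like '1234' is not masked by the map
    if banned_term_in(norm):
        return False, "banned-list match"
    if has_sequence(lowered) or has_repetition(lowered) or has_keyboard_pattern(lowered):
        return False, "common pattern"
    if username and contains_user_name(norm, username):
        return False, "contains user name"
    return True, "accepted"

def apply_policy(password, username="", mode="Enforced"):
    """Audit mode records the violation but lets the change through; Enforced blocks it."""
    accepted, reason = evaluate(password, username)
    return {"allowed": accepted or mode == "Audit", "violation": not accepted,
            "reason": reason, "mode": mode}

def audit_violation_rate(changes):
    """Share of (password, username) changes that would be blocked: the figure the
    team reviews in Audit mode before switching to Enforced."""
    flagged = sum(1 for pw, user in changes if not evaluate(pw, user)[0])
    return flagged / len(changes) if changes else 0.0

if __name__ == "__main__":
    add_custom_entry("Contoso")   # fictional tenant's company name
    add_custom_entry("Summer")
    for pw in ("P@ssw0rd", "Summer2024!", "abcd1234", "John2024", "Xk9#tqLm2v"):
        print(pw, apply_policy(pw, "john@contoso.com", "Audit"))
```

Two design points worth noticing: the pattern checks run on the lowercased password before the substitution map is applied, because the map turns '1234' into 'l2e4' and would hide the sequence; and the rejection reasons are coarse on purpose, matching the generic "too weak or compromised" message the user receives, so the evaluator never tells a caller which list or term it hit.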

How SC-900 Actually Tests This

The SC-900 exam tests Microsoft Entra Password Protection under Objective 2.2 (Describe the capabilities of Azure AD authentication). Specifically, you must know:

The difference between global and custom banned password lists.

That the global list is automatically maintained by Microsoft and cannot be modified.

That the custom list supports up to 1000 entries.

That password evaluation includes normalization and pattern detection.

The two components required for on-premises deployment: proxy agent and DC agent.

That the feature is available in Azure AD Premium P1 or P2.

Common wrong answers:

1. 'Custom banned password list is unlimited': incorrect; it is limited to 1000 entries.

2. 'The global banned password list can be viewed by administrators': incorrect; it is hidden.

3. 'Password Protection only works for cloud accounts': incorrect; it works for on-premises too.

4. 'It blocks all weak passwords based on complexity rules': incorrect; it focuses on known weak and compromised passwords, not just complexity.

Exam trap: The exam may ask about the license requirement. Remember: Azure AD Premium P1 or P2 is required. Free or Basic tiers do not include Password Protection. Also, note that the feature does not prevent dictionary attacks; it only blocks specific passwords that are in the banned lists.

To eliminate wrong answers, focus on the mechanism: the feature uses a combination of global and custom lists, with normalization and pattern detection. If an answer says 'exact matching only,' it is wrong because fuzzy matching is used.

Key Takeaways

Microsoft Entra Password Protection blocks weak and compromised passwords using global and custom banned lists.

The global list is automatically updated by Microsoft and contains millions of entries; administrators cannot modify it.

The custom list supports up to 1,000 entries, each up to 16 characters, for organization-specific terms.

Password evaluation includes normalization (lowercasing, substitution detection) and pattern detection (sequences, repetitions).

On-premises deployment requires two components, the proxy agent and the DC agent, and both must be registered.

The feature is available only with Azure AD Premium P1 or P2 licenses.

Enforcement can be set to Audit (log only) or Enforced (block) mode.

Password Protection integrates with SSPR and Identity Protection for enhanced security.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Global Banned Password List

Maintained by Microsoft automatically

Contains millions of known weak passwords

Cannot be viewed or modified by administrators

Updated dynamically based on real-world attacks

Applied to all tenants by default

Custom Banned Password List

Defined by organization administrators

Limited to 1,000 entries

Can be viewed and modified in Azure AD admin center

Used to block organization-specific terms (e.g., company name)

Must be explicitly configured; not applied by default

Watch Out for These

Mistake: Microsoft Entra Password Protection blocks all weak passwords based on complexity rules.

Correct: It does not enforce complexity rules like length or character types. It only blocks passwords that are on the global or custom banned lists, or that match common patterns. Complexity rules are separate (e.g., password policies in Azure AD).

Mistake: The custom banned password list can contain up to 10,000 entries.

Correct: The limit is 1,000 entries. Each entry can be up to 16 characters. Administrators must prioritize the most critical terms.

Mistake: Password Protection only applies to cloud-based Azure AD accounts.

Correct: It also applies to on-premises Active Directory accounts when the proxy and DC agents are installed. This protects hybrid environments.

Mistake: The global banned password list is static and rarely updated.

Correct: It is dynamically updated by Microsoft based on real-world attack data, including newly compromised passwords from breaches. Updates occur automatically.

Mistake: Password Protection uses exact string matching only.

Correct: It uses normalization and fuzzy matching to detect variations like leetspeak (e.g., 'P@ssw0rd' is caught). It also detects patterns like sequences and repetitions.


Frequently Asked Questions

Does Microsoft Entra Password Protection require a license?

Yes. Microsoft Entra Password Protection is a premium feature that requires an Azure AD Premium P1 or P2 license for each user; the Free and Basic tiers do not include this capability. Note that the global banned password list is applied to all users regardless of license, while the custom list and the on-premises features require premium licenses.

Can I use Password Protection for on-premises Active Directory without Azure AD?

No, Entra Password Protection for on-premises requires connectivity to Azure AD. The proxy agent must communicate with the Azure AD Password Protection service to download the global and custom banned lists. Without Azure AD, you cannot use this feature. However, you can implement similar functionality using third-party tools.

What happens if the proxy agent loses connectivity to Azure AD?

If the proxy agent cannot connect to Azure AD for more than 10 minutes, the DC agent will use the last cached version of the banned lists. Password protection continues to work with the cached data, but new updates are not applied. Prolonged disconnection can lead to outdated protection.

How often is the global banned password list updated?

Microsoft updates the global banned password list dynamically based on real-time threat intelligence. There is no fixed schedule; updates can occur multiple times per day as new compromised passwords are discovered. The updates are automatically pushed to tenants.

Does Password Protection prevent users from using passwords that contain their username?

Yes, as part of pattern detection, Entra Password Protection checks if the password contains the user's username or display name. If it does, the password is rejected. This prevents common mistakes like using 'John2024' when the username is 'john@contoso.com'.

Can I exclude specific users from Password Protection?

No, Password Protection applies to all users in the tenant. There is no exclusion list. However, you can set the enforcement mode to 'Audit' to log violations without blocking, but this applies to all users as well.

What is the difference between Password Protection and password policies?

Password policies (e.g., length, complexity, expiration) are rules that define what passwords are allowed. Password Protection is an additional layer that blocks specific known weak or compromised passwords, regardless of whether they meet policy requirements. Both can be used together.
