This new tool will help Azure admins significantly decrease the risk of accounts being compromised by password spraying attacks.
As of June 20th, Microsoft has released the public preview of the new Azure Active Directory tool that will help admins kill off bad passwords in the enterprise. The tool, called Azure AD Password Protection, offers a new way of protecting Azure AD and Windows Server Active Directory accounts from users with bad password habits.
The tool ships with a list of the 500 most commonly used passwords and also blocks a million more that are character-based variations on those bad passwords. That means that since ‘password’ is already blocked, users won’t be able to set their password to ‘[email protected]’ or ‘[email protected]$$w0rd’.
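The variation blocking described above can be approximated with a normalization step before the banned-list comparison. The code below is an added illustration, not Microsoft’s implementation or its actual matching rules: the global and org-specific banned lists are small constructed samples (the article mentions an organization-defined custom list), and the substitution table is an assumption about which leet-style swaps to undo.

```python
import re

# Constructed sample lists for this example. The real tool ships ~500 global entries;
# the custom list stands in for the org-specific banned strings the article mentions.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome"}
CUSTOM_BANNED = {"contoso", "fabrikam"}

# Assumed character-for-letter substitutions to undo before comparing.
# '1' is mapped to 'i' here, so 'l'-style uses of '1' would be missed.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})


def normalize(candidate: str) -> str:
    """Fold case, drop leading/trailing digits and punctuation, undo substitutions."""
    folded = candidate.lower()
    # Strip decorations such as 'Password2018!' -> 'password' before translating,
    # otherwise the trailing '!' would be turned into a letter and survive.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)
    return core.translate(SUBSTITUTIONS)


def is_banned(candidate: str, banned=frozenset(GLOBAL_BANNED | CUSTOM_BANNED)) -> bool:
    """True if the normalized candidate contains any banned term as a substring."""
    core = normalize(candidate)
    return any(term in core for term in banned)


if __name__ == "__main__":
    for pw in ["P@$$w0rd1!", "l3tm31n", "Contoso2018", "Summer2018!"]:
        print(f"{pw!r:16} banned={is_banned(pw)}")
```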
Microsoft argues that Azure AD Password Protection will “dramatically lower the risk” of being compromised by a so-called “password spraying” attack. Password spraying is designed to get around ‘rate limiting’, where a system caps the number of login attempts against a single account before locking it. The attacker tries common passwords such as ‘Password1’ against many accounts, knowing that a small percentage of those accounts will be protected by exactly these passwords.
Password spraying attacks
Back in March, the US Computer Emergency Readiness Team, or US-CERT, posted an alert about password spraying attacks, confirming this was the technique used by the nine Iranian nationals whom the DOJ indicted for allegedly hacking 8,000 professor email accounts at 144 US universities, as well as accounts at the US Department of Labor, the United Nations, and the Federal Energy Regulatory Commission.
The hackers, working for the Iranian firm the Mabna Institute, allegedly stole 31.5 terabytes of research and other data, which they passed on to the Iranian Government’s Islamic Revolutionary Guard Corps. US-CERT noted that password spray attacks often target single sign-on (SSO) and cloud-based applications that use federated authentication protocols. Compromising just a few select accounts allowed the attackers to acquire a large email list to spray, and they used the compromised access to move around a network using RDP and then exfiltrate data via FTP.
Prior to the indictments being announced, Microsoft also posted a warning about password spray attacks and provided Azure AD customers with information about tools to mitigate them.
Microsoft argues that the banned passwords approach is superior to password complexity rules, such as requiring multiple character types, which users often satisfy by picking a password with a capital letter at the front followed by a few number-for-letter substitutions.
Likewise, requiring users to change passwords periodically often leads them to pick easy-to-remember passwords based on sports teams and so on.
“Last week’s public preview gives you the ability to do this in the cloud and on premises — wherever your users change their passwords — and unprecedented configurability,” writes Alex Simons, director of program management at Microsoft’s Identity Division.
However, one catch is that Azure AD Premium Password Protection is limited to enterprise subscribers on the Azure AD Premium 1 tier.
Get Started with Azure AD Protection in 3 Easy Steps
By default, all Azure AD password set and reset operations for Azure AD Premium users are configured to use Azure AD password protection. To configure a custom list of banned password strings for your organization and to configure Azure AD password protection for Windows Server Active Directory, follow these simple steps.