Azure Identity And Access Management Part 38 – Azure Active Directory – Password Protection And Smart Lockout
Hope you all are doing good !!!
In our previous articles we have discussed about Authentication Methods With Azure AD. Today in this article, we will discuss on Password Protection and Password Smart Lockout service of Azure AD.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check it in following links.
Next Article : Part 39 – Azure Role-Based Access Control(RBAC) 1 – Overview
Azure AD Password Protection :
As its name suggesting, this process is protecting user’s password, to make user’s identity more secure. Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to our organization. With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. This service also lock out bad actors that try to guess your users’ passwords or use brute-force methods to get in. Password protection works with all types of authentication method.
Configure Password Protection :
Following are the two major sections, need to be configure when, configuring Password Protect service.
- Custom Smart Lockout
- Custom Banned Password
Let’s go through the following steps to configure password protection.
Step 1 – Go to Azure portal => Azure Active Directory = >Security .
Step 2 – Select Authentication Methods from Manage section as showing in the following figure.
Step 3 – Click on Password Protection and we will see the password protection configuration page with it’s all default value, if we are configuring it for first time. As showing in the following figure, we can see those major sections and now we will deep down into those sections.
Custom Smart Lockout :
Smart lockout will recognize sign-ins request, that come from valid users and treat them differently than ones of attackers and other unknown sources.
Step 4 – We can modify the default configuration value as per organization’s requirement. In this example, we have modify the Lockout threshold property value from it’s default value 10 times to new value 2 times and Lockout duration in seconds property value from 60 second to 30 second and click Save button to save the configuration done till now. So that after two consecutive log-in fail attempt by user, the account will be lockout for 30 second. The account locks again after each subsequent failed sign-in attempt, for 30 seconds at first and longer in subsequent attempts.
Step 4 – After configuring the first section, let’s test the configuration and see how it will behave if a user try to log-in with wrong password for more that 2 times.
Step 5 – Log in to the Azure portal using a different browser (IE) with a different user account (Ganesh@knowledgejunction1.onmicrosoft.com). so that we can easily come back to the Password Protection page to configure the second section after testing the first section. As showing in the following figure, first we have logged in using the correct password.
Step 6 – We will now try with wrong password for 3 times .
In my third attempt, as showing in the following figure, I got message ” Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.”
Custom Banned Password :
After configuring and testing the first section of Password Protection service, let’s configure the second section of this servoce.
Step 7 – Let’s go back to our Password Protection page to configure the second section.
Step 8 – To proceed with this configuration, the first configuration is to set Yes to Enforce custom list property value.
Step 9 – Prepare a list of common password pattern for Custom banned password list. Each item must be in a separate line as showing in the above figure. We can leave Enable password protection on Window Server Active Directory property with the default setting if not required. The last property is Mode. The default value is Audit but we can modify as per the requirement, it has following two options,
- Enforced : The users will be prevented from setting banned passwords and the attempt will be logged.
- Audit : The attempt will be logged no prevention of banned passwords.
Step 10 – Click Save button to complete the configuration as shown in the following figure.
How Banned Password Works
What actually the intention of this configuration is to restrict user to configure a week and banned or common password for the account when they reset their password. It helps/ suggests to configure a stronger password to make the account more secure by configuring a custom/local list of banned password pattern. Azure itself also provides a list of global banned password pattern like we can’t use tenant name or user name in the password which applied to all tenant. Azure keep updating it’s global banned password list by monitoring globally compromised and commonly used password to provide a very secure Azure infrastructure.
It is a process through which it goes, when user resetting their password. There are different predefined methods, which helps Azure service to decide whether the password needs to be approved or rejected. Following are those list of methods, through which a password must examined before approve or reject.
- Sub String Calculation
- Fuzzy Matching Behavior
- Score Calculation
In this Normalization process, generally, each letter of the password is being examined and convert some special letter into it’s substituted letter. Following table showing the the original letter provided by user and it’s substituted letter .
In this process/method, first it converting all upper case letter to lowercase letter. Then replace all special original letter to its substitute letter. In the following example we can see, if we want to normalize ” P@$$W0rd “ then the word after normalization would be “password“. If we see in the image, the password is listed in the custom banned password list so the suggested passwords would be consider as a weak or banned password and ask user to choose a different password.
Sub String Calculation :
The next process that happened is called Sub String Calculation. where-in it examine the password text against user’s name and the Tenant name. Let’s consider a scenario, where Ganesh ( Ganesh@knowledgejunction1.onmicrosoft.com) is working for knowledge-junction company. Ganesh want to reset his password and he is trying to use “Ganesh#1 ” and then Knowledgejunction#1 as his password but both the time Azure does not approved the password , instead asked to choose a secure and strong password because, in this Substring Calculation process, it does not allow to user to use User name and Tenant name as password.
Fuzzy Matching Behavior :
Fuzzy matching is used on the normalized password to identify if it contains a password found on either the global or the custom banned password lists. The matching process is based on an edit distance of one (1) comparison. In the following figure, let’s consider “Rasmita” from the custom banned list.
In the above 3 options in the image, each of the above passwords doesn’t specifically match the banned password “Rasmita”. Since each example is within an edit distance of 1 of the banned term ‘Rasmita’, they’re all considered as a match to “rasmita”.
Score Calculation :
In Score Calculation process/method identify all instances of banned passwords in the user’s normalized new password. Points are assigned based on the following criteria:
- Each banned password that’s found in a user’s password is given one point.
- Each remaining unique character is given one point.
- A password must be at least five (5) points to be accepted.
In the above figure, a user changes their password to “r@$mit@m@n@$!0“. Let’s go through the process step wise.
- After normalization, this password becomes “rasmitamanas1o”.
- The matching process finds that this password contains two banned passwords: “rasmita” and “manas”.
- This password is then given the following score:[rasmita] + [manas] +  + [o] = 1+1+1+1= 4 points
- As this password is under five (5) points, it’s rejected.
On-Premise Password Protection Deployment
We have seen, how to deploy Password Protection in Azure AD also seen how password protection is working in Azure. Now let’s see and discuss how we can deploy Password Protection in On-Premise environment.
After configuring Password Protection in On-Premise, when some one resetting their password in on-premise then the user have to gone through the same policy and process and it will consider both global banned password list and custom banned password list before approve the password for the user.
Configuring this in on-premise environment is not a complex task. As we can see in the above figure, following two agents are taking an important role to success this process and registered Service Connection Point helps to recognize each other.
- DC Agent For Password protection : This agent validate the password change or reset request. Ad its name suggests, this DC agent will be installed in Domain Controllers (DC). It is recommended, we should install DC agent in all of our domain controller. The reason behind this is, DC agent only validate the password reset request, which has been received on the domain controller on which the DC agent has installed.
- Password Protection Proxy Agent : This agent downloading the new/updated policy and updated custom banned password list from Azure AD to on-premise and keep updating the banned password list with Azure custom banned password list. We can install this agent to any of our domain joined machine. It is recommended that, we should have at least two Proxy agent server.
We can download both agent from this ( https://www.microsoft.com/en-us/download/details.aspx?id=57071 ) link and install as per the instruction.
Following are the steps we should follow when deploying Password Protection.
- Install DC Agent for Password Protection on domain controller servers.
- Install Proxy Agent for Password Protection on any domain joined server.
- Register Proxy Agent which required Global Admin Credentials using following script Register-AzureADPasswordProtectionProxy -AccountUpn (userprinciplename of Global Admin)
- Register Forest which also requires Global Admin Credentials as well as domain admin account using following script. Register-AzureADPasswordProtectionForest -AccountUpn (userprinciplename of Global Admin)
Before executing the script to register the proxy, import module which support Password Protection by using Import-Module AzureADPasswordProtection command as showing in the following figure.
License Requirement :
With the above information, I am concluding this article on Password Protection and Smart Lockout in Azure AD. I hope this is informative to you. As I am exploring the Azure Identity and Access Management (IAM) in a detail level specially with Azure Active Directory . Please let me know if I missed anything important or if my understanding is not up to the mark.
Next Article : Part 39 – Azure Role-Based Access Control(RBAC) 1 – Overview
Keep reading, share your thoughts, experiences. Feel free to contact @MrManasMohrana to discuss more.
Thanks for reading 🙂