Azure AD Password Protection helps you eliminate easily guessed passwords from your environment, which can dramatically lower the risk of being compromised by a password spray attack. Specifically, these features let you:
- Protect accounts in Azure AD and Windows Server Active Directory by preventing users from using passwords from a list of more than 500 of the most commonly used passwords, plus over 1 million character substitution variations of those passwords.
- Manage Azure AD Password Protection for Azure AD and on-premises Windows Server Active Directory from a unified admin experience in the Azure Active Directory portal.
- Customize your Azure AD smart lockout settings and specify a list of additional company-specific passwords to block.
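How a banned-password check can cover character substitution variants without storing each one, as an added example (not Microsoft's implementation and not from the original page). The substitution map, the stand-in word lists and the function names are assumptions made for illustration, and only exact matches after normalization are handled.

```python
from math import prod

# Constructed data: which look-alike characters stand in for which letter.
SUBSTITUTES = {"a": "4@", "e": "3", "i": "!", "l": "1", "o": "0", "s": "5$", "t": "7"}

# Reverse map used to fold a candidate password back to plain letters.
TO_LETTER = str.maketrans(
    {sub: letter for letter, subs in SUBSTITUTES.items() for sub in subs}
)

# Constructed stand-ins for the global list and the company-specific list.
GLOBAL_BANNED = frozenset({"password", "letmein", "welcome", "qwerty"})
CUSTOM_BANNED = frozenset({"contoso", "seattle"})


def normalize(password: str) -> str:
    """Lower-case the password and undo the character substitutions."""
    return password.lower().translate(TO_LETTER)


def check_password(password: str):
    """Return the name of the list that blocks the password, or None."""
    candidate = normalize(password)
    if candidate in GLOBAL_BANNED:
        return "global"
    if candidate in CUSTOM_BANNED:
        return "custom"
    return None


def variant_count(word: str) -> int:
    """Count the substitution spellings of one word (letter case not counted)."""
    return prod(1 + len(SUBSTITUTES.get(ch, "")) for ch in word.lower())


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "C0nt0$0", "correct horse battery staple"):
        print(f"{pw!r}: blocked by {check_password(pw)}")
    # One banned word already stands for dozens of spellings.
    print("spellings of 'password':", variant_count("password"))
```

Normalizing the candidate once means a single list entry blocks every substitution spelling of that word, which is how a list of a few hundred words can cover a far larger set of variations.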
Smart Lockout
Smart lockout is a lockout system that uses cloud intelligence to lock out bad actors who are trying to guess your users’ passwords. That intelligence can recognize sign-ins coming from valid users and treat them differently than ones from attackers and other unknown sources. This means smart lockout can lock out the attackers while letting your users continue to access their accounts and be productive.
Smart lockout is always on for all Azure AD customers with default settings that offer the right mix of security and usability, but you can also customize those settings with the right values for your environment.
With banned passwords and smart lockout together, Azure AD Password Protection ensures your users have hard-to-guess passwords and bad guys don’t get enough guesses to break in.