Complex passwords are a basic requirement to protect a system from cyber-attack. Even today most of the cyber-attack could have prevented if users were using complex, un-guessable passwords. I agree this is not the best solution especially as we are moving towards password-less authentication (Azure AD already released preview for it you can find more about it via https://www.rebeladmin.com/2018/09/step-step-guide-azure-ad-password-less-authentication-public-preview/). However, attackers always try the low hanging fruits first. In on-premises AD environment we can force users to use complex passwords via group policy. however, we couldn’t ban passwords using this method. Now Azure AD support banned password lists and smart lockout for Azure AD & on-premise AD in hybrid setup. Smart lockout is using cloud intelligence to detect password spoofing attempts from attackers. In this demo I am going to demonstrate, how to enable this feature in hybrid environment to protect both sides.
As the first step, let’s enable the password protection.
1. Log in to Azure Portal as global admin
2. Click on Azure Active Directory
3. Then Authentication Method
4. New window is to define password protection settings. In this demo, I am keeping the default thresholds for custom smart lockout. To define ban password list, click on Yes for Enforce custom list and then type the passwords you like to ban.