Why Entra Password Protection is Not Enough

Microsoft’s Entra (formerly Azure AD) Password Protection is a free feature that organizations can use to build a password policy they hope will protect their systems from break-ins and identity and access management problems. Ostensibly, Entra Password Protection prevents the use of so-called bad passwords (read: weak and compromised passwords) that are easy for attackers to guess. As we well know, avoiding common and compromised passwords is essential to any strong cybersecurity strategy.

According to Microsoft, Entra Password Protection “detects and blocks known weak passwords and their variants, and other common terms specific to your organization.” They also include “custom banned password lists” in their blocking capabilities. In an ideal world, a simple tool like this would be more than enough to prevent users from selecting passwords that undermine your system security. Unfortunately, cybersecurity best practices are just not this simple. Entra Password Protection does not ensure your users will choose safer passwords that help stop cybercriminals from breaching your business systems. There are flaws in this Microsoft feature that leave businesses who rely on it vulnerable to attack.

The Static Approach of Microsoft Entra Password Protection

There are significant differences between static and dynamic password defense. Entra Password Protection takes a static approach. Every time a user changes or resets their password, the tool checks that password against a default global banned password list. You can also create your own custom list of banned passwords for the system to check new passwords against. It rejects any new password that matches either list. Simple. Straightforward. Not enough to ensure strong passwords across your systems.

The problem with a static approach is that it doesn’t take the other side of the password protection equation into account. Microsoft’s tool checks passwords at the time they are created on your end, but it doesn’t re-check them as they continue to be compromised on the attacker’s end. Data breaches are a constant in our world today. In the first half of 2022 alone, there were attacks on Costa Rica’s Ministry of Finance, hundreds of millions of dollars’ worth of cryptocurrency stolen, and breaches of major telecommunications companies. Threat actors are constantly stealing credentials and selling them on the dark web. If you’re not continuously checking your passwords against new lists of exposed credentials, you’re not actually shielding your systems from bad passwords or from the attackers who will use them to their advantage.
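The gap described above, as an added illustration that is not Microsoft's or Enzoic's code: a static banned-list check that runs once when the password is set, beside a continuous re-check of the stored hashes against a breach feed that grows later. The banned terms, user names, passwords and the breach feed are all constructed for the demo; the substitution-based normalization is an assumption that approximates how a variant-aware banned-list check behaves, not Entra's documented algorithm, and SHA-256 stands in for whatever hash a real directory stores.

```python
"""Static banned-list check at password-set time versus continuous re-check
against a growing compromised-credential feed (constructed demo)."""
from __future__ import annotations

import hashlib

# Assumption: a few common character substitutions are collapsed before the
# banned-list comparison, so "P@ssw0rd" is caught as a variant of "password".
_SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s"})


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions so variants match the list."""
    return password.lower().translate(_SUBSTITUTIONS)


def static_check(password: str, banned: frozenset[str]) -> bool:
    """True if a static banned-list check accepts the password.

    The check runs once, when the password is set, and only knows the list it
    was given at that moment (substring match on the normalized form).
    """
    norm = normalize(password)
    return not any(term in norm for term in banned)


def digest(password: str) -> str:
    """Constructed stand-in for the stored credential hash (not AD's NT hash);
    used only so the demo can compare against a hashed breach feed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class Directory:
    """Minimal identity store: static check at set time, hash kept afterwards."""

    def __init__(self, banned_terms):
        self.banned = frozenset(normalize(t) for t in banned_terms)
        self.hashes: dict[str, str] = {}

    def set_password(self, user: str, password: str) -> bool:
        if not static_check(password, self.banned):
            return False
        self.hashes[user] = digest(password)
        return True

    def recheck(self, breach_feed: set[str]) -> list[str]:
        """Continuous check: users whose stored hash appears in the breach feed."""
        return sorted(u for u, h in self.hashes.items() if h in breach_feed)


def run_demo() -> dict:
    # Constructed banned list (global terms plus a company name) and users.
    d = Directory(["password", "welcome", "acmecorp"])
    results: dict = {"rejected_at_set": [], "accepted_at_set": []}
    attempts = {
        "alice": "P@ssw0rd2022!",     # variant of a banned term -> blocked
        "bob": "AcmeC0rp#1",          # company-name variant -> blocked
        "carol": "Tangerine-Sky-77",  # passes the static check
        "dave": "Summer2022!",        # passes the static check
    }
    for user, pw in attempts.items():
        key = "accepted_at_set" if d.set_password(user, pw) else "rejected_at_set"
        results[key].append(user)

    # Day 0: breach feed known at creation time (constructed digests).
    feed = {digest(p) for p in ["123456", "qwerty", "letmein"]}
    results["compromised_day0"] = d.recheck(feed)

    # Later: a new breach dump exposes Dave's password. Nothing changed in the
    # directory, so only a re-check against the updated feed notices it.
    feed |= {digest(p) for p in ["Summer2022!", "Autumn2022!"]}
    results["compromised_after_new_breach"] = d.recheck(feed)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The static check rejects the two obvious variants and accepts the other two; on day 0 the re-check is clean, and only after the feed grows does it flag Dave, whose password was never changed. That is the event a one-time check at creation can never see.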

An All-Access Pass to Your Business Systems

It’s tempting to assume Entra Password Protection is all you need to protect your passwords. The check can be enabled for all Entra ID users, i.e., anyone with an enterprise account. You do not need to configure it (unless you want a custom ban list, of course). It’s simple and convenient, but it leaves a large hole in your security protocols. In their documentation, Microsoft explains that the tool should be enough to defend against most password spraying attacks because “the majority of password spray attacks submit only a small number of the known weakest passwords against each of the accounts in an enterprise.” But the tools in an attacker’s arsenal have evolved beyond this simple tactic. It’s far too easy for a cybercriminal to test many more password possibilities through dictionary, rainbow table, and credential stuffing attacks in addition to password spraying.

Though Microsoft acknowledges that other tools “enumerate millions of passwords that have been compromised in previous publicly known security breaches,” they explain that users shouldn’t bother worrying about it “given the typical strategies used by password spray attackers.” Since they recently found compromised passwords in 44 million Microsoft accounts, it seems like an unwise strategy to just hope that criminals won’t attempt more robust methods of attack.
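For the password spraying this section discusses, the defender's counterpart is recognizing the pattern in sign-in telemetry: one source failing against many distinct accounts while each account sees only one failure, so a per-account lockout threshold never fires. This is an added example, not code from the page or from Microsoft; the log lines and their four-field format are constructed, and the time window and account-count threshold are assumptions to tune for a real environment.

```python
"""Spotting a password-spray pattern in sign-in logs: few passwords, many
accounts, one source (constructed demo)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays one guess across six accounts
# (and gets in as frank); 198.51.100.9 hammers a single account; 192.0.2.44
# is a user mistyping once. Format: timestamp source_ip user result.
SAMPLE_LOG = """\
2022-06-01T09:00:01Z 203.0.113.7 alice@example.com FAILURE
2022-06-01T09:00:02Z 203.0.113.7 bob@example.com FAILURE
2022-06-01T09:00:03Z 203.0.113.7 carol@example.com FAILURE
2022-06-01T09:00:04Z 203.0.113.7 dave@example.com FAILURE
2022-06-01T09:00:05Z 203.0.113.7 erin@example.com FAILURE
2022-06-01T09:00:06Z 203.0.113.7 frank@example.com SUCCESS
2022-06-01T09:00:07Z 198.51.100.9 alice@example.com FAILURE
2022-06-01T09:00:08Z 198.51.100.9 alice@example.com FAILURE
2022-06-01T09:00:09Z 198.51.100.9 alice@example.com FAILURE
2022-06-01T09:00:10Z 198.51.100.9 alice@example.com FAILURE
2022-06-01T09:00:11Z 198.51.100.9 alice@example.com FAILURE
2022-06-01T09:00:12Z 198.51.100.9 alice@example.com FAILURE
2022-06-01T09:30:00Z 192.0.2.44 grace@example.com FAILURE
2022-06-01T09:30:05Z 192.0.2.44 grace@example.com SUCCESS
"""


def parse(log: str):
    """Yield (timestamp, source_ip, user, result) from the constructed format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that failed against >= min_accounts distinct accounts within one
    sliding window. Thresholds are assumptions; tune them to your tenant."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
    flagged: dict[str, list[str]] = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def per_account_failures(events) -> dict[str, int]:
    """What a per-account lockout policy sees: failures counted per user."""
    counts: dict[str, int] = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAILURE":
            counts[user] += 1
    return dict(counts)


def successes_from_spray_sources(events, flagged) -> list[tuple[str, str]]:
    """Highest-priority signal: a successful sign-in from a spraying source."""
    return sorted((ip, user) for _, ip, user, result in events
                  if result == "SUCCESS" and ip in flagged)


def analyze(log: str) -> dict:
    events = list(parse(log))
    flagged = detect_spray(events)
    return {
        "spray_sources": flagged,
        "per_account_failures": per_account_failures(events),
        "successes_from_spray_sources": successes_from_spray_sources(events, flagged),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the per-account view flags only alice (seven failures) and would never trip on bob, carol, dave or erin (one failure each), which is exactly why the spraying source is invisible to a lockout threshold; the per-source view flags 203.0.113.7 and surfaces the successful sign-in as frank that followed the spray.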

Confusing Part of the Solution for the Whole

To follow NIST guidelines, businesses should continuously check and verify their passwords against a dynamic database of credentials that bad actors have compromised in recent breaches. Be proactive with tools like Enzoic for Active Directory, which automatically cross-reference your passwords against data from recent breaches in real time. Combine this dynamic approach with Entra ID’s cloud identity and access management solution to help ensure your passwords are always strong and secure.

A comprehensive cybersecurity strategy takes many factors into account. From employee education and training to multi-factor authentication, businesses need to safeguard their systems with multiple barriers, tools, and best practices to remain a step ahead of cybercriminals. Don’t confuse a single solution for the whole strategy. Anyone who is serious about password security cannot rely on Entra Password Protection as the sole mechanism for bad password detection and blocking.