- Severity: WARNING
- Protection against: SOCIAL
- CIS: M365 1.1.5 - (L1) Ensure that password protection is enabled for Active Directory
- FIX Available: YES
This Customer Check verifies whether password protection is enabled and correctly configured. A custom list of banned passwords is only available for AzureAD P1 and P2 users.
Why this check?
An important measure to ensure that employees choose secure passwords is to block known insecure passwords. Microsoft assists with this through Password Protection. With this feature enabled, every new password is checked at the moment it is set and rejected if it appears on the banned password list.
Microsoft itself has a long list of banned passwords and offers customers with an AzureAD P1 or P2 subscription the option to define their own banned words, such as brand names, product names, or location names.
CIS Benchmarks
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 1.1.5 - (L1) Ensure that password protection is enabled for Active Directory
What are the possible outcomes of the check?
This check has two possible outcomes. In Attic, this is reflected as follows:
- Okay: Password protection is enabled and correctly configured
- Warning: Password protection is not enabled or does not include (all) banned passwords
- Notice: Functionality is not (fully) available
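The mapping from tenant state to the three outcomes above, as an added example (not Attic's own check code). It assumes the input has the Microsoft Graph directorySetting shape for the "Password Rule Settings" template (a `values` list of name/value pairs with string values such as "True"), that the custom banned list is stored as one tab-separated string, and that an on-premises mode of "Audit" only logs rejections. The setting names, the sample payload and the expected brand terms are constructed for the example.

```python
"""Evaluate the Password Protection check against a directory-settings object.
Added example; not Attic's own code."""
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Setting names from the "Password Rule Settings" directory settings template.
# Assumption: input has the Graph directorySetting shape, i.e. a "values" list
# of {"name": ..., "value": ...} entries whose values are strings ("True"/"False").
ENABLE_CHECK = "EnableBannedPasswordCheck"
BANNED_LIST = "BannedPasswordList"
ENABLE_ON_PREM = "EnableBannedPasswordCheckOnPremises"
ON_PREM_MODE = "BannedPasswordCheckOnPremisesMode"

OKAY, WARNING, NOTICE = "Okay", "Warning", "Notice"


@dataclass
class CheckResult:
    outcome: str
    reasons: list = field(default_factory=list)


def settings_to_dict(directory_setting: dict) -> dict:
    """Flatten the values list into a name -> value mapping."""
    return {v["name"]: v["value"] for v in directory_setting.get("values", [])}


def parse_banned_list(raw: str) -> set:
    """Custom banned terms; assumption: stored as one tab-separated string."""
    return {t.strip().lower() for t in raw.split("\t") if t.strip()}


def is_true(value: Optional[str]) -> bool:
    return str(value).strip().lower() == "true"


def evaluate(directory_setting: Optional[dict], expected_terms: Iterable[str],
             has_premium: bool) -> CheckResult:
    """Map the tenant state onto the article's three outcomes.

    Notice  - no Azure AD P1/P2, so the custom list cannot be configured.
    Warning - banned-password check disabled, expected terms missing from the
              custom list, or the on-premises check only auditing.
    Okay    - enabled and every expected term is present.
    """
    if not has_premium:
        return CheckResult(NOTICE, ["custom banned password list requires Azure AD P1/P2"])

    reasons = []
    settings = settings_to_dict(directory_setting) if directory_setting else {}

    if not is_true(settings.get(ENABLE_CHECK)):
        reasons.append("banned password check is not enabled")

    banned = parse_banned_list(settings.get(BANNED_LIST, ""))
    missing = sorted(t.lower() for t in expected_terms if t.lower() not in banned)
    if missing:
        reasons.append("custom list is missing: " + ", ".join(missing))

    # Assumption: "Audit" mode only logs rejected passwords, "Enforce" blocks them.
    if is_true(settings.get(ENABLE_ON_PREM)) and \
            str(settings.get(ON_PREM_MODE, "")).lower() == "audit":
        reasons.append("on-premises check is in audit mode, passwords are not rejected")

    return CheckResult(WARNING, reasons) if reasons else CheckResult(OKAY)


# Constructed sample payload, shaped like a directorySetting response.
SAMPLE_SETTING = {
    "values": [
        {"name": ENABLE_CHECK, "value": "True"},
        {"name": BANNED_LIST, "value": "Contoso\tFabrikam\tSeattle"},
        {"name": ENABLE_ON_PREM, "value": "True"},
        {"name": ON_PREM_MODE, "value": "Enforce"},
    ],
}

if __name__ == "__main__":
    # Brand and location terms the organisation expects on its custom list (constructed).
    print(evaluate(SAMPLE_SETTING, ["Contoso", "Fabrikam", "Redmond"], True))
```

The `reasons` list is what a reviewer acts on: a Warning caused by a missing term is fixed by extending the custom list, while a Warning caused by the check being disabled (or by audit-only mode) needs the feature itself switched on.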
How should this be followed up?
If the output is Warning, we advise enabling this feature. A Fix is available for this check, which we will offer via Attic.