Weak and commonly used passwords remain one of the easiest entry points for attackers, and password spraying works precisely because so many accounts share a handful of predictable choices. Microsoft Entra ID (formerly Azure Active Directory) ships a feature, Password Protection, that checks every new password against a global banned password list and, optionally, a custom list tailored to your organization.
This guide walks you through configuring and enforcing a banned password policy step by step, for cloud accounts first and then, optionally, for on-premises Active Directory.
🔐 What Is a Banned Password List?
A banned password list is a control evaluated at the moment a password is set, changed or reset. It rejects passwords built from weak or predictable material such as:
- “Password123”
- Company names (e.g., “Contoso2024”)
- Common patterns like “Welcome@123”
Entra ID applies a Microsoft-maintained global banned password list to every tenant, including free ones; you cannot view or edit it. On top of that you can define a custom banned password list of terms specific to your organization. Neither list re-checks passwords that already exist: a user with a weak password today keeps it until the next change.
🚀 Prerequisites
Before you begin, ensure:
- Your tenant has Microsoft Entra ID P1 or P2 licenses; the global list is free, but the custom list and on-premises enforcement require P1/P2
- Your account holds the Authentication Policy Administrator role (sufficient, and preferable to Global Administrator for least privilege)
- For the optional on-premises step: a domain-joined member server for the proxy service, local admin rights on every domain controller, and Enterprise Admin rights for the one-time forest registration
🧭 Step 1: Navigate to Password Protection
- Sign in to the Microsoft Entra admin center (entra.microsoft.com) or the Azure portal
- In the Entra admin center go to Protection > Authentication methods > Password protection
- In the Azure portal the same blade is under Microsoft Entra ID > Security > Authentication methods > Password protection
⚙️ Step 2: Configure Password Protection Settings
Inside the Password protection blade, the Custom banned passwords section has two settings:
1. Enforce custom list
Set this to Yes to activate your custom banned passwords. It takes effect for cloud accounts as soon as you save, at the next password change or reset.
2. Custom banned password list
Add one term per line, up to 1,000 terms of 4 to 16 characters each. Matching is case-insensitive and works on substrings, so a single term such as contoso also catches Contoso2024 and C0ntos0!. For example:
contoso
fabrikam
redmond
seahawks
💡 Tip: Spend the entries on terms specific to your organization: company, brand and product names, office locations, local sports teams, internal jargon. Generic weak passwords such as password, welcome or admin123 are already on the global list, so adding them gains nothing.
How a candidate password is judged: Entra ID first normalizes it (lowercase; 0 becomes o, 1 becomes l, $ becomes s, @ becomes a), then looks for banned terms and the tenant name as substrings (plus the user's first and last name for cloud accounts, and close misspellings of banned terms), then scores it: one point for each banned term found and one point for each remaining character. A score below 5 is rejected. So C0ntos0Blank12 normalizes to contosoblank12 and scores [contoso] + [blank] + two leftover characters = 4 points, rejected (blank is a global-list term), while ContoS0Bl@nkf9! scores [contoso] + [blank] + three leftover characters = 5 and is accepted.
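To see the scoring rule in action before committing a list, here is an added PowerShell helper that implements the documented normalization and substring scoring. It is not Microsoft's code and not part of the original guide. It deliberately omits the edit-distance fuzzy match and the first/last-name check, and because Microsoft does not publish the global list, the one it uses is a small constructed stand-in (password, blank, welcome, admin, qwerty); the tenant name and custom terms are placeholders.

```powershell
# Added example: approximates Entra Password Protection scoring so you can
# sanity-check candidate terms and test passwords offline.
function Test-EntraPasswordScore {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$CustomBannedList = @(),
        # Constructed stand-in: the real global list is not published.
        [string[]]$GlobalBannedList = @('password', 'blank', 'welcome', 'admin', 'qwerty'),
        [string]$TenantName = 'contoso'   # placeholder; the tenant name is always banned as a substring
    )

    # Step 1: normalization - lowercase plus the documented substitutions.
    $normalized = $Password.ToLowerInvariant()
    foreach ($pair in @(@('0', 'o'), @('1', 'l'), @('$', 's'), @('@', 'a'))) {
        $normalized = $normalized.Replace($pair[0], $pair[1])
    }

    # Step 2: substring matching, longest term first so 'contoso' is not eaten by a shorter term.
    $terms = @($GlobalBannedList + $CustomBannedList + $TenantName) |
        Where-Object { $_ } |
        ForEach-Object { $_.ToLowerInvariant() } |
        Sort-Object -Unique |
        Sort-Object { $_.Length } -Descending
    $covered = New-Object bool[] $normalized.Length
    $found = @()
    foreach ($term in $terms) {
        $idx = $normalized.IndexOf($term)
        while ($idx -ge 0) {
            $span = $idx..($idx + $term.Length - 1)
            # Count a match only if none of its characters were already claimed by another term.
            if (-not ($span | Where-Object { $covered[$_] })) {
                $span | ForEach-Object { $covered[$_] = $true }
                $found += $term
            }
            $idx = $normalized.IndexOf($term, $idx + 1)
        }
    }

    # Step 3: one point per banned term, one per leftover character; below 5 is rejected.
    $leftover = @($covered | Where-Object { -not $_ }).Count
    $score = $found.Count + $leftover
    [pscustomobject]@{
        Password   = $Password
        Normalized = $normalized
        Matched    = ($found -join ',')
        Score      = $score
        Accepted   = ($score -ge 5)
    }
}

# Microsoft's documented pair, plus two variants of the guide's own test password.
$custom = @('contoso', 'fabrikam', 'companyname')
'C0ntos0Blank12', 'ContoS0Bl@nkf9!', 'CompanyName123', 'CompanyName@123' |
    ForEach-Object { Test-EntraPasswordScore -Password $_ -CustomBannedList $custom } |
    Format-Table Password, Normalized, Matched, Score, Accepted -AutoSize
```

Under these rules CompanyName123 scores 4 and is rejected, but CompanyName@123 scores 5 and is accepted, because the @ and the 1 survive normalization as ordinary characters and each earns a point. That is why a test password for Step 6 should be chosen with the scoring rule in mind rather than by gut feel.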
🔁 Step 3: Configure Password Policy Mode
The Mode setting sits under Password protection for Windows Server Active Directory and applies only to on-premises domain controllers running the DC agent (Step 5). There are two modes:
- Audit
 - Passwords that would fail are still accepted by the domain controller
 - Each would-be rejection is logged by the DC agent, so you can measure impact
- Enforced
 - Passwords matching the global or custom list are rejected at the domain controller
👉 Start in Audit mode, review the DC agent reports for a few weeks, then switch to Enforced. There is no audit mode for cloud accounts: once Enforce custom list is Yes, Entra ID rejects matching passwords immediately.
📏 Step 4: Set Smart Lockout Settings
The same blade also holds Custom smart lockout, which throttles password guessing against cloud accounts:
- Lockout threshold: failed sign-in attempts before the first lockout (default 10)
- Lockout duration in seconds: length of the first lockout (default and minimum 60); repeated lockouts of the same account get progressively longer
Smart lockout tracks attempts per user, counts the same wrong password only once, and treats sign-ins from familiar locations separately from unfamiliar ones, so an attacker spraying from elsewhere is locked out without locking out the legitimate user.
Hybrid caveat: with pass-through authentication, keep the Entra lockout threshold lower than the on-premises AD account lockout threshold and the Entra lockout duration longer than the AD reset-counter window, so that failed cloud sign-ins are stopped in Entra ID before they can lock the on-premises account.
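The portal settings from Steps 2 to 4 can also be applied from PowerShell, which makes the policy reviewable and repeatable across tenants. The following is an added example, not code from the original guide or from Microsoft; it assumes the Microsoft Graph beta PowerShell module and the "Password Rule Settings" directory setting template with the value names shown, and the terms and mode are placeholders for a fictitious Contoso tenant.

```powershell
# Added example: configure custom banned list, on-prem mode and smart lockout via Microsoft Graph.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'

# Organization-specific terms only (4-16 characters each, max 1000); the global
# list already covers generic junk such as password, welcome and admin.
$customTerms = @('contoso', 'fabrikam', 'tailspin', 'redmond', 'seahawks')

# Value names assumed from the "Password Rule Settings" template.
$desired = @{
    'EnableBannedPasswordCheck'           = 'True'                    # Enforce custom list (cloud)
    'BannedPasswordList'                  = ($customTerms -join "`t") # tab-separated terms
    'EnableBannedPasswordCheckOnPremises' = 'True'                    # extend to on-prem AD DS
    'BannedPasswordCheckOnPremisesMode'   = 'Audit'                   # 'Audit' first, 'Enforce' later
    'LockoutThreshold'                    = '10'                      # smart lockout attempts
    'LockoutDurationInSeconds'            = '60'                      # first lockout length
}

$template = Get-MgBetaDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq 'Password Rule Settings' }
$values = @($desired.GetEnumerator() | ForEach-Object { @{ Name = $_.Key; Value = $_.Value } })

# A tenant holds at most one setting object per template: update it if present, else create it.
$existing = Get-MgBetaDirectorySetting | Where-Object { $_.TemplateId -eq $template.Id }
if ($existing) {
    Update-MgBetaDirectorySetting -DirectorySettingId $existing.Id -Values $values
} else {
    New-MgBetaDirectorySetting -TemplateId $template.Id -Values $values
}

# Read back what the tenant actually stores rather than trusting the write.
(Get-MgBetaDirectorySetting | Where-Object { $_.TemplateId -eq $template.Id }).Values |
    Format-Table Name, Value -AutoSize
```

Keep the term list in source control and rerun the script after a rebrand, product launch or office move; the read-back at the end is the check that the write landed.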
🖥️ Step 5: (Optional) Extend to On-Premises Active Directory
If you have hybrid identity, the same policy can be enforced on Active Directory Domain Services password changes:
- Install the Microsoft Entra Password Protection proxy service on a domain-joined member server with outbound HTTPS to Azure (deploy at least two for redundancy); it is the only component that talks to the internet
- Register the proxy and the forest with the Register-AzureADPasswordProtectionProxy and Register-AzureADPasswordProtectionForest cmdlets from the AzureADPasswordProtection PowerShell module
- Install the DC agent on every domain controller; it is a password filter DLL, so each DC must be rebooted
- Set the on-premises Mode (Step 3) to Audit first, then Enforced
The DC agent fetches the policy through the proxy and caches it in sysvol, so domain controllers need no internet access and keep enforcing the last known policy if the proxy is down.
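The registration and health checks, as an added example that is not part of the original guide. The UPN is a placeholder; the cmdlets come from the AzureADPasswordProtection module installed with the proxy and DC agent packages.

```powershell
# Added example: register the proxy and forest, then verify the deployment end to end.
Import-Module AzureADPasswordProtection

# Run on the proxy server after AzureADPasswordProtectionProxySetup.exe.
# Proxy registration needs a Global Administrator in Entra ID; forest registration
# additionally needs Enterprise Admin rights on-premises. Both are one-time steps.
Register-AzureADPasswordProtectionProxy  -AccountUpn 'ga-admin@contoso.onmicrosoft.com'
Register-AzureADPasswordProtectionForest -AccountUpn 'ga-admin@contoso.onmicrosoft.com'
Test-AzureADPasswordProtectionProxyHealth -TestAll

# Run on each domain controller after AzureADPasswordProtectionDCAgentSetup.msi and a reboot.
Test-AzureADPasswordProtectionDCAgentHealth -TestAll

# From any machine with the module: every DC should appear with a current software
# version and recent PasswordPolicyDateUTC/HeartbeatUTC values. A DC missing from
# this list, or with a stale policy date, is silently not enforcing anything.
Get-AzureADPasswordProtectionDCAgent | Format-Table -AutoSize
Get-AzureADPasswordProtectionProxy   | Format-Table -AutoSize
```

Registration uses an interactive sign-in; on a server without a browser add -AuthenticateUsingDeviceCode to both Register cmdlets.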
🧪 Step 6: Test Your Policy
As a cloud-only test user, change the password at myaccount.microsoft.com to something like:
CompanyName123
Pick a value that scores below 5 under the rule in Step 2: with companyname on the list this one normalizes to companynamel23 and scores 4, whereas CompanyName@123 scores 5 and would be accepted. If configured correctly:
- Cloud account, Enforce custom list = Yes → rejected with the message "Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password."
- On-premises, Audit mode → the change succeeds, and the DC agent logs that it would have been rejected
- On-premises, Enforced mode → Windows reports that the password does not meet the domain's password policy requirements, the same generic message a length or complexity failure produces
📊 Step 7: Monitor and Review Logs
Cloud accounts:
- Entra ID Audit logs: failed "Change user password" and "Reset user password" activities show passwords rejected by the banned list, with the reason in the result details
- Sign-in logs: error code 50053 marks sign-ins blocked by smart lockout, which is the signal to look for password spraying
On-premises:
- Each DC agent writes to Applications and Services Logs > Microsoft > AzureADPasswordProtection > DCAgent > Admin, with distinct event IDs for accepted, rejected and audit-only outcomes
- Get-AzureADPasswordProtectionSummaryReport aggregates those counts per domain controller, domain or forest, which is the number to watch before switching from Audit to Enforced
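A review script for both sides, as an added example that is not part of the original guide. The event channel name is assumed to correspond to the DC agent Admin log above, the audit-log activity names are assumed to be the ones Entra ID displays for password change and reset, and the time windows are choices rather than defaults.

```powershell
# Added example: summarize on-prem and cloud banned-password outcomes for a review meeting.
Import-Module AzureADPasswordProtection

# On-premises, per DC: validated vs rejected vs audit-only ("would have been rejected").
# A large AuditOnly count before flipping to Enforced means user-visible breakage is coming.
Get-AzureADPasswordProtectionSummaryReport -Forest | Format-Table -AutoSize

# Individual DC agent events from the last day, grouped by event ID so the
# audit-only and rejected IDs stand out; run on a domain controller.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'   # assumed channel name
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'EventId'; e = { $_.Name } },
        @{ n = 'Sample'; e = { $_.Group[0].Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# Cloud accounts: failed password change/reset activities from the Entra audit log.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$cloudSince = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $cloudSince" -All |
    Where-Object {
        $_.ActivityDisplayName -in @('Change user password', 'Reset user password') -and
        $_.Result -eq 'failure'
    } |
    Select-Object ActivityDateTime, ActivityDisplayName, ResultReason,
        @{ n = 'User'; e = { $_.TargetResources[0].UserPrincipalName } } |
    Format-Table -AutoSize
```

A single user failing repeatedly is a help-desk conversation about the custom list; many users failing on the same term is a sign the term is doing its job.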
🛡️ Best Practices
- Combine banned password lists with Multi-Factor Authentication (MFA); the list stops guessable passwords, MFA stops stolen ones
- Review the custom list after every rebrand, product launch or office move; a list written once goes stale
- Keep the list to organization-specific terms so users are not rejected for passwords that are actually strong
- Move to passwordless authentication (FIDO2 security keys, Windows Hello for Business, passkeys) where possible, which removes the password as an attack surface altogether
💡 Why This Matters
Weak passwords are still one of the top causes of breaches. By enabling banned password protection in Entra ID:
- You blunt password spraying, which relies on exactly the predictable passwords the lists reject
- You enforce stronger password hygiene without a complexity policy users work around
- You get the same control on-premises, closing the gap where hybrid users change passwords at a domain controller
Credential stuffing, where attackers replay real passwords leaked elsewhere, is not stopped by a banned list; that is what MFA and passwordless are for.
🧾 Conclusion
Setting up a custom banned password list in Microsoft Entra ID is a small amount of work for a measurable reduction in guessable passwords. Enforce it for cloud accounts, run the on-premises agents in Audit mode until the reports are quiet, then switch to Enforced, and keep the list in step with your organization.