v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/azure_compliance
Overview
13Dashboards
1311Controls
430Queries
2Variables
GitHub

Control: 2.8 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization

Description

Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Microsoft Entra ID Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy.

Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Entra ID.
  3. Under Manage, select Security.
  4. Under Manage, select Authentication methods.
  5. Under Manage, select Password protection.
  6. Set the Enforce custom list option to Yes.
  7. Click in the Custom banned password list text box to add a string.
  8. Click Save.

Default Value

By default the custom bad password list is not 'Enabled'. Organizational-specific terms can be added to the custom banned password list, such as the following examples:

  • Brand names
  • Product names
  • Locations, such as company headquarters
  • Company-specific internal terms
  • Abbreviations that have specific company meaning
  • Months and weekdays with your company's local languages

The default Azure bad password policy is already applied to your resources which applies the following basic requirements:

Characters allowed:

  • Uppercase characters (A - Z)
  • Lowercase characters (a - z)
  • Numbers (0 - 9)
  • Symbols:
  • @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ; < >
  • blank space

Characters not allowed:

  • Unicode characters
  • Password length Passwords require
  • A minimum of eight characters
  • A maximum of 256 characters

Password complexity: Passwords require three out of four of the following categories:

  • Uppercase characters
  • Lowercase characters
  • Numbers
  • Symbols Note: Password complexity check isn't required for Education tenants.

Password not recently used:

  • When a user changes or resets their password, the new password can't be the same as the current or recently used passwords.
  • Password isn't banned by Entra ID Password Protection.
  • The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v300_2_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v300_2_8 --share

SQL

This control uses a named query:

ad_manual_control

Tags

category = Compliance
cis = true
cis_item_id = 2.8
cis_level = 1
cis_section_id = 2
cis_type = manual
cis_version = v3.0.0
plugin = azure
service = Azure/ActiveDirectory