Loading controls...
Control: 1.1.5 Ensure that password protection is enabled for Active Directory
Description
Enable Azure Active Directory Password Protection to Active Directory to protect against the use of common passwords.
Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.
Remediation
To setup Azure Active Directory Password Protection, use the following steps:
- Download and install the
Azure AD Password ProxiesandDC Agentsfrom the following location: https://www.microsoft.com/download/details.aspx?id=57071. - After the installation is complete, login to
https://admin.microsoft.comas aGlobal Administrator. - Go to
Admin centersand click onAzure Active Directory. - Select
Azure Active DirectorythenSecurityon the left side navigation followed byAuthentication methods. - Select
Password protectionand toggleEnable password protection on Windows Server Active DirectorytoYesandModetoEnforced. - Click
Saveat the top of the right pane.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v140_1_1_5Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v140_1_1_5 --shareSQL
This control uses a named query:
azuread_password_protection_enabled