turbot/microsoft365_compliance

Control: 1.1.5 Ensure that password protection is enabled for Active Directory

Description

Enable Azure Active Directory Password Protection to Active Directory to protect against the use of common passwords.

Note: This recommendation applies to Hybrid deployments only, and will have no impact unless working with on-premises Active Directory.

Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.

Remediation

To setup Azure Active Directory Password Protection, use the following steps:

  1. Download and install the Azure AD Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071.
  2. After the installation is complete, login to https://admin.microsoft.com as a Global Administrator.
  3. Go to Admin centers and click on Azure Active Directory.
  4. Select Azure Active Directory then Security on the left side navigation followed by Authentication methods.
  5. Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced.
  6. Click Save at the top of the right pane.

Default Value: Enabled / Enforced.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v150_1_1_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_5 --share

SQL

This control uses a named query:

azuread_password_protection_enabled

Tags