Control: 1.1.5 Ensure that password protection is enabled for Active Directory
Description
Enable Azure Active Directory Password Protection for on-premises Active Directory to protect against the use of common passwords.
Note: This recommendation applies to Hybrid deployments only, and will have no impact unless working with on-premises Active Directory.
Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.
Remediation
To set up Azure Active Directory Password Protection, use the following steps:
- Download and install the Azure AD Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071.
- After the installation is complete, log in to https://admin.microsoft.com as a Global Administrator.
- Go to Admin centers and click on Azure Active Directory.
- Select Azure Active Directory, then Security on the left side navigation, followed by Authentication methods.
- Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced.
- Click Save at the top of the right pane.
Default Value: Enabled / Enforced.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_5 --share
SQL
This control uses a named query:
azuread_password_protection_enabled