turbot/steampipe-mod-azure-compliance

Control: Ensure that a 'Custom banned password list' is set to 'Enforce'

Description

Microsoft Azure applies a default global banned password list to all user and admin accounts that are created and managed directly in Microsoft Entra ID. The Microsoft Entra password policy does not apply to user accounts that are synchronized from an on-premises Active Directory environment, unless Microsoft Entra Connect is used and EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled. This control reads the EnableBannedPasswordCheck directory setting of each tenant and reports an alarm when it is not true.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.ad_custom_banned_password_enforced

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.ad_custom_banned_password_enforced --share

SQL

This control uses a named query:

-- One row per tenant; azure_tenant is listed once per subscription, so de-duplicate.
with distinct_tenant as (
  select distinct
    tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  s.id as resource,
  -- The setting value is stored as text; cast it to boolean for the check.
  case
    when (s.value)::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when (s.value)::bool then t.display_name || ' custom banned password list is enforced.'
    else t.display_name || ' custom banned password list is not enforced.'
  end as reason,
  t.tenant_id
from
  distinct_tenant as t,
  azuread_directory_setting as s
where
  -- Only the banned-password-check setting is of interest here.
  s.name = 'EnableBannedPasswordCheck';
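Because the named query above inner-joins the tenant list to the directory setting and filters on name, a tenant in which the EnableBannedPasswordCheck setting has never been created produces no row at all, so the control neither passes nor fails it. The following query is an added example, not the mod's own control query; it assumes azuread_directory_setting exposes a tenant_id column to join on, and reports such tenants as 'alarm' with a distinct reason instead of dropping them.

```sql
-- Added example (not part of steampipe-mod-azure-compliance).
-- Assumption: azuread_directory_setting has a tenant_id column.
with distinct_tenant as (
  select distinct
    tenant_id,
    display_name
  from
    azure_tenant
),
banned_password_setting as (
  select
    tenant_id,
    id,
    (value)::bool as enforced
  from
    azuread_directory_setting
  where
    name = 'EnableBannedPasswordCheck'
)
select
  -- Fall back to the tenant id as the resource when no setting object exists.
  coalesce(s.id, t.tenant_id) as resource,
  case
    when s.enforced then 'ok'
    else 'alarm'   -- covers both false and null (setting absent)
  end as status,
  case
    when s.enforced then
      t.display_name || ' custom banned password list is enforced.'
    when s.tenant_id is null then
      t.display_name || ' has no EnableBannedPasswordCheck setting; custom banned password list was never configured.'
    else
      t.display_name || ' custom banned password list is not enforced.'
  end as reason,
  t.tenant_id
from
  distinct_tenant as t
  left join banned_password_setting as s on s.tenant_id = t.tenant_id;
```

The left join keeps every tenant; a null `enforced` falls through to the `else` branch of the status expression, so a missing setting is surfaced rather than silently skipped.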

Tags