Azure AD Password Protection & Smart Lockout Now in Public Preview
Azure AD Password Protection helps eliminate easily guessed passwords from the environment, which can dramatically lower the risk of being compromised by attackers. It prevents users from setting their passwords to common, weak, and risky passwords, and it prevents bad actors from trying to brute-force those accounts.
Many attackers know how users create passwords, and more often than not, businesses do not have a security policy in place around user-created passwords. Therefore, Azure AD Password Protection would be beneficial for any business that wants to improve its network security and prevent data loss through user identity compromise.
How Azure AD Password Protection works:
Azure AD Password Protection:
Most users believe it’s acceptable to create a complex password of symbols, letters, and numbers, which is supposed to be more difficult for hackers to uncover. That’s not necessarily true: today, we know attackers can build password guesses designed specifically to defeat the complexity rules of most common “password policies.” Azure AD Password Protection addresses this for both in-the-cloud and on-premises environments, wherever users change their passwords, with unprecedented configurability through an easy-to-use Admin Console. It is powered by Azure AD, which regularly updates from a global database of banned passwords by learning from billions of authentications and analysis of leaked credentials across the web. Users will be more secure because the protection they rely on is backed by machine learning and AI from Microsoft to ensure the defenses are ready for the latest threats.
Azure AD Smart Lockout:
Previously, when an account came under a remote brute-force attack, the admin policy would lock out those credentials. Now we can selectively exclude the attacker's or bad actor's login attempts by location instead of applying blanket enforcement across all login locations. This allows the employee to keep using their login at a trusted location, such as the office, while the attacker is locked out from a country where the business has no locations.
Also, if an incorrect password is entered too many times, those credentials lose the ability to log in, which decreases the number of times an attacker can try to access user accounts. The security intelligence in Smart Lockout can recognize sign-ins coming from valid users and treat them differently from those of attackers or other unknown sources. Smart Lockout can lock out the attackers while letting users continue to access their accounts and be productive.
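A simplified model of the location-aware lockout described above, as an added example that is not Microsoft's implementation or code from the original post: it keeps separate failed-sign-in counters for familiar and unfamiliar locations, so a lockout triggered from an unknown location does not block the user at a trusted one. The class and method names, the threshold of 3, the 60-second lockout, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict


class SmartLockoutModel:
    """Toy model: one failure counter per (account, familiar-or-not) pair."""

    def __init__(self, threshold=3, lockout_seconds=60):
        self.threshold = threshold              # assumed value, configurable
        self.lockout_seconds = lockout_seconds  # assumed value, configurable
        self.failures = defaultdict(int)        # (user, familiar) -> failed attempts
        self.locked_until = {}                  # (user, familiar) -> unlock time
        self.familiar = defaultdict(set)        # user -> trusted locations

    def mark_familiar(self, user, location):
        """Record a location as trusted for this user (seeded by hand here)."""
        self.familiar[user].add(location)

    def sign_in(self, user, location, password_ok, now):
        key = (user, location in self.familiar[user])
        # The lock is checked before the password, so a correct guess made
        # during the lockout window is still rejected.
        if self.locked_until.get(key, 0) > now:
            return "locked"
        if password_ok:
            self.failures[key] = 0
            return "success"
        self.failures[key] += 1
        if self.failures[key] >= self.threshold:
            self.locked_until[key] = now + self.lockout_seconds
            self.failures[key] = 0
        return "failed"


def simulate():
    """Replay constructed events: (time, user, location, password_ok)."""
    model = SmartLockoutModel(threshold=3, lockout_seconds=60)
    model.mark_familiar("alice", "office-US")
    events = [
        (0, "alice", "unknown-XX", False),
        (1, "alice", "unknown-XX", False),
        (2, "alice", "unknown-XX", False),   # third failure starts the lockout
        (3, "alice", "unknown-XX", True),    # blocked even with the right password
        (4, "alice", "office-US", True),     # trusted location is unaffected
        (70, "alice", "unknown-XX", False),  # lockout window has expired
    ]
    return [model.sign_in(u, loc, ok, t) for t, u, loc, ok in events]


if __name__ == "__main__":
    print(simulate())
```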
Managing Azure AD Smart Lockout:
One important step towards securing identities is to ensure that IT can manage accounts from a single location, regardless of where the account was created. Azure AD offers a new feature that lets you control Azure AD Password Protection for both Azure AD and on-premises Windows Server Active Directory from a unified control panel in the Azure AD portal. Organizations that fail to integrate their on-premises identity with their cloud identity experience increased administrative overhead in managing accounts, which increases the likelihood of mistakes and security breaches.
Based on organizational requirements, Smart Lockout values may need to be customized. Customization of the Smart Lockout settings, with values specific to an organization, requires Azure AD Basic or higher licenses for users.
Combining Azure AD Password Protection and Smart Lockout with the security in place within any organization will strengthen its security posture. Yet, the deployment of these new capabilities will be up to the Admin for that environment because the deployment process is customizable. Interlink can help!
Contact Interlink, and we’ll connect you with one of our experts to discuss how these new Microsoft Azure security solutions can benefit your organization’s security needs.