Friday, February 23, 2018

Evaluating Azure Active Directory Password Policies

If your company is born in the cloud and you are using Azure, you will have an Azure Active Directory (AAD) tenant created for you.  This lets you create cloud-only user accounts to which you can then assign permissions in Azure (or in the many third-party services that AAD integrates with).

As part of your security policy, you should have a comprehensive password policy that is based on industry best practices.  NIST has recently released updated guidance, the Digital Identity Guidelines (SP 800-63B, section 5.1.1.2 covers memorized secrets), that replaces password advice that had been in effect for ages.

So the questions here become: what is the current default password policy for AAD, how does it compare to the new guidance, and what customization options do you have?

To answer the first question, Microsoft has provided a comprehensive guide to the password policy in use for cloud-only accounts.  You can find that documentation here.  (Accounts synchronised from an on-premises Active Directory follow the on-premises password policy instead, so the rules below apply only to accounts that exist solely in the cloud.)  The third question is also easy to answer.  Based on the documentation, the only settings you can change are the password expiry duration and the password expiry notification period.

So, how does the policy compare to the new NIST guidance?

Characters Allowed

According to the documentation, Azure allows the usual ASCII letters, digits and symbols, but rejects Unicode characters and spaces.  This goes against the current NIST guidance, which states:

- All printing ASCII characters as well as the space character should be allowed
- Unicode characters should be allowed

Password Length

According to the documentation, Azure allows a minimum of 8 characters and a maximum of 16 characters.  NIST agrees on the 8-character minimum, but states that verifiers should permit user-chosen passwords of at least 64 characters, so a 16-character cap rules out the long passphrases the guidance is designed to encourage.

Password Restrictions

According to the documentation, Azure requires characters from at least 3 of the 4 listed character classes (lowercase, uppercase, digits, symbols) for a password to be accepted.  The new NIST guidance states that verifiers SHOULD NOT impose composition rules such as requiring mixtures of character types; in their place it expects the verifier to compare new passwords against a blocklist of commonly used and previously compromised values.
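The three comparisons above (allowed characters, length, composition) side by side, as an added example that is not part of the original post and not Microsoft's code: a PowerShell checker that applies the documented cloud-only AAD rules and the corresponding SP 800-63B rules to a few constructed sample passwords.  Test-AadPassword, Test-NistPassword, the sample passwords and the tiny blocklist are assumptions of this example; the checker treats any printable ASCII symbol as allowed, which is also an assumption, since the documentation lists the exact symbol set and this code does not reproduce it.

```powershell
# Added example, not from the original post or from Microsoft.
# Azure rules below are this post's reading of the cloud-only documentation;
# the "any printable ASCII symbol is allowed" simplification is an assumption.

function Test-AadPassword {
    param([Parameter(Mandatory)][string]$Password)
    $problems = New-Object System.Collections.Generic.List[string]

    # Length: documented minimum 8, maximum 16 for cloud-only accounts.
    if ($Password.Length -lt 8)  { $problems.Add('shorter than 8 characters') }
    if ($Password.Length -gt 16) { $problems.Add('longer than 16 characters') }

    # Characters: no spaces, no Unicode or control characters (assumed symbol set).
    foreach ($c in $Password.ToCharArray()) {
        if ($c -eq ' ') { $problems.Add('contains a space'); break }
        if ([int]$c -lt 33 -or [int]$c -gt 126) {
            $problems.Add('contains a non-ASCII or control character'); break
        }
    }

    # Composition: at least 3 of 4 classes (lowercase, uppercase, digit, symbol).
    $classes = 0
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $problems.Add("only $classes of 4 character classes") }

    [pscustomobject]@{
        Password = $Password
        Accepted = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function Test-NistPassword {
    param([Parameter(Mandatory)][string]$Password)
    # SP 800-63B 5.1.1.2: minimum 8 characters, at least 64 must be permitted
    # (no ceiling is enforced here), printing ASCII, space and Unicode all
    # accepted, no composition rules. The required blocklist comparison is
    # represented by a tiny constructed list; a real one would be much larger.
    $blocklist = @('Password1!', 'Welcome123', 'P@ssw0rd')
    $problems = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt 8)          { $problems.Add('shorter than 8 characters') }
    if ($blocklist -contains $Password)  { $problems.Add('on the compromised/common password blocklist') }

    [pscustomobject]@{
        Password = $Password
        Accepted = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample passwords chosen to exercise each difference.
$samples = @(
    'Tr0ub4dor&3',                   # composition-rule style, passes both
    'correct horse battery staple',  # 28-char passphrase with spaces: NIST yes, Azure no
    'Glühwein-Winter-2018',          # Unicode and over 16 chars: NIST yes, Azure no
    'Password1!'                     # meets every Azure rule, but blocklisted under NIST
)

foreach ($p in $samples) {
    $a = Test-AadPassword  -Password $p
    $n = Test-NistPassword -Password $p
    '{0,-30} Azure={1,-5} [{2}]  NIST={3,-5} [{4}]' -f $p, $a.Accepted, $a.Problems, $n.Accepted, $n.Problems
}
```

Run the script in any PowerShell session; it needs no module or tenant.  The point of the last two samples is the one the sections above make: the AAD rules accept 'Password1!' and reject a 28-character passphrase, while the NIST rules do the opposite.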

Password Expiry

According to the documentation, Azure has built-in mechanisms to expire passwords after a set period and to notify end users ahead of the expiry.  As per the new NIST guidance, verifiers should not force users to change their passwords periodically, but they must force a change when there is evidence that a password has been compromised.  In AAD the expiry period and the notification lead time are configured at the domain level with the Set-MsolPasswordPolicy cmdlet (MSOnline module), and expiry can be switched off for individual accounts with Set-MsolUser -PasswordNeverExpires.
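The expiry settings in practice, as an added example that is not part of the original post or of Microsoft's documentation: the MSOnline cmdlets to read and change the domain-level policy, disable expiry for one account, list the accounts that already have expiry disabled, and force a reset on a suspected compromise.  It assumes the MSOnline module is installed (Install-Module MSOnline) and an interactive Connect-MsolService sign-in; contoso.onmicrosoft.com and the user names are placeholders, and the 730-day ValidityPeriod cap is quoted from memory of the cmdlet documentation, so check the current docs before relying on it.

```powershell
# Added example, not from the original post. Requires the MSOnline module
# and a Global Administrator sign-in. Domain and user names are placeholders.
Connect-MsolService

$domain = 'contoso.onmicrosoft.com'   # placeholder tenant domain

# Read the current domain-level policy. ValidityPeriod is the number of days
# before a password expires; NotificationDays is how many days before expiry
# the user is warned (documented defaults at the time: 90 and 14).
Get-MsolPasswordPolicy -DomainName $domain

# Lengthen both. The service caps ValidityPeriod (assumed: 730 days); the
# MSOL cmdlets cannot turn expiry off for a whole domain.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 730 -NotificationDays 30

# Expiry can be disabled per user, which is the closest AAD gets to the
# NIST position of no arbitrary periodic change.
Set-MsolUser -UserPrincipalName 'alice@contoso.onmicrosoft.com' -PasswordNeverExpires $true

# Audit: which accounts already never expire, and when they last changed?
# Keep this list, because dropping rotation does not drop the NIST
# requirement to force a change on evidence of compromise.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp

# Evidence of compromise for one account: set a temporary password and
# require a change at next sign-in.
Set-MsolUserPassword -UserPrincipalName 'alice@contoso.onmicrosoft.com' -ForceChangePassword $true
```

Set-MsolUserPassword without -NewPassword generates a temporary password and returns it; hand it to the user out of band.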

In conclusion, it is interesting to see the difference between the current Azure password policies and the new NIST guidance.  If memory serves me correctly, the new NIST guidance is still in draft, but it provides a preview of some of the changes AAD will hopefully make in the future.  When using AAD for your business, you have limited options for customizing the policy that is enforced.  (Please note that this does not hold true for Azure AD B2C, which has its own configurable password rules.)