Implement Authentication and Access Management · 25-30% of exam

L8. Password Protection: Banned Lists, Smart Lockout and SSPR


Configure password security for the SC-300: set up custom banned password lists, understand smart lockout thresholds, configure self-service password reset (SSPR), enable password writeback, and manage password policies across cloud and hybrid environments.

Entra ID Password Protection

Password protection prevents users from choosing weak or commonly breached passwords. It operates on two levels:

Global Banned Password List

Microsoft maintains a global list of known weak passwords (updated continuously using telemetry from billions of sign-ins). This list is always active and cannot be disabled. It uses fuzzy matching, so variants like "P@ssw0rd!" are also caught.

Custom Banned Password List

You can add up to 1,000 organization-specific terms (e.g., company name, product names, office locations). Each term must be between 4 and 16 characters. Fuzzy matching applies to custom terms as well.

Navigate to: Entra admin center > Protection > Authentication methods > Password protection

Exam tip: The custom banned password list supports up to 1,000 terms. Fuzzy matching means adding "contoso" also blocks "c0nt0s0", "Contoso1", and similar variants.
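To make the global and custom list behaviour concrete, here is an added example (not Microsoft's code and not taken from this lesson) that models the two checks described above: the 4-16 character and 1,000-term limits on the custom list, the normalization step that makes "P@ssw0rd!" compare as "password!", and substring matching of banned terms. The global list is stood in for by a constructed three-word set, and the five-point scoring rule is a simplified model of the published algorithm (the edit-distance component of fuzzy matching is deliberately left out); treat both as assumptions for illustration.

```python
"""Simplified model of Entra ID password protection checks (added example)."""

# Substitutions the normalization step undoes. Constructed subset for illustration;
# the real service maps a documented set of look-alike characters.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Stand-in for the always-on global banned list (constructed sample, not the real list).
GLOBAL_BANNED = {"password", "qwerty", "letmein"}

MAX_CUSTOM_TERMS = 1000          # limit stated in the lesson
MIN_TERM_LEN, MAX_TERM_LEN = 4, 16  # per-term length limits stated in the lesson


def validate_custom_list(terms):
    """Apply the custom-list limits: each term 4-16 characters, at most 1,000 terms.
    Returns (accepted_terms, rejected_terms); accepted terms are lower-cased."""
    accepted, rejected = [], []
    for term in terms:
        if MIN_TERM_LEN <= len(term) <= MAX_TERM_LEN:
            accepted.append(term.lower())
        else:
            rejected.append(term)
    if len(accepted) > MAX_CUSTOM_TERMS:
        raise ValueError(f"custom banned list is limited to {MAX_CUSTOM_TERMS} terms")
    return accepted, rejected


def normalize(password):
    """Case-fold and undo common character substitutions, so variants such as
    'C0nt0s0' and 'P@ssw0rd!' are compared in their plain form."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password, custom_terms):
    """Score a candidate with the simplified rule (assumption: modelled on the published
    algorithm): each banned term found in the normalized password counts 1 point, each
    remaining unique character counts 1 point. Returns (score, matched_terms)."""
    text = normalize(password)
    matched = []
    # Longest terms first, ties broken alphabetically, so the result is deterministic.
    banned = sorted(GLOBAL_BANNED | set(custom_terms), key=lambda t: (-len(t), t))
    for term in banned:
        while term in text:
            matched.append(term)
            text = text.replace(term, "", 1)  # consume the match so it counts once
    return len(matched) + len(set(text)), matched


def is_allowed(password, custom_terms, min_score=5):
    """A password is accepted only if it scores at least min_score points."""
    score, _ = score_password(password, custom_terms)
    return score >= min_score


if __name__ == "__main__":
    custom, rejected = validate_custom_list(["Contoso", "abc", "thisisfartoolongaterm"])
    print("accepted custom terms:", custom, "rejected:", rejected)
    for candidate in ("C0nt0s0Blank12", "C0nt0s0Bl@nkf9!"):
        print(candidate, "->", normalize(candidate), score_password(candidate, custom + ["blank"]))
```

Running the block shows why a password built from the company name plus a short suffix fails even though it looks complex: after normalization the banned terms are stripped out and almost nothing is left to score.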

Smart Lockout

Smart lockout protects against brute-force password attacks by locking out sign-in attempts after a threshold is reached:

  Setting            Default value   Description
  Lockout threshold  10 attempts     Failed sign-ins before lockout
  Lockout duration   60 seconds      Time in seconds before auto-unlock

Smart lockout distinguishes between familiar locations (the user's typical sign-in location) and unfamiliar locations. Unfamiliar locations lock out faster. The familiar location counter and unfamiliar location counter are tracked independently.

Exam tip: Smart lockout cannot be disabled. You can adjust the threshold and duration, but the feature is always active. If a question asks how to prevent brute-force attacks on cloud accounts, smart lockout is the built-in answer.
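The point that matters for defenders is the independence of the two counters: a burst of failures from an unfamiliar location should not lock the legitimate user out at their usual location. The following added example (a simulation written for this lesson, not Microsoft's implementation) models that with the default threshold of 10 and duration of 60 seconds. The lesson only says unfamiliar locations lock out faster, so the lower threshold for unfamiliar locations (half of the familiar one) is an assumption chosen for illustration, as is rejecting a correct password while a lockout is in force.

```python
"""Simulation of smart lockout counters (added example, not Microsoft's code)."""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10  # default from the lesson: failed sign-ins before lockout
LOCKOUT_DURATION = 60   # default from the lesson: seconds before automatic unlock


@dataclass
class Counter:
    failures: int = 0
    locked_until: float = 0.0  # absolute time (seconds) at which the lockout expires


@dataclass
class SmartLockout:
    threshold: int = LOCKOUT_THRESHOLD
    duration: int = LOCKOUT_DURATION
    # Assumption: "locks out faster" is modelled as a lower threshold for unfamiliar locations.
    unfamiliar_threshold: int = LOCKOUT_THRESHOLD // 2
    # One independent counter per (user, familiar-or-unfamiliar) pair.
    counters: dict = field(default_factory=dict)

    def _counter(self, user, familiar):
        return self.counters.setdefault((user, familiar), Counter())

    def attempt(self, user, password_ok, familiar, now):
        """Record one sign-in attempt at time `now` and return
        'success', 'failed' or 'locked'."""
        c = self._counter(user, familiar)
        if now < c.locked_until:
            return "locked"  # assumption: even a correct password is refused while locked
        if password_ok:
            c.failures = 0
            return "success"
        c.failures += 1
        limit = self.threshold if familiar else self.unfamiliar_threshold
        if c.failures >= limit:
            c.locked_until = now + self.duration
            c.failures = 0  # counter starts fresh after the lockout expires
            return "locked"
        return "failed"


def simulate():
    """Constructed scenario: repeated failures from an unfamiliar location, then the
    real user signing in from their familiar location. Returns the outcome list."""
    sl = SmartLockout()
    t = 1000.0
    outcomes = [sl.attempt("alice", False, familiar=False, now=t + i) for i in range(5)]
    outcomes.append(sl.attempt("alice", True, familiar=True, now=t + 5))   # real user, usual place
    outcomes.append(sl.attempt("alice", True, familiar=False, now=t + 6))  # still inside lockout
    outcomes.append(sl.attempt("alice", True, familiar=False, now=t + 65)) # lockout expired
    return outcomes


if __name__ == "__main__":
    for step, outcome in enumerate(simulate(), 1):
        print(step, outcome)
```

The simulation shows the three facts the exam tests: the unfamiliar counter trips on its own, the familiar-location sign-in is unaffected, and the lock releases by itself once the duration has elapsed with no administrator action.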

Self-Service Password Reset (SSPR)

SSPR allows users to reset their own passwords without calling the helpdesk. Configuration options:

  • Enabled for: None, Selected group, or All users
  • Authentication methods required: 1 or 2 methods
  • Available methods: Mobile app notification, mobile app code, email, mobile phone, office phone, security questions

Exam tip: Microsoft recommends requiring 2 authentication methods for SSPR. Security questions are the least secure option and should not be the only method enabled. For the exam, the Authenticator app + mobile phone is the recommended combination.

SSPR and MFA Method Convergence

When combined registration is enabled, the same security information registered for MFA is also used for SSPR. Users register once and can use the same methods for both purposes.

Password Writeback

Password writeback enables cloud password changes to be written back to on-premises Active Directory. This is required for:

  • SSPR to work for hybrid (synced) users
  • Entra ID Protection user risk remediation (password change) for hybrid users

Password writeback is configured in Entra Connect and requires the Entra Connect service account to have the "Reset password" permission in Active Directory.

Exam tip: Without password writeback, hybrid users cannot use SSPR or risk-based password change. If a question describes a synced user unable to reset their password via SSPR, check for missing password writeback configuration.

On-Premises Password Protection

For organizations using on-premises Active Directory, Entra Password Protection can be extended on-prem:

  1. Install the Azure AD Password Protection proxy on a domain-joined server
  2. Install the DC agent on each domain controller
  3. The DC agent downloads the banned password list from the cloud and enforces it during on-prem password changes

This ensures the same banned password policy applies regardless of where the password change occurs.

Exam Focus Points

  • Custom banned password list supports up to 1,000 terms (4-16 characters each) with fuzzy matching
  • Smart lockout is always active and cannot be disabled: it tracks familiar and unfamiliar locations independently
  • SSPR requires 2 authentication methods (recommended): security questions alone are insufficient
  • Password writeback is required for hybrid users to use SSPR or risk-based password change remediation
  • On-premises password protection uses a proxy and DC agent to enforce the cloud banned password list locally

Knowledge Check

1. A synced (hybrid) user cannot reset their password using SSPR. What is the most likely missing configuration?

2. How many custom terms can be added to the Entra ID banned password list?

3. What happens when the smart lockout threshold is reached for sign-in attempts from an unfamiliar location?