Azure AD Password Protection and Smart Lockout have now been released into public preview!

As you all know, all it takes is one weak password to get into your company’s systems. Hackers can often guess passwords because certain ones are so common; ‘Password123’ and ‘LetMeIn’ have been identified as two of the most common. Hackers can use brute-force attacks such as ‘spray attacks’ to discover accounts with common passwords. To lower these risks Microsoft have made Azure AD Password Protection, which is designed to remove easily guessed passwords. More specifically it can:

  • Protect accounts in Azure AD and Windows Active Directory by preventing users from using any of over 500 identified common passwords, including over a million character-substitution variants such as replacing ‘s’ with ‘$’.
  • Be managed from a unified administrator experience in the Azure Active Directory Portal.
  • Offer customisable Azure AD smart lockout settings, and additionally you have the ability to add company-specific passwords to block.

Why do you need Azure AD Password Protection?

The majority of users believe that if they substitute characters in common passwords, for example ‘P@s$w0rd’, then they are secure; however, this is not true. Most hackers are aware of these techniques and will, after a while, most likely be able to guess these. The three common things to know about hackers wanting to steal your passwords are:

  • They do know about character substitution as mentioned earlier, e.g. ‘@’ in place of ‘a’.
  • If a complexity rule is in place then it’s most likely a very common one, for example having to have a capital letter and ending the password with a digit.
  • They understand that when users are required to change their passwords periodically it leads to predictable patterns such as months/seasons combined with the current year, e.g. ‘Summer2018’.
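As an added illustration (not Microsoft’s code, and not the actual Azure AD matching algorithm, which this post does not describe), the Python snippet below shows the ideas from the two lists above: undoing common character substitutions before comparing against a banned list (global plus company-specific words), and flagging the season-plus-year and minimal-complexity patterns. The word list, substitution table and regular expressions are constructed assumptions.

```python
import re
from typing import Iterable

# Constructed illustrative list (assumption); the real Azure AD global banned
# list is far larger and its matching rules are Microsoft's own.
GLOBAL_BANNED_WORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou"}

# Character substitutions that attackers routinely undo (assumed set).
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t", "|": "l",
})

SEASON_OR_MONTH = (
    r"(spring|summer|autumn|fall|winter|"
    r"january|february|march|april|may|june|july|august|"
    r"september|october|november|december)"
)
# e.g. 'Summer2018', 'march-2019!': a season or month followed by a 4-digit year.
SEASONAL_RE = re.compile(r"^" + SEASON_OR_MONTH + r"[\W_]*(19|20)\d{2}[\W_]*$")
# Minimal compliance with a typical complexity rule: one capital letter at the
# start, a lowercase run, then digits (optionally one symbol) at the end.
MINIMAL_COMPLEXITY_RE = re.compile(r"^[A-Z][a-z]+\d+[^\w\s]?$")


def normalize(password: str) -> str:
    """Lower-case and undo leet-style substitutions so 'P@s$w0rd' reads 'password'."""
    return password.lower().translate(SUBSTITUTIONS)


def check_password(password: str, custom_banned: Iterable[str] = ()) -> list:
    """Return the reasons a password is easily guessed; an empty list means none found."""
    reasons = []
    normalized = normalize(password)
    for word in sorted(GLOBAL_BANNED_WORDS | set(custom_banned)):
        if word in normalized:
            reasons.append(f"contains banned word '{word}'")
    if SEASONAL_RE.match(password.lower()):
        reasons.append("season/month plus year pattern")
    if MINIMAL_COMPLEXITY_RE.match(password):
        reasons.append("minimal-compliance pattern (Capital, lowercase, digits)")
    return reasons


if __name__ == "__main__":
    samples = ("P@s$w0rd", "Summer2018!", "Welcome1", "C0ntoso2019",
               "correct horse battery staple")  # constructed inputs
    for pw in samples:
        print(pw, "->", check_password(pw, {"contoso"}) or "no issues found")
```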

What is Smart Lockout?

Smart Lockout is a Microsoft system that uses cloud intelligence to lock out hackers trying to guess user passwords. This intelligence can recognise sign-ins coming from valid users and treat those differently from ones coming from hackers and other unknown sources. This means that smart lockout can lock out hackers while still letting users continue to access their accounts.

Smart lockout is on by default for Azure AD customers, with default settings that offer a good mix of security and usability, but these settings can be customised to suit customers’ environments.


To see how to configure this solution please visit my follow up blog at this link.
