Tag Archives: Azure Active Directory

Choose a password that’s harder for people to guess

When you’ve implemented Self Service Password Reset and a cloud user (i.e. an account that only lives in the Microsoft cloud, not an on-premises Active Directory account) wants to change his password, there’s a chance the user will see the following error message:
“Choose a password that’s harder for people to guess”

pass1word-guess
The odd thing is, when the user changes his password in the SSPR it even says the user is using a strong password as shown in the following screenshot:

pass1word

Note. I tried this with several combinations, like Pass1word, P@ssW0rd and Spring2018.

A similar error message can be “Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable. Please try again with a different password.” as shown in the following screenshot:

guessable

The ‘problem’ here is that the user is hitting the ‘banned password list’ in Azure Active Directory. This banned password list is a list of over 1,000 passwords that can easily be guessed, and as such vulnerable for password spray attacks. These passwords are simple words like spring, summer, autumn, winter, football, company name, qwerty, 123456, welcome, zaq1zaq1 etc etc etc. There’s a list of most common passwords on WikiPedia. Of course there are several variations of passwords, password, Pass1word, Pass!word, Passw0rd, you name it, but Microsoft is using normalization techniques to filter out all replaced characters and thus block these passwords.

Banned passwords are part of the Azure AD Password Protection feature, a feature that’s still in preview at the time of writing (October 2018). When you logon to the Azure Portal (https://portal.azure.com) and navigate to Azure Active Directory | Authentication Methods (in the security section) you’ll see the Azure AD Password Protection feature:

password_protection

The banned password list is enforced by default, there’s no way to disable it. If you have an Azure AD Premium license, you can also use a custom banned password list and maintain you own list of words or phrases that you don’t want to be used as a password.

Summary

If your users run into the Choose a password that’s harder for people to guess error message when changing their password in Azure AD or Office 365, they are hitting the banned password list as part of the Azure AD Password protect feature. A feature that’s enforced by default, and implemented by Microsoft as a means to improve security.
This feature is available for cloud users only by default, but if you have implemented self service password reset (SSPR) with password writeback it also works. The nice thing is, it can also be extended to on-premises Active Directory for password changes on-premises. Nice topic for an upcoming blog.

Improved Secure Score in Office 365 tenant

In a previous blogpost I explained about the Microsoft Secure Score and how this indicates the level of security in your Office 365 tenant.

My initial score was only 70, which is pretty low. By implementing Self Service Password Reset and MFA for Admin Acccounts the Secure Score was increased to 122. It could have been a couple of point higher when enabling MFA for all users, but not all users have licenses in Office 365.

I’m curious to see what improvements I can make in the Exchange Online part and how this will influence the Secure Score. Stay tuned 🙂

secure-score-122

Azure AD and Office 365 Password writeback

My previous blogpost was about the Self Service Password Reset (SSPR). A nice feature for cloud identities, but this doesn’t work if you have synchronized identities or federated identities. These are managed in your on-premises Active Directory, so for SSPR to work you need to implement a password writeback solution.

Luckily this feature is available, but the standard Office 365 licenses do not include password writeback functionality. You this you need an Azure AD Premium P1 or Azure AD Premium P2 license. Enterprise Mobility + Security (EMS) E3 does include Azure AD Premium P1, EMS E5 does include Azure AD Premium P2.

To implement password writeback, you need to have SSPR up-and-running. To configure password writeback you have to run the Azure AD Connect wizard.

Note. Make sure you always have the latest version of Azure AD Connect running. Even better, use the auto update feature of Azure AD Connect to make sure you’re up-to-date. At the time of writing the latest version of Azure AD Connect was 1.1.882.0 (as of Sept. 8, 2018).

Start the Azure AD Connect wizard and select the Customize Synchronization Options. Follow the wizard until you reach the Optional Features. Check the Password Writeback option as shown in the screenshot below and click Next to continue.

optional_features

Follow the wizard until the configuration is complete and click Exit to finish the wizard and store the new configuration.
The service account that’s used by Azure AD Connect needs the appropriate permissions in your on-premises Active Directory to store the new password that has been set in Azure AD.
To find out which service account is used by Azure AD Connect, start Azure AD Connect and select View Current Configuration and check the account as shown in the following screenshot:

View_Current_Configuration

The following permissions need to be granted to the service account on either the domain object, or on an OU if you want to scope the permissions:

  • Reset password
  • Change password
  • Write permissions on lockoutTime
  • Write permissions on pwdLastSet

Open Active Directory and Computers, enable Advanced Features, select the properties of the domain, click on Security, click on Advanced and click Add.

Select the service account that was retrieved earlier under Principal and in the applies to dropdown box select Descendent User Objects. Check the following options:

  • Reset password
  • Change password
  • Write lockoutTime (scroll down)
  • Write pwdLastSet (scroll down)

Click on OK to apply the changes to Active Directory and close any following pop-up boxes.

Permission_Entry

To test the password write back option, follow the same procedure as in the SSPR blogpost. After you have changed your password, it is written back to your on-premises Active Directory and the following event is written to the eventlog of the Azure AD Connect server.

EventID_31001

Summary

In this blogpost I’ve shown you how to implement password writeback in your synchronized Azure AD environment. One prerequisite is that you need to have Self Service Password Reset implemented, and you need to have an Azure AD Premium P1 or Azure AD Premium P2.

Azure Active Directory PowerShell v2

Maybe you’ve already heard about Microsoft Graph and the Graph API. Microsoft Graph is the way resources in the Microsoft cloud are connected to each other. The Graph API is an API you can use to access Microsoft Graph, and browse (or traverse) through all the resources.

image

You can use the Graph API when building your own applications, but Microsoft is moving all their apps, tools etc. to the Graph API as well.

Azure Active Directory PowerShell v2 is moving from the Azure AD API’s to the Graph API as well. This automatically implies that Azure AD PowerShell v2 comes with new cmdlets and new options. The output of these cmdlets should be similar of course (creating a new domain, group or user in Azure Active Directory), but that these cmdlets are in no way compatible with the old Azure AD PowerShell.

Unfortunately, you have no choice then moving to Azure AD PowerShell v2. The existing PowerShell v1 will of course be supported for quite some time as it is impossible for everyone to convert their processes, cmdlets, scripts etc. from one version to another.

Note. We’ve seen similar when Microsoft moved from Azure ASM to Azure ARM. It has been taken years for Microsoft to move everything to ARM, so no worries for end-of-support scenarios anytime soon.

Installing Azure AD PowerShell v2 is easy, just install the module using the Install-Module command. This will download the module from the PowerShell repository.

Install-Module AzureAD

When executed you will receive a notification about an untrusted repository. Click [Y] or [A] to continue. The module will be downloaded and installed.

image

image

image

You can use the following commands to store the credentials of your Office 365 and/or Azure tenant administrator account and use it to login to Azure Active Directory:

$AzureADCred = Get-Credential &lt;your tenant admin&gt;<p>Connect-AzureAD -Credential $AzureADCred

image

You’ve now installed the Azure Active Directory PowerShell v2 module and are logged on to your tenant. If you want to retrieve a list of all new v2 PowerShell commands use can use the Get-Command command:

Get-Command *AzureAD*

image

In future blogposts I will continue with the Azure AD PowerShell v2 module.

More information

<updated on March 21, 2018>

Permanently delete users from Office 365

When you delete user accounts from Office 365 (en thus Azure Active Directory) these accounts are not permanently deleted, but they are kept in a Deleted Users container for 30 days. This is not only true for cloud users that are deleted in the Microsoft Online Portal, but also for synced users that are deleted in your on-premises Active Directory.

clip_image002

Although you can see the deleted users in the Microsoft Online Portal, there’s no way to permanently delete them here.

The solution is to use the Azure Active Directory Module for PowerShell, using PowerShell you can actually permanently delete these user account.

To retrieve a list of all users in the Deleted Users container open Azure Active Directory PowerShell and execute the following command:

Connect-MSOLService
Get-MsolUser -ReturnDeletedUsers

clip_image004

To permanently remove these user accounts you can use the same command, but pipe the output of the command into the Remove-MsolUser -RemoveFromReclycleBin command. You can add the -Force option to bypass the confirmation of each user deletion (i.e. the ‘Are you sure? Yes[y], No[n]’ message).

clip_image006

Now when you execute the Get-MsolUser -ReturnDeletedUsers command you’ll see the all users are permanently removed.

Please be careful, once permanently removed there’s no way to restore the user accounts!