rules/findings/EntraID/Policy/CIS3.0/eid-custom-banned-password-list-disabled.json
{
"args": [ ], "provider": "EntraID", "serviceType": "Identity Protection", "serviceName": "Microsoft Entra ID", "displayName": "Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization", "description": "Microsoft Azure creates a default bad password policy that is already applied to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premises Active Directory unless Microsoft Entra ID Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in the default values for the specifics of this policy.", "rationale": "Enabling this gives your organization further customization of which passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.", "impact": "Increasing the required password complexity might increase the overhead of administering user accounts.", "remediation": { "text": "###### To set a custom bad password list, use the Microsoft Entra ID blade\r\n\t\t\t\t\t1. In `Microsoft Entra ID`, click on `Security`.\r\n\t\t\t\t\t2. Under `Management` select `Authentication`, then `Password Protection`.\r\n\t\t\t\t\t3. Set the `Enforce custom list` to `Yes`.\r\n\t\t\t\t\t4. Double click the custom password list to add a string.\r\n\t\t\t\t\t5. Click `Save`.", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-combined-policy", "https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad", "https://www.microsoft.com/en-us/research/publication/password-guidance/" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "3.0.0", "reference": "2.8", "profile":"Level 1" } ], "level": "medium", "tags": [ ], "rule": { "path": "aad_password_protection_policy", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "customBannedPasswords.Count", "eq", "0" ], [ "enforceCustomBannedPasswords", "eq", "false" ] ], "operator": "or" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { }, "expandObject": null }, "table": null, "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": false, "showModalButton": false, "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Custom Bad Password List is not set or not enforced", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "aad_custom_bad_password_disabled", "notes": [ ], "categories": [ ] }