Whilst passwordless authentication is the future with Microsoft, it requires a lot of planning and analysis, as well as new hardware or software that users must be trained on. Microsoft is investing a lot of time and effort into it, but at the same time Azure AD (or Entra AD as it is now known) offers lots of features to help protect your users' passwords while you move to passwordless.
Even if you are not planning on going passwordless, we highly recommend implementing these capabilities to help secure your environment. We have had great success and feedback from customers we have done this with. Do reach out to us if user password security is a concern of yours in today’s age of malicious attack attempts. Below are five features we highly recommend, with a short summary of each.
SSPR (self-service password reset)
A cloud-based password reset feature allowing users to change their passwords. If you use a hybrid environment, this can also write your user password back to on-premises. A brilliant feature to help reduce helpdesk tickets. Users can use it to change, reset or unlock their passwords.
Entra Password Protection
This feature stops your users from using weak and easy-to-guess passwords. It checks new passwords against a catalogue of bad passwords. You can also add your own banned passwords using a custom list.
Entra Password Protection for Active Directory Domain Services
This feature expands Entra Password Protection and brings the same capabilities to your on-premises environment. Now you can enjoy the power of Entra AD security on-premises as well.
Entra ID Protection: Leaked Credentials
When attackers or cybercriminals obtain your users' passwords, approximately 70% of them will share those passwords online on the dark web or try to sell them on the black market. When this happens, Microsoft obtains these leaked credentials and checks them against Entra users' passwords. Using conditional access policies and user risk policies, you can protect your users and enforce a password change on next logon should their password have been compromised.
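The conditional access policy described above can be created with the Microsoft Graph PowerShell SDK. This is an added example, not taken from the original article: the display name and the break-glass object ID are placeholders, and it assumes you act on the "high" user risk level and roll out in report-only mode first.

```powershell
# Added example: Conditional Access policy that forces a secure password change
# when Entra ID Protection rates a user as high risk (for example after a
# leaked-credentials detection). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of your emergency-access (break-glass) account,
# excluded so a misconfiguration cannot lock every administrator out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'EXAMPLE - Require password change for high user risk'
    # Report-only: evaluates and logs the policy without enforcing it yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        userRiskLevels = @('high')
    }
    grantControls = @{
        # passwordChange must be combined with MFA using AND, so that only
        # the legitimate user can complete the password change.
        operator        = 'AND'
        builtInControls = @('mfa', 'passwordChange')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what was stored in the tenant.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'UserRisk'; e = { $_.Conditions.UserRiskLevels -join ',' } },
        @{ n = 'Grant';    e = { $_.GrantControls.BuiltInControls -join ',' } }
```

Once the report-only results look as expected, change `state` to `enabled` to enforce the policy.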
Entra Smart Lockout
Smart lockout helps you to lock out bad actors that are trying to guess your users' passwords. It also detects brute force attacks. It can recognize sign-ins coming from valid users and process them differently. Attackers are denied access and locked out whilst users can continue working.
In conclusion, while Microsoft is paving the way for passwordless authentication, implementing key features in Entra AD, such as SSPR, Entra Password Protection, and Smart Lockout, is crucial for bolstering password security. These measures not only enhance protection against cyber threats but also contribute to a more streamlined and secure user experience. Whether or not passwordless authentication is in your immediate plans, these features offer valuable safeguards against malicious attacks in today's threat landscape.
Written by Phillip Lotter - Senior Consultant.