Does the Leaked credentials Alert in Azure AD Premium look at current user credentials and report on it or does it also report on previously used passwords?

Fadebolt 26 Reputation points

Investigating an alert I received on Leaked Credentials, I wanted to know if this alert is looking at the current user passwords only or if it checks the old passwords set by the user also. Does the alert look for valid usernames or does it just check for the password hashes?


Accepted answer
  1. AmanpreetSingh-MSFT 56,236 Reputation points

    Hello @Fadebolt · Welcome to QnA Platform and thanks for your query.

    The Leaked Credential risk detection type indicates that the user's current credentials have been leaked, which are valid and can be used to sign in. When a user resets his password, the previous credentials become invalid and can't be used for signing in and accessing any resources, which is why this check is performed against current valid credentials.

    When cybercriminals compromise valid passwords of legitimate users, they often share those credentials publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they are checked against Azure AD users' current valid credentials to find valid matches.

    Read more:


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
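
An added example, not part of the answer above and not Microsoft's code: because the detection concerns credentials that were valid when the match was found, a first triage step is to check whether each flagged user has changed their password since the detection. The field names follow the Microsoft Graph `riskDetection` and `user` resources; the records are constructed sample data and `triage_leaked_credentials` is a hypothetical helper.

```python
import json
from datetime import datetime

# Constructed sample data shaped like Microsoft Graph riskDetection records
# (only the fields used here); not real tenant output.
RISK_DETECTIONS = json.loads("""[
 {"id": "rd-001", "riskEventType": "leakedCredentials", "riskState": "atRisk",
  "userPrincipalName": "alice@contoso.example", "detectedDateTime": "2023-03-10T08:15:00Z"},
 {"id": "rd-002", "riskEventType": "leakedCredentials", "riskState": "atRisk",
  "userPrincipalName": "bob@contoso.example", "detectedDateTime": "2023-03-10T08:15:00Z"},
 {"id": "rd-003", "riskEventType": "unfamiliarFeatures", "riskState": "atRisk",
  "userPrincipalName": "carol@contoso.example", "detectedDateTime": "2023-03-11T12:00:00Z"},
 {"id": "rd-004", "riskEventType": "leakedCredentials", "riskState": "remediated",
  "userPrincipalName": "dave@contoso.example", "detectedDateTime": "2023-03-09T09:00:00Z"}
]""")

# Constructed map: userPrincipalName -> the user's lastPasswordChangeDateTime.
LAST_PASSWORD_CHANGE = {
    "alice@contoso.example": "2023-03-12T10:00:00Z",
    "bob@contoso.example": "2022-11-01T07:30:00Z",
    "dave@contoso.example": "2023-03-09T11:00:00Z",
}

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_leaked_credentials(detections, last_change):
    """Split open leakedCredentials detections by whether the password
    that was current at detection time has since been replaced."""
    still_exposed, rotated = set(), set()
    for d in detections:
        # Only open leaked-credential detections are in scope.
        if d["riskEventType"] != "leakedCredentials" or d["riskState"] != "atRisk":
            continue
        upn = d["userPrincipalName"]
        changed = last_change.get(upn)
        # An unknown change time is treated as still exposed (fail closed).
        if changed and parse_ts(changed) > parse_ts(d["detectedDateTime"]):
            rotated.add(upn)
        else:
            still_exposed.add(upn)
    # A user with any unrotated detection stays in the exposed list.
    return {"still_exposed": sorted(still_exposed),
            "rotated": sorted(rotated - still_exposed)}

if __name__ == "__main__":
    print(triage_leaked_credentials(RISK_DETECTIONS, LAST_PASSWORD_CHANGE))
```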
