This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 19%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
A brief introduction:
One of the regular security activities we perform in our company is to extract all the password hashes from the Active Directory and try to crack them in an offline dedicated computer using leaked passwords and other dictionaries in combination with an extensive set of mangling rules.
This process ensures that the passwords being used in our company not only comply with the security policies but also are not easy to guess.
The problem:
One of our branches is starting to use only AAD, so at this moment this security test cannot be performed.
Is there a way to get all the hashes from an Azure AD?
Thanks in advance.
No, there is no way to export them. If you are worried about people using common or leaked passwords, enable the password protection feature: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
It's not fully customizable, but it's the best you can get with Entra ID. Alternatively, you can use an auth method that redirects the process to your on-premises or federated identity provider, which will give you more freedom.
That service can do part of the work and is better than nothing, but it is a pitty not being able to apply this process, that gives a great peace of mind.