password testing in AAD/Entra

crib bar 846 Reputation points
2024-03-12T10:47:33.2133333+00:00

As part of annual cyber security assessments, there has always been a requirement to run a ‘password strength test’ against all privileged accounts (domain admin etc) in our on-prem AD accounts to look for users who had set weak passwords. This involved extracting the hashes from the NTDS.DIT file. I wondered for ‘cloud only’ accounts, what is the equivalent file in Azure AD/Entra, and how practical is it to get a copy of the equivalent user database file and extract hashes from it? Has anyone had to run a similar test and gone through the process in AAD/Entra? Or alternatively, are there any tools that can scan Entra/AAD for accounts with 'weak' passwords?


Accepted answer
  1. Marcin Policht 50,570 Reputation points MVP Volunteer Moderator
    2024-03-12T11:06:56.1233333+00:00

    In short, you cannot. You can attempt brute force tools, but this would result in the accounts being locked out, so it's not likely the approach you'd want to pursue. Focus on using tools provided by Microsoft, such as password protection ( https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad ) and Identity Protection ( https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection ) instead.


    hth

    Marcin

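Since the hashes are not obtainable, the closest cloud-side equivalent of the on-prem privileged-account audit is to ask Identity Protection which role holders it has already flagged for leaked credentials. The script below is an added example, not code from the thread; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the IdentityRiskEvent.Read.All and Directory.Read.All permissions.

```powershell
# Added example (not from the thread): report Entra ID directory-role holders that
# Identity Protection has flagged with a "leakedCredentials" risk detection.
# Assumption: Microsoft.Graph SDK installed; caller granted the scopes requested below.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "Directory.Read.All"

# 1. Collect the UPNs of every user holding an activated directory role.
#    Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$privileged = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $upn = $member.AdditionalProperties['userPrincipalName']
        if ($upn) { $privileged[$upn.ToLower()] = $role.DisplayName }
    }
}

# 2. Pull the Identity Protection detections where the password itself was found exposed.
$leaks = Get-MgRiskDetection -All -Filter "riskEventType eq 'leakedCredentials'"

# 3. Report the overlap: privileged users whose credentials are known to be leaked,
#    newest detection first, including whether the risk is still open or remediated.
$leaks |
    Where-Object { $_.UserPrincipalName -and $privileged.ContainsKey($_.UserPrincipalName.ToLower()) } |
    Select-Object UserPrincipalName,
                  @{ n = 'Role'; e = { $privileged[$_.UserPrincipalName.ToLower()] } },
                  RiskState, RiskLevel, DetectedDateTime |
    Sort-Object DetectedDateTime -Descending |
    Format-Table -AutoSize
```

Any row with a RiskState other than remediated or dismissed is a privileged account whose password is known to be exposed and should be reset, which is the same outcome the NTDS.DIT exercise was meant to drive on-prem.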
