Share via

password testing in AAD/Entra

crib bar 781 Reputation points
2024-03-12T10:47:33.2133333+00:00

As part of annual cyber security assessments, there has always been a requirement to run a ‘password strength test’ against all privileged accounts (domain admin etc) in our on-prem AD accounts to look for users who had set weak passwords. This involved extracting the hashes from the NTDS.DIT file. I wondered for ‘cloud only’ accounts, what is the equivalent file in Azure AD/Entra, and how practical is it to get a copy of the equivalent user database file and extract hashes from it? Has anyone had to run a similar test and gone through the process in AAD/Entra? Or alternatively, are there any tools that can scan Entra/AAD for accounts with 'weak' passwords?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,246 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,635 questions
0 comments
Accepted answer
  1. Marcin Policht 18,270 Reputation points MVP
    2024-03-12T11:06:56.1233333+00:00

    In short, you cannot. You can attempt brute force tools, but this would result in the accounts being locked out, so it's not likely the approach you'd want to pursue. Focus on using tools provided by Microsoft, such as password protection ( https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad ) and Indentity Protection ( https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection ) instead

    hth

    Marcin

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest