password testing in AAD/Entra

crib bar 531 Reputation points
2024-03-12T10:47:33.2133333+00:00

As part of annual cyber security assessments, there has always been a requirement to run a ‘password strength test’ against all privileged accounts (domain admin etc) in our on-prem AD accounts to look for users who had set weak passwords. This involved extracting the hashes from the NTDS.DIT file. I wondered for ‘cloud only’ accounts, what is the equivalent file in Azure AD/Entra, and how practical is it to get a copy of the equivalent user database file and extract hashes from it? Has anyone had to run a similar test and gone through the process in AAD/Entra? Or alternatively, are there any tools that can scan Entra/AAD for accounts with 'weak' passwords?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,843 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,453 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marcin Policht 10,040 Reputation points MVP
    2024-03-12T11:06:56.1233333+00:00

    In short, you cannot. You can attempt brute force tools, but this would result in the accounts being locked out, so it's not likely the approach you'd want to pursue. Focus on using tools provided by Microsoft, such as password protection ( https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad ) and Indentity Protection ( https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection ) instead


    hth

    Marcin

    0 comments No comments

0 additional answers

Sort by: Most helpful