Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,642 questions
Any help from:
How to view Microsoft Entra's custom banned passwords audit results?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 33%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
appdict
5
Reputation points
Hi,
In the Microsoft Entra Admin Center:
- Go to Authentication Methods.
- Select Password Protection.
- Click on Custom Banned Password List.
Question:
How can I view the audit results for the custom banned passwords in Microsoft Entra?
Expiration:
I have activated Audit Mode and after about 30 minutes, I changed my password with a banned password on my computer (with Ctrl + Alt + Del). Then I searched in the Microsoft Entra Admin Center under Users -> Audit Logs and looked for my recent password reset. The status is successful (sure, my policy is still in audit mode), but the status reason is empty.
I hoped there would be a log entry like "Audit mode: policy violation."
Background:
Hybrid environment (sync between on-premises Active Directory and Azure Identity).
Two Domain Controllers are in the Azure cloud and two are on-premises.
Password write-back is enabled.
Can anyone explain how to access the custom banned password audit log?
2 answers
Sort by: Most helpful
-
Andy David - MVP 145.6K Reputation points MVP2024-06-06T10:43:52.14+00:00 -
appdict 5 Reputation points
2024-06-06T12:31:11.6866667+00:00 that solution doesn't work, because policy is in audit mode. It will work with user logs, if policy is enabled.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 30,931 Reputation points Microsoft Employee2024-06-09T17:05:47.1433333+00:00 @appdict Have you checked the audit logs on the domain controllers look for these events 10024/10025/30009/30010.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 97%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
Julian Holden 0 Reputation points2024-06-10T07:21:09.4233333+00:00 @Givary-MSFT The agent isn't installed on the domain controllers for me yet as the guide says to not enable the option for Window servers active directory, I have double checked and no logs.
The guide I followed to test is:
https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-configure-custom-password-protection
However I have to leave in audit mode to see how many employees are going to be effected by this change rather than activate and then test. Thanks
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju 2,020 Reputation points Microsoft Vendor2024-06-18T07:51:33.7066667+00:00 Hello @appdict,
Thank you for your patience, and I apologize for the delay.
Based on previous comments, I understand that you are testing Microsoft Entra's custom banned passwords feature according to the Microsoft documentation. Link
Background: You have a hybrid environment with Password write-back enabled.
Your test: You activated Audit Mode and, after about 30 minutes, attempted to change a user's password to one from the banned list using the Ctrl+Alt+Del method (which directs to the endpoint https://mysignins.microsoft.com/security-info). The password change was allowed, and no failure attempts were logged in the audit logs. The status shows as successful, and the status reason is empty.
As you mentioned, you haven't installed an agent on the domain controllers, following the guide's instruction to not enable the option for Windows Server Active Directory.
Your objective was to see how many employees would be affected by this change before activating "Enable password protection on Windows Server Active Directory" in your tenant and then testing.
To clarify: You have kept the custom banned password list in Audit Mode without enabling "Enable password protection on Windows Server Active Directory" in the Azure portal, and you haven't installed any agent on the domain controllers.
The "Audit" mode will only work when you have deployed password protection on Windows Server Active Directory. This is why the Audit mode option is greyed out if you haven't enabled password protection on Windows Server Active Directory. Please refer to the screenshot for reference.
Regarding your test results, when you tried to change the user's password to one from the banned list using the Ctrl+Alt+Del method (which directs to https://mysignins.microsoft.com/security-info), the password change was allowed, and no failure attempts were logged in the audit logs.
I replicated this in my test tenant using two methods with the same configuration you have: Ctrl+Alt+Del and the legacy URL (https://account.activedirectory.windowsazure.com/ChangePassword.aspx). The results were as follows:
- Using Ctrl+Alt+Del, which directed me to https://mysignins.microsoft.com/security-info (the modern method), I am able to change the password successfully, and the logs showed success.
- Following the steps in the public documentation to test the custom banned password list (https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-configure-custom-password-protection#test-custom-banned-password-list) resulted in an error message when attempting to use a banned password. The error message stated: "Unfortunately, you can't use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password," as mentioned in the documentation. When I checked the audit log, it showed a failure with the status reason "PasswordBannedByAdminPolicy".
Based on these test results, it appears that the custom banned password list is only working with the legacy password change URL (https://account.activedirectory.windowsazure.com/ChangePassword.aspx) and not with the modern method (https://mysignins.microsoft.com/security-info)
Thank you for bringing this to our attention. I have informed my internal team to check with the concerned team to ensure this feature works with the modern password change URL as well, as it is not currently blocking the banned password when using Ctrl+Alt+Del >> Change a password. For a faster resolution, I recommend filing a support ticket with the Microsoft Support team.
Hope this includes all the information that you were looking for.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks,
Raja Pothuraju.-
Raja Pothuraju 2,020 Reputation points Microsoft Vendor
2024-06-21T06:44:41.2666667+00:00 Hello @appdict,
Following up to see if the above answer was helpful. If this answers your query, do click
Accept AnswerandYesfor was this answer helpful. And, if you have any further query do let us know. -
Raja Pothuraju 2,020 Reputation points Microsoft Vendor
2024-06-24T04:40:23.87+00:00 Hello @appdict,
Following up to see if the above answer was helpful. If this answers your query, do click
Accept AnswerandYesfor was this answer helpful. And, if you have any further query do let us know.
Sign in to comment