How to view Microsoft Entra's custom banned passwords audit results?

appdict 5 Reputation points
2024-06-06T09:58:42.5233333+00:00

Hi,

In the Microsoft Entra Admin Center:

  1. Go to Authentication Methods.
  2. Select Password Protection.
  3. Click on Custom Banned Password List.

Question:

How can I view the audit results for the custom banned passwords in Microsoft Entra?

Expiration:

I have activated Audit Mode and after about 30 minutes, I changed my password with a banned password on my computer (with Ctrl + Alt + Del). Then I searched in the Microsoft Entra Admin Center under Users -> Audit Logs and looked for my recent password reset. The status is successful (sure, my policy is still in audit mode), but the status reason is empty.

I hoped there would be a log entry like "Audit mode: policy violation."

Background:

Hybrid environment (sync between on-premises Active Directory and Azure Identity).

Two Domain Controllers are in the Azure cloud and two are on-premises.

Password write-back is enabled.

Can anyone explain how to access the custom banned password audit log?


2 answers

  1. Andy David - MVP 145.6K Reputation points MVP
    2024-06-06T10:43:52.14+00:00

  2. Raja Pothuraju 2,020 Reputation points Microsoft Vendor
    2024-06-18T07:51:33.7066667+00:00

    Hello @appdict,

    Thank you for your patience, and I apologize for the delay.

    Based on previous comments, I understand that you are testing Microsoft Entra's custom banned passwords feature according to the Microsoft documentation.

    Background: You have a hybrid environment with Password write-back enabled.

    Your test: You activated Audit Mode and, after about 30 minutes, attempted to change a user's password to one from the banned list using the Ctrl+Alt+Del method (which directs to the endpoint https://mysignins.microsoft.com/security-info). The password change was allowed, and no failure attempts were logged in the audit logs. The status shows as successful, and the status reason is empty.

    As you mentioned, you haven't installed an agent on the domain controllers, following the guide's instruction to not enable the option for Windows Server Active Directory.

    Your objective was to see how many employees would be affected by this change before activating "Enable password protection on Windows Server Active Directory" in your tenant and then testing.


    To clarify: You have kept the custom banned password list in Audit Mode without enabling "Enable password protection on Windows Server Active Directory" in the Azure portal, and you haven't installed any agent on the domain controllers.

    The "Audit" mode will only work when you have deployed password protection on Windows Server Active Directory. This is why the Audit mode option is greyed out if you haven't enabled password protection on Windows Server Active Directory. Please refer to the screenshot for reference.

    User's image

    Regarding your test results, when you tried to change the user's password to one from the banned list using the Ctrl+Alt+Del method (which directs to https://mysignins.microsoft.com/security-info), the password change was allowed, and no failure attempts were logged in the audit logs.

    I replicated this in my test tenant using two methods with the same configuration you have: Ctrl+Alt+Del and the legacy URL (https://account.activedirectory.windowsazure.com/ChangePassword.aspx). The results were as follows:

    1. Using Ctrl+Alt+Del, which directed me to https://mysignins.microsoft.com/security-info (the modern method), I was able to change the password successfully, and the logs showed success.
    2. Following the steps in the public documentation to test the custom banned password list (https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-configure-custom-password-protection#test-custom-banned-password-list) resulted in an error message when attempting to use a banned password. The error message stated: "Unfortunately, you can't use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password," as mentioned in the documentation. When I checked the audit log, it showed a failure with the status reason "PasswordBannedByAdminPolicy".

    Based on these test results, it appears that the custom banned password list is only working with the legacy password change URL (https://account.activedirectory.windowsazure.com/ChangePassword.aspx) and not with the modern method (https://mysignins.microsoft.com/security-info).

    Thank you for bringing this to our attention. I have informed my internal team to check with the concerned team to ensure this feature works with the modern password change URL as well, as it is not currently blocking the banned password when using Ctrl+Alt+Del >> Change a password. For a faster resolution, I recommend filing a support ticket with the Microsoft Support team.

    Hope this includes all the information that you were looking for.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.
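
The two audit-log outcomes described in the answer above can be told apart programmatically. The following is an added example, not part of the thread or of Microsoft's documentation: it classifies password-related directory audit records by result and status reason. The function name `Get-PasswordPolicyVerdict`, the helper `New-SampleRecord`, the verdict labels and the sample records are assumptions made for illustration; the property names are those of the objects returned by `Get-MgAuditLogDirectoryAudit`.

```powershell
# Added example (not from the thread). Property names match the objects returned by
# Get-MgAuditLogDirectoryAudit (Microsoft.Graph.Reports); sample records are constructed.
function Get-PasswordPolicyVerdict {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Record)
    process {
        # Only password change/reset activities are of interest.
        if ($Record.ActivityDisplayName -notmatch 'password') { return }

        $verdict = if ($Record.Result -eq 'failure' -and
                       $Record.ResultReason -eq 'PasswordBannedByAdminPolicy') {
            'BlockedByBannedList'   # outcome reported for the legacy change URL
        } elseif ($Record.Result -eq 'success' -and
                  [string]::IsNullOrWhiteSpace($Record.ResultReason)) {
            'AcceptedNoReason'      # outcome described in the question
        } else {
            'Other'
        }

        # TargetResources may be empty; Select-Object avoids indexing into $null.
        $target = $Record.TargetResources | Select-Object -First 1
        [pscustomobject]@{
            Time         = $Record.ActivityDateTime
            User         = $target.UserPrincipalName
            Activity     = $Record.ActivityDisplayName
            ResultReason = $Record.ResultReason
            Verdict      = $verdict
        }
    }
}

# Hypothetical helper that builds a constructed record with the same shape.
function New-SampleRecord($Time, $Activity, $Result, $Reason, $Upn) {
    [pscustomobject]@{
        ActivityDateTime = [datetime]$Time; ActivityDisplayName = $Activity
        Result = $Result; ResultReason = $Reason
        TargetResources = @([pscustomobject]@{ UserPrincipalName = $Upn })
    }
}

$sample = @(
    New-SampleRecord '2024-06-06T09:20:00Z' 'Change password (self-service)' 'success' '' 'user1@contoso.example'
    New-SampleRecord '2024-06-06T09:41:00Z' 'Change password (self-service)' 'failure' 'PasswordBannedByAdminPolicy' 'user2@contoso.example'
    New-SampleRecord '2024-06-06T09:45:00Z' 'Update user' 'success' '' 'user3@contoso.example'
)

$sample | Get-PasswordPolicyVerdict | Format-Table Time, User, ResultReason, Verdict
$sample | Get-PasswordPolicyVerdict | Group-Object Verdict | Select-Object Name, Count
```

Against a live tenant, run `Connect-MgGraph -Scopes 'AuditLog.Read.All'` and pipe `Get-MgAuditLogDirectoryAudit -All` into the function in place of `$sample`.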