Azure AD (Cloud Only) PCI 8.2.5 Compliance?

Andres Felipe Mejia Sanchez 21 Reputation points
2021-03-05T23:21:45.747+00:00

Hi there. For my company I'm using Azure AD (cloud only) for user access control. PCI 8.2.5 says that I have to ensure that users cannot reuse their last 4 passwords, but I see that Azure AD (cloud only) only prevents reusing the last password, not the 4 before.

In addition to that, when I check the Microsoft PCI AOC it says that this product is PCI compliant, so I do not understand that limitation (no configurable password history policy) in the product (Azure AD).

This means that I could be PCI non-compliant because of this Azure AD limitation.

Do you know if there is another way I can be compliant with PCI 8.2.5? Or any compensatory control?

Thanks!

Microsoft Entra ID

1 answer

  1. James Westall 161 Reputation points
    2021-03-06T10:21:00.733+00:00

    Hey @Andres Felipe Mejia Sanchez

    Unfortunately, the documented password policy limit is to remember the last password only.

    There is a uservoice suggestion for this item here.

    For your options to implement other controls, you could do the following. Make sure to discuss with your PCI compliance experts first ;)

    Personally, I would suggest going passwordless. I use a YubiKey and Windows Hello for all my sign-ins and the experience is great.

    1 person found this answer helpful.
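If you follow the answer's suggestion and move toward passwordless sign-in, the first practical question is how many of your cloud-only users are actually there yet. The script below is an added example, not code from the original post or from Microsoft; it pulls the Microsoft Graph authentication-methods registration report (`/reports/authenticationMethods/userRegistrationDetails`) and lists users who are not yet passwordless-capable. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to the `AuditLog.Read.All` scope (assumed to be the required permission; confirm against the current Graph permission reference), and that the tenant is licensed for this report (it is a premium report; check the licensing note in the docs before relying on it). The `isPasswordlessCapable` and `methodsRegistered` property names are taken from the Graph `userRegistrationDetails` resource.

```powershell
# Added example (not from the original thread): inventory passwordless readiness
# for cloud-only Azure AD / Entra ID users via the Microsoft Graph
# authentication-methods registration report.
#
# Assumptions (verify in your tenant):
#   - Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph)
#   - AuditLog.Read.All is the delegated scope needed for this report
#   - the tenant holds a license that exposes userRegistrationDetails

Connect-MgGraph -Scopes "AuditLog.Read.All"

# Page through the report; Graph returns results in pages linked by @odata.nextLink.
$uri  = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
$rows = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $rows += $page.value
    $uri   = $page.'@odata.nextLink'
} while ($uri)

# Split the population: users already able to sign in without a password
# (FIDO2 key, Windows Hello for Business, passwordless Authenticator) vs. the rest.
$passwordless    = $rows | Where-Object { $_.isPasswordlessCapable -eq $true }
$notPasswordless = $rows | Where-Object { $_.isPasswordlessCapable -ne $true }

"{0} users total, {1} passwordless-capable, {2} still password-dependent" -f `
    $rows.Count, $passwordless.Count, $notPasswordless.Count

# Detail for the follow-up list: who still relies on a password, and what they
# have registered so far (useful for prioritising admins and cardholder-data
# environment users first).
$notPasswordless |
    Select-Object userPrincipalName,
                  isAdmin,
                  isMfaRegistered,
                  @{ Name = "methodsRegistered"; Expression = { $_.methodsRegistered -join ";" } } |
    Sort-Object isAdmin -Descending |
    Format-Table -AutoSize

# Export the same list as evidence for the assessor / compensating-control write-up.
$notPasswordless |
    Select-Object userPrincipalName, isAdmin, isMfaRegistered,
                  @{ Name = "methodsRegistered"; Expression = { $_.methodsRegistered -join ";" } } |
    Export-Csv -Path ".\password-dependent-users.csv" -NoTypeInformation
```

Run it from a PowerShell session that can complete the interactive Graph sign-in; the CSV gives you a dated snapshot you can re-run to show the password-dependent population shrinking over time, which is the kind of evidence a compensating-control discussion with your QSA will need.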