Why Leaked credentials is supported only in Azure AD Password Hash sync?

Ravikiran S 116 Reputation points
2021-05-12T04:37:44.617+00:00

Why Leaked credentials is supported only in Azure AD Password Hash sync? And, not in Azure AD Pass-through authentication?

I read in this documentation that "Risk detections like leaked credentials require the presence of password hashes for detection to occur."
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-hash-synchronization

Would be helpful to understand why we need password hashes for leaked detections to be detected? This should help me understand why leaked credentials is only supported in Azure AD Password Hash Sync

Thank you.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,413 questions
0 comments No comments
{count} vote

Accepted answer
  1. VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
    2021-05-12T09:02:42.83+00:00

    @Ravikiran S Thanks for reaching out.

    In order for Microsoft / Azure AD to detect any leaked credential, Microsoft must have some way of knowing the users password. Mind you this is not actual password but the hash of password which is synced from password hash sync process which does a 1000 iteration of HMAC-SHA 256 of the password before it is sent to AAD.

    While investigating the leaked credential Microsoft acquires username/password pairs by monitoring many websites which leaks users data, Dark Web.
    Many trusted sources are used to get these data.

    When our service has access to those data, they are run with the same hashing algorithm and are checked with Azure AD users password hashes, if there is a match it is raised as leaked credential.

    Since we have access to password hash only in case of Password hash sync and not the Pass through authentication, that is why leaked credential is possible only case of PHS.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Bernd Schoepplein 1 Reputation point
    2022-11-15T13:51:04.09+00:00

    What exactly is the algorithm to prove credentials as leaked?

    We did some tests with verification accounts but never got a positive results. We published credentials in the form of xxx@keyman .com and password in PLAIN TEXT. We never received any alerts while market competitors did...

    So can we trust AADIP as reliable source of detection?

    BR
    Bernd

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.