# Default Settings - Password Rule Settings - Password Protection - Mode
If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged.
| Field | Value |
|---|---|
| Name | BannedPasswordCheckOnPremisesMode |
| Control | Default Settings - Password Rule Settings |
| Description | Define the password protection and Smart Lockout configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior |
| Severity | High |
## How to fix
### Details of configuration item
| Field | Value |
|---|---|
| Recommendation | Microsoft Entra Password Protection - Microsoft Entra ID - Microsoft Learn |
| Configuration | settings |
| Setting | `values` |
| Recommended Value | 'Enforce' |
| Default Value | Audit |
| Graph API Docs | directorySetting resource type - Microsoft Graph beta - Microsoft Learn |
| Graph Explorer | Open in Graph Explorer |
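The details above say where the value lives: a `directorySetting` object returned by the beta `settings` endpoint, whose `values` array holds name/value pairs, one of them `BannedPasswordCheckOnPremisesMode`. The script below is an added example, not code from this page or from the Maester project: it evaluates a settings response against the recommended value, treats a tenant where the "Password Rule Settings" template was never instantiated as running the default (`Audit`), and builds the PATCH body that would switch the mode to `Enforce`. The sample response, the placeholder ids and the assumed Graph permission scopes (`Directory.Read.All` to read, `Directory.ReadWrite.All` to update) are assumptions of the example.

```python
"""Audit BannedPasswordCheckOnPremisesMode in the Entra 'Password Rule
Settings' directorySetting and build the remediation PATCH.

Added example. Assumes the beta /settings response shape documented for
directorySetting: {"value": [{id, displayName, templateId, values: [{name, value}]}]}.
"""
import json
import urllib.request

GRAPH_SETTINGS_URL = "https://graph.microsoft.com/beta/settings"
CONTROL_DISPLAY_NAME = "Password Rule Settings"
SETTING_NAME = "BannedPasswordCheckOnPremisesMode"
RECOMMENDED_VALUE = "Enforce"
DEFAULT_VALUE = "Audit"  # applies while the template has not been instantiated

# Constructed sample payload, not a real tenant response; ids are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "Password Rule Settings",
            "templateId": "00000000-0000-0000-0000-0000000000aa",
            "values": [
                {"name": "EnableBannedPasswordCheckOnPremises", "value": "True"},
                {"name": "BannedPasswordCheckOnPremisesMode", "value": "Audit"},
                {"name": "LockoutThreshold", "value": "10"},
            ],
        }
    ]
})


def find_control(settings_json: str, display_name: str = CONTROL_DISPLAY_NAME):
    """Return the directorySetting for the control, or None when the
    template has never been instantiated in the tenant."""
    payload = json.loads(settings_json)
    for setting in payload.get("value", []):
        if setting.get("displayName") == display_name:
            return setting
    return None


def get_value(setting, name: str, default: str) -> str:
    """Read one name/value pair from a directorySetting's values array,
    falling back to the documented default when absent."""
    if setting is None:
        return default
    for item in setting.get("values", []):
        if item.get("name") == name:
            return item.get("value", default)
    return default


def evaluate(settings_json: str) -> dict:
    """Compare the effective mode with the recommended value and report
    whether the value came from an explicit setting or the default."""
    control = find_control(settings_json)
    effective = get_value(control, SETTING_NAME, DEFAULT_VALUE)
    return {
        "setting": SETTING_NAME,
        "effective_value": effective,
        "from_default": control is None,
        "passed": effective.casefold() == RECOMMENDED_VALUE.casefold(),
        "setting_id": None if control is None else control.get("id"),
    }


def remediation_patch(setting_id: str) -> tuple:
    """Build the (URL, JSON body) for PATCH /beta/settings/{id} that sets
    the mode to Enforce; only the changed value needs to be sent."""
    body = {"values": [{"name": SETTING_NAME, "value": RECOMMENDED_VALUE}]}
    return f"{GRAPH_SETTINGS_URL}/{setting_id}", json.dumps(body)


def fetch_settings(access_token: str) -> str:
    """Read the tenant's directorySettings with a bearer token (assumed
    scope Directory.Read.All). Network call; the offline demo never uses it."""
    req = urllib.request.Request(
        GRAPH_SETTINGS_URL,
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    result = evaluate(SAMPLE_RESPONSE)
    print(json.dumps(result, indent=2))
    if not result["passed"] and result["setting_id"]:
        url, body = remediation_patch(result["setting_id"])
        print("PATCH", url, body)
```

Matching on `displayName` rather than a template GUID keeps the example free of identifiers the page does not give; in a real check, `from_default` being true is worth surfacing separately, because it means no one has ever opened the Password Protection blade for this tenant, not merely that someone chose Audit.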
## MITRE ATT&CK
| Tactic | Technique | Mitigation |
|---|---|---|
| TA0006 - Credential Access | T1110 - Brute Force | M1018 - User Account Management; M1027 - Password Policies |