Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory
If set to Yes, password protection is turned on for Active Directory domain controllers when the appropriate agent is installed.
| Name | EnableBannedPasswordCheckOnPremises |
| Control | Default Settings - Password Rule Settings |
| Description | Define the password protection and Smart Lockout configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior |
| Severity | High |
How to fix
Details of configuration item
| Recommendation | Azure identity & access security best practices - Microsoft Learn |
| Configuration | settings |
| Setting | `values |
| Recommended Value | 'True' |
| Default Value | False |
| Graph API Docs | directorySetting resource type - Microsoft Graph beta - Microsoft Learn |
| Graph Explorer | Open in Graph Explorer |
MITRE ATT&CK
| Tactic | Technique | Mitigation |
|---|---|---|
| TA0006 - Credential Access | T1110 - Brute Force | M1018 - User Account Management, M1027 - Password Policies |