Skip to main content

Default Settings - Password Rule Settings - Password Protection - Mode

If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged.


Name	BannedPasswordCheckOnPremisesMode
Control	Default Settings - Password Rule Settings
Description	Define the password protection and Smart Lockout configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior
Severity	High

How to fix

Details of configuration item


Recommendation	Microsoft Entra Password Protection - Microsoft Entra ID - Microsoft Learn
Configuration	settings
Setting	`values
Recommended Value	'Enforce'
Default Value	Audit
Graph API Docs	directorySetting resource type - Microsoft Graph beta - Microsoft Learn
Graph Explorer	Open in Graph Explorer

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0006 - Credential Access - Credential Access	T1110 - Brute Force	M1018 - User Account Management M1027 - Password Policies

How to fix
- Details of configuration item
MITRE ATT&CK