
Default Settings - Password Rule Settings - Password Protection - Mode

If set to Enforce, users are prevented from setting banned passwords and each attempt is logged. If set to Audit, the attempt is only logged and the password change is allowed.

Name: BannedPasswordCheckOnPremisesMode
Control: Default Settings - Password Rule Settings
Description: Define the password protection and Smart Lockout configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior
Severity: High

How to fix

Details of configuration item

Recommendation: Microsoft Entra Password Protection - Microsoft Entra ID - Microsoft Learn
Configuration: settings
Setting: values
Recommended Value: 'Enforce'
Default Value: Audit
Graph API Docs: directorySetting resource type - Microsoft Graph beta - Microsoft Learn
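The check described above, written out as an added example (this is not code from the page or from the project that publishes it). It reads the tenant's "Password Rule Settings" directorySetting through the Microsoft Graph beta `settings` endpoint, reports whether `BannedPasswordCheckOnPremisesMode` is already `Enforce`, and only patches the value when the script is run with `-Remediate`. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account has a permission that covers directory settings (Directory.ReadWrite.All is assumed here; the read-only check needs less).

```powershell
# Added example, not part of the original page or its project.
# Assumes: Microsoft Graph PowerShell SDK; a consented scope covering
# directorySetting objects (Directory.ReadWrite.All assumed).
param(
    [switch]$Remediate   # without this switch the script only reports
)

Connect-MgGraph -Scopes 'Directory.ReadWrite.All' -NoWelcome

$settingName = 'BannedPasswordCheckOnPremisesMode'
$expected    = 'Enforce'
$baseUri     = 'https://graph.microsoft.com/beta/settings'

# -OutputType PSObject gives NoteProperties, so .value / .values refer to the
# JSON fields and not to the Hashtable's own Values property.
$all = (Invoke-MgGraphRequest -Method GET -Uri $baseUri -OutputType PSObject).value
$pw  = $all | Where-Object { $_.displayName -eq 'Password Rule Settings' }

if (-not $pw) {
    # No object means the template was never instantiated: every setting,
    # including this one, is still at its default (Audit).
    Write-Output "$settingName : not configured, default 'Audit' applies - FAIL"
    return
}

$entry   = $pw.values | Where-Object { $_.name -eq $settingName }
$current = $entry.value

if ($current -eq $expected) {
    Write-Output "$settingName : '$current' - PASS"
    return
}

Write-Output "$settingName : '$current' - FAIL (expected '$expected')"

if ($Remediate) {
    # Send the full values array back with just this entry changed, so no
    # other Password Rule Settings value is accidentally reset.
    $updated = foreach ($v in $pw.values) {
        if ($v.name -eq $settingName) { @{ name = $v.name; value = $expected } }
        else                          { @{ name = $v.name; value = $v.value } }
    }
    $body = @{ values = @($updated) } | ConvertTo-Json -Depth 5

    Invoke-MgGraphRequest -Method PATCH -Uri "$baseUri/$($pw.id)" `
        -Body $body -ContentType 'application/json'

    Write-Output "$settingName : set to '$expected'"
}
```

Run it once without `-Remediate` to see the current state; the remediation path is deliberately opt-in because the PATCH rewrites the whole `values` collection of the Password Rule Settings object.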

MITRE ATT&CK

Tactic: TA0006 - Credential Access
Technique: T1110 - Brute Force
Mitigation: M1018 - User Account Management; M1027 - Password Policies