question

AndresFelipeMejiaSanchez-3973 avatar image
0 Votes"
AndresFelipeMejiaSanchez-3973 asked JamesTran-MSFT edited

Azure AD (Cloud Only) PCI 8.2.5 Compliance?

Hi there. For my company i'm using Azure AD (Cloud Only) for users access control. PCI 8.2.5 says that i have to control that users can not user their last 4 passwords, but i see that Azure AD (cloud only) just prevent using the last password, not the 4 before.

In addition to that, when i check the Microsoft PCI AOC it says that this product is PCI compliance, so i do not understand that limitation (configurable password history policy) in the product (Azure AD)

This means that i could be PCI Not Compliance because of this Azure AD limitation.

Do you know if there is other way i can be compliance about PCI 8.2.5? or any compensatory control?

Tnks!

azure-ad-sspr
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DR-0849 avatar image DR-0849 ·

Hello,

I am currently trying to navigate compliance with this limitation. How did you end up approaching this situation?

Thanks!

0 Votes 0 ·

1 Answer

JamesWestalll avatar image
1 Vote"
JamesWestalll answered AndresFelipeMejiaSanchez-3973 commented

Hey @AndresFelipeMejiaSanchez-3973

Unfortunately the documented password policy limits are to remember the last password only.

There is a uservoice suggestion for this item here.

For your options to implement other controls, you could do the following. Make sure to discuss with your PCI compliance experts first ;)

Personally, I would suggest going password-less - I use a yubikey & windows hello for all my sign-ins and the experience is great.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndresFelipeMejiaSanchez-3973 avatar image AndresFelipeMejiaSanchez-3973 ·

Thank you.. understand, but in my case I use azure ad as my principal identity provider to access other clouds (aws, cloudflare, etc). I do not have anything on premise and do not user windows workstations.

0 Votes 0 ·