question

OleFriisNielsen-0580 asked OleFriisNielsen-0580 commented

Possibility of setting Password protection settings in Azure AD via Graph API/PowerShell

I'm looking for a way to change the settings for Password protection in Azure via PowerShell/Graph API/Azure CLI.

The settings I'm looking to change can be found in Azure AD -> Security -> Authentication methods -> Password protection.

azure-ad-graph

1 Answer

michev answered OleFriisNielsen-0580 commented

Those settings are managed via the so-called "directory settings/templates". To manage them via PowerShell, use the preview module (AzureADPreview) and the Get-AzureADDirectorySettingTemplate/New-AzureADDirectorySetting cmdlets.

Via Graph: https://docs.microsoft.com/en-us/graph/api/directorysetting-post-settings?view=graph-rest-beta&tabs=http


Thank you for the answer, I got it working by using the following commands (Attached so others who find this thread can use them in the future):

 $BannedPasswords = "apple`tbanana" # List of banned passwords, must use `t instead of enter or space
    
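 # Select only the "Password Rule Settings" object, so that the Id passed to
 # Remove-AzureADDirectorySetting is never the Id of another directory setting
 $CurrentSettings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Password Rule Settings"}
 if ($CurrentSettings) {
     Remove-AzureADDirectorySetting -Id $CurrentSettings.Id
 }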
 $NewSetting = (Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Password Rule Settings"}).CreateDirectorySetting()
    
 $NewSetting.Values = @(@{
     Name = "BannedPasswordCheckOnPremisesMode"
     Value = "Enforce" # alternative is Audit
 };@{
     Name = "EnableBannedPasswordCheckOnPremises"
     Value = $true
 };@{
     Name = "EnableBannedPasswordCheck"
     Value = $true
 };@{
     Name = "LockoutDurationInSeconds"
     Value = 900
 };@{
     Name = "LockoutThreshold"
     Value = 15
 };@{
     Name = "BannedPasswordList"
     Value = $BannedPasswords
 })
    
 $null = New-AzureADDirectorySetting -DirectorySetting $NewSetting
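
An in-place variant of the commands in the comment above, as an added example that is not part of the original thread: it updates the existing "Password Rule Settings" object with Set-AzureADDirectorySetting instead of removing and recreating it, then reads the values back from the tenant. The helper `Get-SettingValue` and the sample banned terms are hypothetical, and a connected AzureADPreview session (Connect-AzureAD) is assumed.

```powershell
# Added example, not code from the thread. Requires the AzureADPreview module
# and an existing Connect-AzureAD session.
$TemplateName = "Password Rule Settings"

# Banned terms kept as an array (constructed sample values) and joined with
# tabs, the delimiter the BannedPasswordList value uses in the comment above.
$BannedTerms = @("apple", "banana")

$Desired = [ordered]@{
    BannedPasswordCheckOnPremisesMode   = "Enforce"   # alternative is Audit
    EnableBannedPasswordCheckOnPremises = $true
    EnableBannedPasswordCheck           = $true
    LockoutDurationInSeconds            = 900
    LockoutThreshold                    = 15
    BannedPasswordList                  = ($BannedTerms -join "`t")
}

# Hypothetical helper: read one value out of a directory setting object.
function Get-SettingValue($Setting, [string]$Name) {
    ($Setting.Values | Where-Object { $_.Name -eq $Name }).Value
}

$Existing = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq $TemplateName }

if ($Existing) {
    # Change only the values that differ, then update the same object by Id.
    $Changed = foreach ($Name in $Desired.Keys) {
        if ("$(Get-SettingValue $Existing $Name)" -ne "$($Desired[$Name])") {
            $Existing[$Name] = "$($Desired[$Name])"
            $Name
        }
    }
    if ($Changed) {
        Set-AzureADDirectorySetting -Id $Existing.Id -DirectorySetting $Existing
    }
} else {
    $New = (Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq $TemplateName }).CreateDirectorySetting()
    foreach ($Name in $Desired.Keys) { $New[$Name] = "$($Desired[$Name])" }
    $null = New-AzureADDirectorySetting -DirectorySetting $New
}

# Read back from the tenant and list any value that does not match.
$Applied = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq $TemplateName }
$Desired.Keys | Where-Object {
    "$(Get-SettingValue $Applied $_)" -ne "$($Desired[$_])"
} | ForEach-Object { Write-Warning "Mismatch after update: $_" }
```

Because the script changes nothing when the tenant already matches `$Desired`, it can be re-run as a drift check: any `Write-Warning` line names a value that did not take effect.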