When you have a cloud-only tenant with only cloud-only accounts, or a hybrid tenant without PHS enabled and cloud-only accounts, does Microsoft also check leaked passwords against the password hashes to find risky users?
@Schmeitz
Thank you for reaching out to us. I am researching your query and will update the post with my response.
Hello,
Based on my understanding, Microsoft will report on leaked credentials if your accounts are cloud only or if password hash sync is enabled:
https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#:~:text=The%20Users%20with%20leaked%20credentials,sites%20that%20are%20later%20breached.
"Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization – but only if you enable password hash sync or have cloud-only identities."
Regards,
@Schmeitz
Refer to the Risk Detection section in this article: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#common-questions
When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they are checked against Azure AD users' current valid credentials to find valid matches. For more information about leaked credentials.
Let me know if you have any questions.
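The two answers above say which accounts the leaked-credential check can cover (cloud-only, or synced with PHS). The following is an added example, not code from the thread or from Microsoft, showing how an admin can list the resulting leakedCredentials risk detections and see whether each affected account is cloud-only or synced; it assumes the Microsoft Graph PowerShell SDK (v2) is installed and the signed-in account holds the scopes requested below.

```powershell
# Added example (not from the Q&A thread): list leaked-credential risk detections
# and record whether each affected account is cloud-only or synced from on-premises.
# Assumes the Microsoft Graph PowerShell SDK v2 and an account with the scopes below.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "User.Read.All" -NoWelcome

# Only the leakedCredentials detection type is relevant to this question.
$detections = Get-MgRiskDetection -Filter "riskEventType eq 'leakedCredentials'" -All

foreach ($d in $detections) {
    # onPremisesSyncEnabled is $true for accounts synchronized from on-premises
    # and null for cloud-only accounts. Whether PHS is turned on is an Entra Connect
    # setting and is not exposed on the user object, so it is not shown here.
    $user = Get-MgUser -UserId $d.UserId -Property "userPrincipalName,onPremisesSyncEnabled"
    [pscustomobject]@{
        User      = $user.UserPrincipalName
        CloudOnly = -not $user.OnPremisesSyncEnabled
        Detected  = $d.DetectedDateTime
        RiskLevel = $d.RiskLevel
        RiskState = $d.RiskState   # e.g. atRisk, remediated, dismissed
    }
}
```

In a hybrid tenant without PHS, seeing no detections for synced accounts is expected, because their hashes are never available to the leaked-credential check; only the cloud-only accounts can appear in this list.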