Configuring the custom banned password list

Azure AD password protection is a public preview feature of Azure Active Directory. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews

Many organizations find their users create passwords using common local words such as a school, sports team, or famous person, leaving them easy to guess. Microsoft's custom banned password list allows organizations to add strings to evaluate and block, in addition to the global banned password list, when users and administrators attempt to change or reset a password.

Add to the custom list

Configuring the custom banned password list requires an Azure Active Directory Premium P1 or P2 license. For more detailed information about Azure Active Directory licensing, see the Azure Active Directory pricing page.

  1. Sign in to the Azure portal and browse to Azure Active Directory, Authentication methods, then Password protection (Preview).
  2. Set the option Enforce custom list, to Yes.
  3. Add strings to the Custom banned password list, one string per line.
    • The custom banned password list can contain up to 1000 words.
    • The custom banned password list is case-insensitive.
    • The custom banned password list considers common character substitution.
      • Example: "o" and "0" or "a" and "@"
    • The minimum string length is four characters and the maximum is 16 characters.
  4. When you have added all strings, click Save.

Note

It may take several hours for updates to the custom banned password list to be applied.

(Screenshot) Modify the custom banned password list under Authentication Methods in the Azure portal

How it works

Each time a user or administrator resets or changes an Azure AD password, it flows through the banned password lists to confirm that it is not on a list. This check is included in any passwords set or changed using Azure AD.
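The following Python script is an added illustration, not Microsoft's code, of the two things the article describes: the constraints a custom list entry must satisfy (4 to 16 characters, at most 1000 entries) and the way a candidate password is compared against the list case-insensitively and after undoing common character substitutions. It assumes a simplified substring rule for the comparison (Azure AD's actual scoring is not documented on this page), and the substitution pairs beyond "o"/"0" and "a"/"@", as well as the sample list entries and passwords, are constructed for the example.

```python
"""Illustrative model of the custom banned password list rules.

Added example, not Microsoft's implementation. Assumption: a candidate
password is rejected when any banned string appears in it as a substring
after lower-casing and undoing a few common character substitutions.
"""

# Constraints on list entries stated in the article.
MAX_ENTRIES = 1000
MIN_LEN, MAX_LEN = 4, 16

# Substitutions to undo before comparing. The article names o/0 and a/@;
# the remaining pairs are assumptions added for illustration.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "@": "a", "$": "s", "1": "l", "!": "i",
    "3": "e", "4": "a", "5": "s", "7": "t",
})


def normalize(text: str) -> str:
    """Lower-case and undo substitutions so 'C0nt0$o' compares as 'contoso'."""
    return text.lower().translate(SUBSTITUTIONS)


def validate_custom_list(entries):
    """Apply the portal's entry constraints to a list of raw lines.

    Returns (accepted, rejected): accepted is the list of usable entries in
    order, rejected maps each refused raw line to the reason. Blank lines are
    skipped, matching the one-string-per-line input format.
    """
    accepted, rejected = [], {}
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if len(entry) < MIN_LEN:
            rejected[raw] = f"shorter than {MIN_LEN} characters"
        elif len(entry) > MAX_LEN:
            rejected[raw] = f"longer than {MAX_LEN} characters"
        elif len(accepted) >= MAX_ENTRIES:
            rejected[raw] = f"list limit of {MAX_ENTRIES} entries reached"
        else:
            accepted.append(entry)
    return accepted, rejected


def banned_matches(password: str, custom_list):
    """Return the banned strings found inside the normalized password."""
    norm = normalize(password)
    return [term for term in custom_list if normalize(term) in norm]


def is_allowed(password: str, custom_list) -> bool:
    """True when no custom banned string is found in the password."""
    return not banned_matches(password, custom_list)


if __name__ == "__main__":
    # Constructed sample list: two entries violate the length rules.
    raw_list = ["Contoso", "Seahawks", "ab", "averyveryverylongstring", "Redmond"]
    accepted, rejected = validate_custom_list(raw_list)
    print("accepted:", accepted)
    print("rejected:", rejected)
    # Constructed sample passwords: the first hides 'Contoso' behind substitutions.
    for candidate in ["C0nt0$o2019!", "Blue-Sky!Sunrise#42"]:
        print(candidate, "->", "allowed" if is_allowed(candidate, accepted)
              else f"banned ({banned_matches(candidate, accepted)})")
```

Running the script shows that "C0nt0$o2019!" is refused because it normalizes to a string containing "contoso", while a password with no list term in it passes; the validation step also reports why "ab" and the 23-character entry would not be accepted in the portal.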

What users see

When a user attempts to reset a password to something that would be banned, they see the following error message:

Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.

Next steps

Conceptual overview of the banned password lists

Conceptual overview of Azure AD password protection

Enable on-premises integration with the banned password lists