Configuring the custom banned password list
Many organizations find their users create passwords using common local words such as a school, sports team, or famous person, leaving them easy to guess. Microsoft's custom banned password list allows organizations to add strings to evaluate and block, in addition to the global banned password list, when users and administrators attempt to change or reset a password.
Add to the custom list
Configuring the custom banned password list requires an Azure Active Directory Premium P1 or P2 license. For more detailed information about Azure Active Directory licensing, see the Azure Active Directory pricing page.
- Sign in to the Azure portal and browse to Azure Active Directory, Authentication methods, then Password protection (Preview).
- Set the option Enforce custom list, to Yes.
- Add strings to the Custom banned password list, one string per line.
  - The custom banned password list can contain up to 1000 words.
  - The custom banned password list is case-insensitive.
  - The custom banned password list considers common character substitution.
    - Example: "o" and "0" or "a" and "@"
  - The minimum string length is four characters and the maximum is 16 characters.
- When you have added all strings, click Save.
It may take several hours for updates to the custom banned password list to be applied.
How it works
Each time a user or administrator resets or changes an Azure AD password, the new password is checked against both the global and the custom banned password lists to confirm that it does not match an entry on either list. This check applies to any password set or changed through Azure AD.
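The following Python script is an added illustration, not Microsoft's code and not the actual server-side Azure AD algorithm (whose scoring details are not described on this page). It models the two things an administrator has to reason about from the steps above and from the "How it works" paragraph: validating a proposed custom list against the page's constraints (at most 1000 entries, each 4 to 16 characters), and checking a candidate password against that list case-insensitively with common character substitutions undone. The page gives only "o"/"0" and "a"/"@" as substitution examples; the extra pairs in the table, the list entries and the candidate passwords are constructed here for demonstration.

```python
"""Illustrative model of the custom banned password list rules on this page.

This is an added example, not Microsoft's implementation: the real check runs
inside Azure AD and its exact matching rules are not documented here.  The
substitution table is an assumption built from the page's two examples
("o"/"0", "a"/"@") plus a few similar, commonly seen substitutions.
"""

from typing import Iterable, List, Optional

MAX_ENTRIES = 1000          # page: the list can contain up to 1000 words
MIN_LEN, MAX_LEN = 4, 16    # page: each string is 4 to 16 characters

# Assumed substitution table: digits/symbols mapped back to the letter they
# usually stand in for.  Only the first two pairs come from the page.
SUBSTITUTIONS = str.maketrans({
    "0": "o",
    "@": "a",
    "$": "s",
    "1": "l",
    "!": "i",
    "3": "e",
})


def validate_custom_list(entries: Iterable[str]) -> List[str]:
    """Return a list of problems with a proposed custom banned list.

    An empty result means every entry satisfies the length limit and the
    list is within the entry-count limit stated on this page.
    """
    problems: List[str] = []
    # One string per line in the portal; ignore blank lines and stray spaces.
    cleaned = [e.strip() for e in entries if e.strip()]
    if len(cleaned) > MAX_ENTRIES:
        problems.append(f"too many entries: {len(cleaned)} > {MAX_ENTRIES}")
    for entry in cleaned:
        if not MIN_LEN <= len(entry) <= MAX_LEN:
            problems.append(
                f"{entry!r}: length {len(entry)} not in {MIN_LEN}..{MAX_LEN}"
            )
    return problems


def normalize(text: str) -> str:
    """Case-fold the text and undo the assumed character substitutions."""
    return text.lower().translate(SUBSTITUTIONS)


def banned_match(password: str, custom_list: Iterable[str]) -> Optional[str]:
    """Return the custom-list entry the password contains after normalization.

    Both the candidate password and each list entry are normalized, so an
    entry written with its own substitutions (e.g. "C0ntoso") still matches.
    Returns None when no entry is found in the password.
    """
    norm_pw = normalize(password)
    for entry in custom_list:
        if normalize(entry) in norm_pw:
            return entry
    return None


if __name__ == "__main__":
    # Constructed sample list: an organization name and a local landmark.
    custom_list = ["Contoso", "Seattle"]
    print("list problems:", validate_custom_list(custom_list + ["abc"]))
    for candidate in ["C0nt0s0!2024", "S3attle$", "Tr0ub4dor&3"]:
        hit = banned_match(candidate, custom_list)
        verdict = f"rejected (matches {hit!r})" if hit else "allowed by custom list"
        print(f"{candidate:15} -> {verdict}")
```

Running the script shows that "C0nt0s0!2024" and "S3attle$" are rejected because they reduce to "contoso" and "seattle" once case and substitutions are stripped, while the three-character entry "abc" is reported as too short to be accepted in the list. Because the real service may normalize differently, treat a "rejected" result here as a strong hint, not a guarantee, of what Azure AD will do with the same password.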
What do users see
When a user attempts to reset a password to something that would be banned, they see the following error message:
Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.