Password Monitor auto-enabled for users
Note
Microsoft Edge for Business is now available in Edge stable version 116! Learn more about the new, dedicated work experience with native enterprise grade security, productivity, manageability, and AI built in.
This article describes how admins can turn on Password Monitor in Microsoft Edge for select users. The article also gives the steps to control how monitoring is enabled.
Introduction, benefits, and availability
Password Monitor helps Microsoft Edge users protect their online accounts by informing them if any of their passwords are found in an online leak. Online leaks or data breaches happen when bad actors steal data from third-party apps or websites. To learn more, see the Password Monitor: Safeguarding passwords in Microsoft Edge paper on the Microsoft Research Blog.
Benefits
Given the frequency and scope of these online attacks having this kind of protection is necessary for everyone. Microsoft Edge has the built-in ability to securely check a user's saved passwords against passwords that are known to be compromised and alerts them if a match is found.
Configure group policy for Password Monitor
This feature is controlled via the PasswordMonitorAllowed group policy.
After the policy is enabled, users still need to provide consent to turn on the feature. Consent is required because the feature contains user's sensitive and personal data (passwords). If the feature is disabled using group policy, users can't override this setting.
Enabling Password Monitor for users
After the password monitor policy is enabled, there are different ways this feature is made available to users.
Auto-enablement. Users that are signed-in using their work account (Active Directory or Microsoft Entra ID) and syncing their passwords are auto-enabled for this feature. They'll see the notification in the next screenshot informing them that the feature's turned on.
Getting explicit consent. Users that don't have Password Sync turned on are asked for permission to turn on Password Monitor. They're prompted when the following actions happen:
When a user is saving a new password.
When a user has signed-in to the browser using a saved password.
Direct activation. Users can go to Settings > Passwords anytime and turn the feature On or Off.
User scenarios with Password Monitor auto-enabled
The following table shows scenarios where Password Monitor is auto-enabled and how it works on user devices.
| Scenario | Base conditions | Impact |
|---|---|---|
| 1 with Sync on | Sync ON Feature enabled previously: No Response to Consent UI: None |
Feature enabled by default and a notice bubble is shown 2 min after browser starts. - If sync is turned off after that, the feature is disabled. - Feature turned off before altering sync, sync no longer affects the feature. |
| 2 with Sync on | Sync ON Feature enabled previously: Yes Response to Consent UI: None |
Feature stays the same as user choice. Notice bubble isn't shown and there's no affect of sync change on feature value. |
| 3 with Sync off | Sync Off Feature enabled previously: No Response to Consent UI: None |
Sync is off and the feature stays disabled - At any subsequent point if user turns on the sync without altering the feature: the feature is enabled and auto-enablement notification is shown 2 minutes after Sync is turned on. - If sync is turned off again, the feature is disabled - If the feature is changed before turning on sync, sync no longer affects Password Monitor. |
| 4 with Sync off | Sync OFF Feature enabled previously: Yes Response to Consent UI: None |
Feature stays the same as user choice, notice bubble isn't shown, and there's no effect of sync change on the feature value. |
In addition, if a user signs in using a work account that's restricted via policies for any of the following, the feature is NOT auto-enabled for them:
- Password Monitor is disabled
- Password Sync is disabled
- Sharing of data with Microsoft servers is disabled
Frequently Asked Questions
How can Password Monitor be disabled for my organization?
You can disable Password Monitor for your organization by:
Using the PasswordMonitorAllowed group policy.
Stopping data from being synchronized and sent to Microsoft servers.
Note
Password Monitor can work even if Password Sync is disabled, as long as the user has given explicit consent to turn the feature On or have turned it on themselves via Settings.
What happens if a user for whom the feature has been auto-enabled, turns Password Monitor off via Settings?
The user setting is honored and the feature remains disabled for that user. However, they might be shown a consent dialog again in case they've never previously responded to the consent prompt.
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for