Skip to main content

Back to Blog

The Cracks in Microsoft’s Entra ID

Are Your Passwords Secure?

Protecting your digital assets against unauthorized access is vital, and passwords remain one of the most ubiquitous yet misused approaches to secure authentication.

Microsoft’s Entra ID, previously known as Azure Active Directory Password Protection, is a recently rebranded and free feature for safeguarding your systems. However, before you heave a sigh of relief—the limitations of this tool are worth considering. Microsoft Entra ID might not be enough to protect your passwords; here’s why.

1. A Static Approach

Entra ID takes a static approach to password protection. That is to say: it compares passwords against a predefined list of banned terms when they’re created or reset. While it’s a start, it misses the dynamism needed to keep up with constant leaks, breaches, and lists of exposed passwords.

Given an enormous number of breaches are related to compromised credentials, a tool that only checks passwords against a static list when they’re created falls short. If a cybercriminal gets hold of a list of compromised credentials (which is very easy), they’re armed with an arsenal of passwords that have been exposed in recent data breaches, but haven’t necessarily been changed by the users. The absence of Dark Web data usage in Microsoft Entra ID’s security measures poses a considerable risk to businesses by not adequately protecting against compromised credentials.

Microsoft’s global banned password list doesn’t include all common dictionary words, either. It’s built on an extraordinarily truncated list of only 500 of the most commonly used passwords and their variants (like words with character substitutions).

If your system isn’t continuously monitoring passwords against these new lists of exposed credentials, it’s far from impervious.

2. All-Access Pass to Your Business Systems

It would be lovely if Microsoft Entra ID alone could protect your passwords, but it’s simply not the case. After all, it can be enabled for all users with enterprise accounts without complex configurations.

But here’s the catch: it leaves a significant hole in your security protocols. While Microsoft suggests that their tool can fend off most password-spraying attacks, the reality is that hackers have moved beyond simple tactics.

They can now test an array of password possibilities, including dictionary attacks and credential stuffing (in addition to password spraying). Instead of trying a handful of commonly used passwords, they employ more sophisticated methods. Recent revelations indicate that Microsoft’s own accounts were found to be using compromised passwords, emphasizing the need for a more robust approach to password protection. Considering the rate at which threat actors techniques evolve, this seems like an oversight for Entra.

3. Confusing Part of the Solution for the Whole

A comprehensive strategy is imperative when it comes to security posture. While identity and access management, multi-factor authentication, and employee training are necessary elements, they don’t negate the need for secure passwords. It’s essential not to rely solely on Microsoft Entra ID (formerly Azure AD Password Protection) as your one-stop-shop for password protection.

Here’s the thing: Microsoft Entra ID lacks the dynamism required to address the constantly changing threat landscape. To truly secure your systems, you need to go beyond a static approach and incorporate solutions that continuously monitor for compromised passwords and dynamically adapt to evolving security threats.

The Risks Are Too Great

In 2023, cybercriminals continue to have a field day. Ransomware attacks are surging, and the resulting and ever-expanding treasure trove of compromised credentials is a threat actors’ dream. Companies of all sizes have fallen prey to cyber attacks; just last month a large Las Vegas based casino and hotel chain reached headlines everywhere as they became victims. Even minor breaches have far-reaching consequences, contributing to the overall landscape of compromised credentials.

The reality is that the technologies we rely on to protect our businesses need to be agile and adapt to this ever-changing environment. However, Microsoft Entra ID seems to be lagging in this respect. It leans on outdated data from previous attacks against its infrastructure, overlooking freely available data from past breaches hackers are all too aware of. When it comes to security, complacency can lead to significant gaps in your defenses.

The costs associated with these breaches are astronomical. IBM’s Cost of a Data Breach Report for 2023 shows these incidents continue to rise, reaching an all-time high of $4.45 million per breach, and these figures don’t account for the ripple effect of original cyberattacks or the costs incurred by organizations later breached with those stolen credentials.

How Entra ID Sidesteps the Obvious

The National Institute of Standards and Technology (NIST) provides guidance on password security. It recommends comparing prospective passwords against a list of commonly used or compromised values, including those from previous breaches. This approach is aimed at identifying weak or compromised passwords and preventing their use.

Surprisingly, Microsoft’s password solution doesn’t attempt to block the use of passwords that have already been exposed in previous breaches. This is a glaring oversight, as these compromised passwords are among the first choices for cybercriminals. Additionally, the list of banned passwords in Microsoft Entra ID lacks comprehensive coverage of common dictionary words, leaving a significant gap in your security.

Long story short, you need continuous password monitoring for true protection.

Another Attack Vector Overlooked by Entra ID

Another growing cyber threat is infostealers, which act as malware-as-a-service. These Trojans quietly steal data over extended periods, infiltrating various user data repositories including documents, VPNs, password managers, and more. Users often store their usernames and passwords in their browsers and password managers, making them prime targets for infostealers.

Microsoft Entra ID allows users to log in from personal devices, which presents an additional attack vector. If users save passwords in plaintext in their web browsers, infostealers can easily swipe this valuable information. The consequences of such attacks can be severe, ranging from unauthorized access to financial exploitation and account takeovers.

An Off-Base “Bad” Password Score Calculator

Entra ID employs a password-scoring system to evaluate password strength and complexity.

In the scoring mechanism, passwords are ‘normalized’ by converting uppercase to lowercase letters and making limited leetspeak character substitutions (for example, 0 would become o). The normalized password is then checked against the banned password lists to calculate a score.

However this system seems misleading. Even passwords containing banned terms may receive passing scores if they meet other criteria, and the inbuilt rules are complicated enough that the average user would be easily confused as to why their password would be repeatedly rejected.

Securing Your Systems…Properly 

While Microsoft Entra ID seems like a convenient tool for protecting your passwords, it has significant limitations. To start, its static approach to password protection, lack of continuous monitoring for compromised credentials, and inadequate coverage of common dictionary words leave your systems at risk.

To enhance your cybersecurity posture, consider complementing Microsoft Entra ID with solutions that offer dynamic and real-time monitoring, ensuring your passwords remain secure in a rapidly evolving threat landscape.

Our solution enables your team to automatically enforce password standards that align with industry recommendations and compliance standards, ensuring your accounts, PII, and data stay secure. Additionally, Enzoic continuously monitors for compromised passwords on the Dark Web and features automated remediation, so user accounts remain protected even if sensitive information is exposed in a breach.

Head to the complete whitepaper to get an in-depth look.