Hi Alex_Simons, congrats on this going GA!
Two questions:
1. Will we ever be able to play with the weak password cutoff and set a value higher than 5 points?
I would really like to set something higher and align with the on-prem password length policy. I can't wait to turn off password complexity, but I don't feel comfortable doing that unless I can also make AAD Password Protection a bit stricter on password strength.
I think the latest guidance (at least from NIST) is telling us to focus on length and ignore complexity, but the third leg of the stool NIST talks about is checking against a banned password list.
2. Will we be able to get more color on the global banned password list?
What it seems a lot of other people do is pull in the HIBP list (like on GitHub!), which we know has hundreds of millions of password hashes to check against. Clearly you're doing something quite different for the global banned password list, because instead of dropping 10GB of hashes on my SYSVOL share, I only see 100KB of data in the PasswordPolicies folder.
It would be really helpful if we can get some color on what's happening under the hood. I understand you can't share any content of the lists, and clearly the normalizing technique dramatically reduces the data you need to look at vs password hashes which need to have every possible variation.
But basically, can you tell us a bit more than this? (from https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#global-banned-password-list)
- Therefore the Azure AD Identity Protection team continually look for commonly used and compromised passwords. They then block those passwords that are deemed too common in what is called the global banned password list.
Thanks again! We have been waiting for this to go GA for a while...
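For readers who want to see why the list can be so small and what the "5 points" cutoff means, here is an added example (not code from this thread or from Microsoft) that follows the scoring Microsoft's public documentation describes for Azure AD Password Protection: normalize the candidate, strip banned terms, then count one point per banned term found plus one per remaining unique character, rejecting anything under 5. The substitution table is partial, the fuzzy edit-distance step is omitted, and the banned list is constructed for illustration; the real global list is not public.

```python
# Added example: a re-implementation of the documented Azure AD Password
# Protection scoring, for illustration only. Lists and tables are constructed.
from typing import List, Tuple

# Partial substitution table (the docs list more); constructed for this example.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed sample of a "global banned" list; the real one is not public.
GLOBAL_BANNED = ["password", "blank", "contoso"]


def normalize(password: str) -> str:
    """Lowercase and apply character substitutions, so 'P@ssw0rd' -> 'password'.
    This is why one normalized entry covers many leet-speak variants and the
    list stays tiny compared with a hash-per-variant approach."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned: List[str]) -> Tuple[int, List[str]]:
    """Return (points, matched_terms).
    Each banned term found as a substring scores 1 point; every remaining
    unique character scores 1 point. Longest terms are matched first so a
    short entry cannot chop a longer one into fragments."""
    text = normalize(password)
    matched = []
    for term in sorted(banned, key=len, reverse=True):
        if term in text:
            matched.append(term)
            text = text.replace(term, " ")  # placeholder keeps neighbours apart
    remaining = set(text.replace(" ", ""))
    return len(matched) + len(remaining), matched


def is_allowed(password: str, banned: List[str], cutoff: int = 5) -> bool:
    """Documented cutoff is 5 points; the thread asks whether it can be raised."""
    return score(password, banned)[0] >= cutoff


if __name__ == "__main__":
    for candidate in ["P@ssword", "C0ntos0Blank12", "ContoS0Bl@nkf9!"]:
        points, terms = score(candidate, GLOBAL_BANNED)
        print(f"{candidate!r}: {points} points, banned terms {terms}, "
              f"allowed={is_allowed(candidate, GLOBAL_BANNED)}")
```

Raising the cutoff (the first question in the post) is a one-argument change here, which is exactly the knob the service does not currently expose.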