Forum Discussion
Better Description of what StrongPasswordRequired does
StrongPasswordRequired $true vs StrongPasswordRequired $false
For example, Strong prevents you using your own username in the password? Anything else?
Thanks!
A little late, but just wanted to complete the thread.
Strong passwords only:
- Requires three out of four of the following:
  - Lowercase characters.
  - Uppercase characters.
  - Numbers (0-9).
  - Symbols:
    - A – Z
    - a – z
    - 0 – 9
    - @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
- StevenC365 | Oct 28, 2018 | MVP
Also, don't do it! It's shown that adding password complexity doesn't really decrease the risk in your environment. Better to use AzureAD SSPR and AzureAD Password Protection to ensure your users don't pick common passwords.
NIST guidance no longer recommends complex passwords, or regularly changing passwords.
- Oct 28, 2018
Yeah! Totally agree! And SSPR is an awesome feature.
- Ipsito_Dutta | Oct 28, 2018 | Brass Contributor
SSPR will only allow passwords that match the Azure AD password complexity requirements when the 'strongpasswordrequired' parameter is set to True. Also, the Azure AD password protection proxy feature is in preview and requires AD integration. For cloud-only environments, it won't work.
- StevenC365 | Oct 29, 2018 | MVP
Sorry, Ipsito_Dutta, that's not correct.
See https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad as all cloud-only account passwords are matched against Microsoft's list of weak passwords. The custom banned list and on-premises integration are preview, not checking against weak passwords. It's easy to prove as well.
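
An added example (not written by any poster in this thread and not Microsoft's implementation): the three-out-of-four rule listed above, run over constructed sample passwords next to an exact-match lookup in a constructed common-password list. `Test-ThreeOfFour`, `$SymbolSet`, `$CommonPasswords` and the sample strings are hypothetical names and values; length limits and the service's actual weak-password matching are not modelled.

```powershell
# Added example. Models only the "three out of four" character-class rule
# quoted in the thread; this is not the Azure AD implementation.

# Symbol set as listed in the thread (apostrophe written as ASCII ').
# Inside a single-quoted string, '' is one literal apostrophe.
$SymbolSet = '@#$%^&*-_!+=[]{}|\:'',.?/`~"();'

function Test-ThreeOfFour {
    param([Parameter(Mandatory)][string]$Password)

    $classes = 0
    if ($Password -cmatch '[a-z]') { $classes++ }   # lowercase
    if ($Password -cmatch '[A-Z]') { $classes++ }   # uppercase
    if ($Password -cmatch '[0-9]') { $classes++ }   # digits
    if ($Password.IndexOfAny($SymbolSet.ToCharArray()) -ge 0) { $classes++ }  # symbols

    return ($classes -ge 3)
}

# Constructed stand-in for a common-password list (assumption: exact match only).
$CommonPasswords = @('Password1', 'Summer2018!', 'Welcome123')

# Constructed sample passwords.
$samples = @(
    'Password1',
    'Summer2018!',
    'Welcome123',
    'correct horse battery staple',
    'tr0ub4dor&3'
)

foreach ($p in $samples) {
    [pscustomobject]@{
        Password        = $p
        MeetsThreeOfFour = Test-ThreeOfFour -Password $p
        InCommonList    = $CommonPasswords -contains $p
    }
}
```

The two columns are independent checks: a password can satisfy the character-class rule and still appear in a common-password list, and a long all-lowercase passphrase fails the class rule because a space is not in the listed symbol set.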