Microsoft Entra password protection
How Entra ID's password protection blocks weak and breached passwords — for both cloud and on-prem AD accounts.
Microsoft Entra password protection evaluates user passwords against a banned-password list during password creation and reset, blocking weak and easily guessable choices. It runs in two places: for cloud-only accounts (enabled by default, with nothing to deploy) and for on-premises Active Directory (through agents you deploy on domain controllers and a proxy server).
What's blocked
Entra password protection blocks:
- Microsoft's global banned-password list — passwords known to be common, frequently used in brute-force lists, or appearing in major breaches. Updated continuously by Microsoft.
- Your custom banned-password list (up to 1,000 entries) — words specific to your organisation that shouldn't be in passwords: your company name, products, executives, locations, sports teams, the city you're in.
- Common substitutions — Password1 and P@ssw0rd1 are both blocked; so is PaS$word1. The fuzzy-match engine catches the obvious tricks.
- Common-word patterns — repeated characters, sequential numbers, keyboard walks.
The result is dramatically stronger user-chosen passwords without requiring complex composition rules that users hate.
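The matching described above, as an added illustration that is not Microsoft's code: Microsoft documents that a candidate password is lower-cased, the substitutions 0→o, 1→l, $→s and @→a are reversed, each banned term found in the result scores one point, every remaining character scores one point, and a total below five is rejected. The script below models that scoring against a small constructed custom banned list (the names `evaluate`, `normalize` and `would_block` are mine). It does exact substring matching only; the global Microsoft list, the edit-distance-one fuzzy match and the per-user first-name, last-name and tenant-name checks are not modelled.

```python
"""Approximation of the documented Entra password-protection scoring.

Not Microsoft's code: it models the published evaluation steps against a
small constructed banned list so the effect of the rules can be inspected.
"""

# Normalization as documented by Microsoft: upper-case is folded to lower-case
# first, then these common substitutions are reversed.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed custom banned list standing in for a tenant's own list
# (the global Microsoft list is not modelled here).
CUSTOM_BANNED = ["Contoso", "Blank", "Password"]

MIN_SCORE = 5          # documented acceptance threshold
CONSUMED = "\x00"      # marker for characters already attributed to a banned term


def normalize(password: str) -> str:
    """Fold case and reverse the common substitutions (P@ssw0rd1 -> passwordl)."""
    return password.lower().translate(SUBSTITUTIONS)


def evaluate(password: str, banned_terms=CUSTOM_BANNED):
    """Return (score, accepted, matched_terms) for a candidate password.

    Each banned term found in the normalized password scores one point and its
    characters are consumed; every remaining character scores one point.
    Longer terms are matched first so 'contoso' is not split by a shorter term.
    Exact substring matching only: the edit-distance-one fuzzy match and the
    user-name/tenant-name checks Microsoft also performs are not modelled.
    """
    remaining = normalize(password)
    matched = []
    for term in sorted({normalize(t) for t in banned_terms}, key=len, reverse=True):
        while term and term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, CONSUMED * len(term), 1)
    leftover = sum(1 for ch in remaining if ch != CONSUMED)
    score = len(matched) + leftover
    return score, score >= MIN_SCORE, matched


def would_block(password: str, banned_terms=CUSTOM_BANNED) -> bool:
    """Audit-mode style view: True if enforced mode would reject the password."""
    return not evaluate(password, banned_terms)[1]


if __name__ == "__main__":
    # Two worked values from Microsoft's documentation plus the substitution
    # examples from this page; all inputs are constructed test values.
    for candidate in ["C0ntos0Blank12", "C0ntos0Blank123",
                      "Password1", "P@ssw0rd1", "PaS$word1"]:
        score, accepted, matched = evaluate(candidate)
        verdict = "accepted" if accepted else "rejected"
        print(f"{candidate:18} score={score} matched={matched} -> {verdict}")
```

Running it shows why composition rules are the wrong lens: all three spellings of Password1 normalize to the same string and score two points, while C0ntos0Blank12 fails on four points and C0ntos0Blank123 passes on five, exactly the boundary Microsoft's own documentation uses.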
Cloud accounts
For cloud-only accounts, password protection runs in Entra ID automatically — no configuration required. The custom banned-password list is configured in Entra admin center → Identity → Protection → Authentication methods → Password protection.
On-premises AD
For hybrid-identity organisations using on-premises AD, password protection requires deploying agents:
- Entra Password Protection DC Agent — installed on domain controllers. Validates password changes against the policy.
- Entra Password Protection Proxy — installed on a separate server (or multiple for HA). The proxy connects to Entra to fetch the policy; DC agents fetch from the proxy locally.
Once deployed, every password change on AD is validated against Entra's policy — including your custom banned list. Users get instant feedback if their chosen password is blocked.
Two enforcement modes:
- Audit — log but don't block. Used during initial rollout to understand impact.
- Enforced — block bad passwords. The right end state.
Why this matters
Password complexity rules (length, character classes) are a poor proxy for password strength. Summer2024! passes most complexity rules but is trivially guessable. Password protection blocks specifically the predictably-bad passwords, regardless of whether they meet complexity rules.
For tenants moving toward passwordless authentication (Microsoft Authenticator, FIDO2, passkeys), password protection is still important — even with passwordless, users need a password for fallback, and that password should be strong.
Licensing
Cloud-only password protection requires Entra ID Free (any tenant has it). Custom banned-password list and on-premises AD enforcement require Entra ID P1 (included with Microsoft 365 Business Premium, E3, E5).
For organisations still running on-premises AD with synced identities, deploying the password-protection agents is a one-time effort with permanent benefit. Combined with Microsoft Defender for Identity for compromised-credential detection and Identity Protection for risky-sign-in response, it forms the password-side defence baseline.