Skip to main content

Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory

If set to Yes, password protection is turned on for Active Directory domain controllers when the appropriate agent is installed.


Name	EnableBannedPasswordCheckOnPremises
Control	Default Settings - Password Rule Settings
Description	Define the password protection and Smart Lockout configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior
Severity	High

How to fix

Details of configuration item


Recommendation	Azure identity & access security best practices - Microsoft Learn
Configuration	settings
Setting	`values
Recommended Value	'True'
Default Value	False
Graph API Docs	directorySetting resource type - Microsoft Graph beta - Microsoft Learn
Graph Explorer	Open in Graph Explorer

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0006 - Credential Access - Credential Access	T1110 - Brute Force	M1018 - User Account Management M1027 - Password Policies

How to fix
- Details of configuration item
MITRE ATT&CK