PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 9 min read

Entra ID Password Protection: How to Block Weak and Commonly Sprayed Passwords in Active Directory

100K+
Commonly used weak passwords in Microsoft's global banned list
2
Components to install: DC agent and proxy service
Audit first
Recommended initial mode before switching to Enforced

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Password spray works because complex password policies create predictable patterns: users set 'Company2024!', 'Summer2024#', 'Welcome1!', 'Passw0rd'. Standard AD complexity rules accept all of these. Attackers know this and maintain wordlists of exactly these patterns -- spraying one attempt per account to stay below lockout thresholds. Entra ID Password Protection closes this gap by evaluating not just the structure of a password but whether it matches known weak patterns, variations of your company name, or entries from Microsoft's global breach data. The deployment requires two components: a proxy service (runs on member servers, communicates with Entra ID) and a DC agent (runs on each DC, enforces the policy at password change time).

Architecture: Proxy and DC Agent

The deployment has two parts. Proxy service: install on one or more domain member servers (not DCs) with internet access to Entra ID. The proxy downloads the current banned password policy from Entra ID and makes it available to DC agents on the internal network. Deploy two proxy servers for redundancy. DC agent: install on every domain controller. The DC agent uses a password filter DLL (registered via LSA) that intercepts every password change and validates it against the cached policy from the proxy. The DC agent does not need direct internet access -- it retrieves policy updates from the proxy. Policy cache: DC agents cache the downloaded policy for 30 days and operate in enforcement mode from the cache even if the proxy is temporarily unavailable. Policy updates download automatically from Entra ID via the proxy approximately every 24 hours.

Deploy the Proxy Service

Download the Entra ID Password Protection proxy installer from the Microsoft Download Center (AzureADPasswordProtectionProxySetup.exe). Install on a domain member server (Server 2016 or later) with internet access on port 443 to the Entra ID endpoints. After installation, register the proxy with Entra ID: Import-Module AzureADPasswordProtection; Register-AzureADPasswordProtectionProxy -AccountUpn admin@yourdomain.com. The registration requires a Global Administrator or Authentication Policy Administrator role. Verify the proxy is registered: Get-AzureADPasswordProtectionProxy. Install a second proxy on a different server for redundancy. The DC agents auto-discover all registered proxies via Active Directory service connection points (SCPs) -- no manual proxy configuration is needed on the DC agents.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Deploy the DC Agent

Download the DC agent installer (AzureADPasswordProtectionDCAgentSetup.msi). Install on every domain controller in every domain in the forest. The installer registers a password filter DLL (AzureADPasswordProtectionPlugin.dll) in LSA. A DC reboot is required after installation. After the first reboot, verify the service is running: Get-Service AzureADPasswordProtectionDcAgent. Check that the policy has been downloaded: the DC agent creates a directory at C:\Windows\AzureADPasswordProtection\Policies containing the cached policy files. Policy download requires a reachable proxy -- if the policy directory is empty, the DC cannot reach the proxy. After a policy download, check the event log: Applications and Services Logs > Microsoft > AzureADPasswordProtection > DCAgent > Admin. Event ID 30001 (policy loaded) and 30002 (password accepted in audit mode) confirm operation.

Configure Audit Mode First

In the Entra admin center (entra.microsoft.com), navigate to Protection > Authentication Methods > Password Protection. Set Mode to Audit. In Audit mode, weak passwords are logged but NOT blocked -- users can still set bad passwords. This gives you visibility into how many password changes in your environment would have been rejected before you start blocking users. Run Audit mode for 2 to 4 weeks and review the DC agent event logs: Event ID 30003 (password rejected in audit, would have been blocked) shows you exactly which accounts are setting weak passwords and what patterns they match. This is also the time to populate your custom banned words list. After reviewing the Audit events and resolving any operational concerns, switch Mode to Enforced.

Create a Custom Banned Password List

In the Entra admin center, under Password Protection, expand the Custom Banned Passwords list. Add terms specific to your organization: company name, product names, location names, department names, team names, nicknames, company abbreviations. Entra ID Password Protection performs fuzzy matching and character substitution detection -- adding 'contoso' also blocks 'C0nt0so!', 'Cont0so2024', 'contoso123', and similar variations. It also detects l33t speak substitutions (a=@, e=3, i=1, o=0, s=$). You do not need to enumerate every variation -- the fuzzy match engine handles it. Recommended additions to your custom list: your company short name, building names, city of headquarters, major product or service names, sports teams in your area (extremely common in passwords), and any company-specific terms you discover during the Audit mode review.

The bottom line

Entra ID Password Protection targets the specific patterns that password spray campaigns rely on. The deployment takes two to four hours and does not require Entra ID P1 or P2 licensing -- the on-premises DC agent is included in the base Entra ID free tier. Run Audit mode for a month first, build your custom banned word list, then switch to Enforced. Pair it with Entra ID Smart Lockout for cloud-side protection and Microsoft Defender for Identity alerts on spray patterns.

Frequently asked questions

Does Entra ID Password Protection require Entra ID P1 or P2?

The on-premises DC agent and proxy are included with any Entra ID tier, including the free tier. You do not need P1 or P2 for the basic banned password list enforcement. The custom banned password list feature also works on the free tier. Some reporting and monitoring features in the Entra admin center have premium tier dependencies, but the core enforcement functionality does not.

Does this slow down password changes?

The password filter DLL adds a small evaluation step to the password change process. For interactive password changes (a user pressing Ctrl+Alt+Del and changing their password), the added latency is imperceptible -- under 100 milliseconds. Bulk password operations (Active Directory bulk resets via ADSI or LDAP) may be measurable but are typically still under 1 second per operation. There is no reported production impact on normal operations.

What happens if the proxy is unreachable?

DC agents cache the downloaded policy for 30 days. If the proxy becomes unavailable (server down, network issue), DC agents continue operating from their cached policy for up to 30 days. After 30 days without a policy refresh, DC agents enter a degraded mode where they apply only basic Microsoft default password rules. Deploy at least two proxy servers to avoid this scenario.

Can users see which words are banned?

Users see a generic error: 'The value provided for the new password does not meet the length, complexity, or history requirements of the domain. Please provide a different password.' They are not told specifically that the password matched a banned term. This is intentional -- revealing the banned list would help attackers understand what to avoid. IT help desk staff can query the DC agent event log to see exactly which rule triggered the rejection for a specific password change attempt.

Does Microsoft Entra Password Protection work for on-premises Active Directory environments without Entra ID?

Partially. The DC agent software is installed on-premises and enforces password policies locally, but the DC agent requires communication with on-premises Entra Password Protection Proxy servers to download the latest global banned password list from Microsoft. The proxy servers authenticate to Microsoft's cloud service to retrieve policy updates. This means on-premises enforcement requires internet connectivity from the proxy servers (not the DCs themselves). Fully air-gapped environments cannot receive cloud-sourced policy updates but can use only a custom banned password list defined in a local policy file without cloud connectivity.

How do I measure the impact of Entra Password Protection on password quality after deployment?

Track two metrics before and after deployment. First, password rejection rate: the DC agent logs every password change attempt and whether it was rejected by the password protection policy to the Microsoft-Windows-AzureADPasswordProtection-DCAgent/Admin event log (Event ID 30010 for rejected passwords). Measure the percentage of password change attempts rejected by the banned list versus accepted -- a high rejection rate indicates users were choosing weak or common passwords before the control was in place. Second, time to resolve password change failures: if the rejection rate is high, users need help understanding why their chosen password was rejected (without revealing the banned list). Track helpdesk tickets related to password changes before and after to understand if the control is creating operational overhead. For the custom banned password list, review it quarterly: add terms that appear in credentials found in breach databases for your industry sector, recent ransomware group names, and any organization-specific terms you observe employees attempting to use.

Sources & references

  1. Microsoft: Entra ID Password Protection Deployment
  2. Microsoft: Banned Password List Overview

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.