Password Protection and Management Capabilities in Microsoft Entra
Why Password Protection and Management Matters
Passwords remain one of the most targeted attack vectors in cybersecurity. Weak, commonly used, or compromised passwords are responsible for a significant percentage of security breaches. Microsoft Entra provides robust password protection and management capabilities to help organizations reduce the risk of password-based attacks, enforce strong password policies, and empower users to manage their credentials securely. Understanding these capabilities is critical for the SC-900 exam and for real-world security implementations.
What Is Password Protection and Management in Microsoft Entra?
Password protection and management in Microsoft Entra (formerly Azure Active Directory) encompasses a suite of features designed to:
1. Prevent the use of weak passwords across cloud and on-premises environments
2. Enable users to securely reset and manage their own passwords
3. Reduce helpdesk burden related to password issues
4. Enforce organizational password policies consistently
The key components include:
1. Microsoft Entra Password Protection
Microsoft Entra Password Protection detects and blocks known weak passwords and their variants. It works by maintaining a global banned password list that Microsoft curates and updates continuously. This list contains commonly used weak passwords and their variations (e.g., "P@ssw0rd", "Password1", etc.).
Organizations can also create a custom banned password list to block passwords specific to their environment, such as company names, product names, locations, or internal terms that attackers could easily guess.
Key points about Microsoft Entra Password Protection:
- The global banned password list is automatically applied to all users in a Microsoft Entra tenant. You cannot disable it.
- The custom banned password list allows up to 1,000 entries and is configured in the Microsoft Entra admin center under Authentication methods > Password protection.
- Password protection uses a normalized matching algorithm that detects variations. For example, if "Contoso" is on the banned list, "C0nt0s0!" and "contoso123" would also be blocked.
- It applies to password changes and password resets.
- It can be extended to on-premises Active Directory environments via Microsoft Entra Password Protection for Windows Server Active Directory, which uses proxy and DC agent components.
2. Self-Service Password Reset (SSPR)
Self-Service Password Reset allows users to reset their own passwords or unlock their accounts without contacting the helpdesk. This is a critical productivity and security feature.
Key points about SSPR:
- SSPR can be enabled for all users, selected groups, or none.
- Users must register authentication methods before they can use SSPR. Methods include: mobile phone, email, security questions, Microsoft Authenticator app, FIDO2 security keys, and more.
- Administrators can require one or two authentication methods for password reset.
- SSPR supports password writeback to on-premises Active Directory when used with Microsoft Entra Connect or Microsoft Entra Cloud Sync. This means a user can reset their cloud password and have the change reflected in the on-premises AD.
- Combined registration allows users to register for both SSPR and Multi-Factor Authentication (MFA) in a single experience.
- SSPR is always enabled for administrators, and they are required to use two authentication methods to reset their passwords. Security questions are not available as a method for administrators.
3. Password Writeback
Password writeback is a feature used with Microsoft Entra Connect or Microsoft Entra Cloud Sync that enables:
- Cloud password changes and resets to be written back to the on-premises directory
- On-premises password policy enforcement for cloud-initiated password changes
- Near real-time synchronization of password changes
This is essential for hybrid environments where users need a consistent password experience across cloud and on-premises resources.
How It All Works Together
Here is the typical flow:
1. A user attempts to change or reset their password (either through the cloud portal or SSPR).
2. Microsoft Entra Password Protection evaluates the new password against the global banned password list and the custom banned password list.
3. The password is scored using the normalized matching algorithm. A password must score at least 5 points to be accepted. Each unique character or token in the password contributes to the score.
4. If the password passes validation, it is accepted and (if password writeback is configured) synchronized back to the on-premises Active Directory.
5. If the password fails validation, the user is prompted to choose a different, stronger password.
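The following is an added illustrative model of the scoring step described above; it is not Microsoft's implementation. It assumes a small constructed banned list (the real global list is not viewable by tenants), a subset of the documented character substitutions (0→o, 1→l, $→s, @→a), and plain substring matching after normalization rather than the full fuzzy matching Entra performs.

```python
# Illustrative model of Microsoft Entra Password Protection scoring (not Microsoft's code).
# Constructed sample lists: the real global list is curated by Microsoft and not viewable.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome"}
CUSTOM_BANNED = {"contoso", "fabrikam"}  # tenant-specific terms (custom list, up to 1,000)

# Assumed subset of the substitutions undone during normalization.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5  # a candidate password must reach at least 5 points


def normalize(password: str) -> str:
    """Lowercase the password and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password: str, banned=None) -> tuple[int, list[str]]:
    """Return (score, matched_tokens).

    Each banned token found in the normalized password scores only 1 point,
    and every remaining unique character scores 1 point.
    """
    banned = banned if banned is not None else GLOBAL_BANNED | CUSTOM_BANNED
    text = normalize(password)
    matched = []
    # Check longer banned terms first so a long term is not split by a shorter one.
    for term in sorted(banned, key=len, reverse=True):
        while term in text:
            matched.append(term)
            text = text.replace(term, "", 1)  # remove the token before counting characters
    score = len(matched) + len(set(text))
    return score, matched


def is_acceptable(password: str, banned=None) -> bool:
    """True when the password reaches MIN_SCORE under the model above."""
    score, _ = score_password(password, banned)
    return score >= MIN_SCORE


if __name__ == "__main__":
    for candidate in ["C0nt0s0!", "contoso123", "P@ssw0rd", "ContosoBlank12"]:
        score, tokens = score_password(candidate)
        verdict = "accepted" if is_acceptable(candidate) else "rejected"
        print(f"{candidate!r}: score={score} banned_tokens={tokens} -> {verdict}")
```

Run as a script to see why "C0nt0s0!" and "contoso123" (the examples from the custom-list discussion above) are rejected while a longer password that merely contains a banned term can still pass.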
For on-premises password protection:
- A DC Agent is installed on each domain controller to intercept password changes and validate them.
- A Proxy service is installed on one or more member servers to facilitate communication between the DC agents and Microsoft Entra ID.
- The banned password lists are periodically downloaded from the cloud and cached locally on domain controllers.
Important Concepts for the SC-900 Exam
- Global banned password list: Maintained by Microsoft, automatically enforced, cannot be viewed or edited by tenants.
- Custom banned password list: Configured by administrators, supports up to 1,000 terms, and uses fuzzy matching.
- SSPR reduces helpdesk costs and improves user productivity.
- Password writeback requires Microsoft Entra Connect or Cloud Sync and a Microsoft Entra ID P1 or P2 license.
- SSPR requires at least a Microsoft Entra ID P1 license.
- Password protection for on-premises AD also requires Microsoft Entra ID P1 or P2.
- The scoring algorithm counts banned password tokens as only 1 point, making it harder to simply append characters to a banned word to pass validation.
Exam Tips: Answering Questions on Password Protection and Management Capabilities
1. Know the difference between global and custom banned password lists. The global list is Microsoft-managed and always active. The custom list is admin-configured and optional. You cannot view the global list's contents.
2. Understand SSPR licensing requirements. SSPR requires Microsoft Entra ID P1 or P2. Password writeback also requires P1 or P2. If a question mentions a free tier, SSPR and writeback are not available.
3. Remember that administrators always have SSPR enabled and must use two methods. Security questions are NOT available for admin accounts.
4. Password writeback is the bridge for hybrid scenarios. If a question asks how cloud password resets apply to on-premises AD, the answer involves password writeback through Microsoft Entra Connect or Cloud Sync.
5. Focus on the purpose, not deep technical configuration. SC-900 is a fundamentals exam. You need to understand what these features do and why they matter, not the step-by-step configuration details.
6. Look for keywords in exam questions: "prevent weak passwords" → Password Protection; "users reset their own passwords" → SSPR; "hybrid password sync" → Password Writeback; "banned password" → Global or Custom banned password list.
7. Understand combined registration. If a question mentions a unified experience for registering MFA and SSPR methods, the answer is combined registration.
8. On-premises password protection architecture: Remember the two components — DC Agent (on domain controllers) and Proxy service (on member servers). The proxy communicates with Microsoft Entra ID to download banned password policies.
9. Elimination strategy: If an answer option mentions features that belong to a different service (e.g., Microsoft Defender, Intune), it is likely incorrect when the question is specifically about password management in Entra.
10. Scenario-based questions: For scenarios describing users being locked out or calling the helpdesk frequently for password resets, the solution is SSPR. For scenarios where users are choosing weak or predictable passwords, the solution is Password Protection with custom banned password lists.
By understanding these core concepts, the components involved, and the licensing requirements, you will be well-prepared to answer any SC-900 questions on Password Protection and Management Capabilities in Microsoft Entra.