Control: Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
Configures auditing against a CIS Benchmark item.
Level: 1
Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. It is not applied to user accounts that are synced from an on-premises Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. See the list in the default values for the specifics of this policy. To strengthen password security further, it is recommended to define a custom banned password policy.
Enabling this gives your organization further control over which passwords are allowed. Setting a bad password list lets your organization fine-tune its password policy, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.
Resource Types
This control targets the following resource types:
Primary Policies
The following policies can be used to configure this control:
- 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
Category
In Your Workspace
Developers
- tmod:@turbot/azure-cisv2-0#/control/types/r0107
- tmod:@turbot/cis#/control/categories/v070404
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv2-0#/control/types/r0107"
Get Controls