Control: Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure that a 'Custom banned password list' is set to 'Enforce'
Configures auditing against a CIS Benchmark item.
Level: 1
Microsoft Azure applies a default global banned password list to all user and admin accounts that are created and managed directly in Microsoft Entra ID.
The Microsoft Entra password policy does not apply to user accounts that are synchronized from an on-premises Active Directory environment, unless Microsoft Entra ID Connect is used and EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled.
Review the Default Value section for more detail on the password policy.
For increased password security, a custom banned password list is recommended.
Implementing a custom banned password list gives your organization further control over the password policy. Disallowing easy-to-guess passwords increases the security of your Azure resources.
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
- Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure 'Custom banned password list' is set to 'Enforce'
- Azure > CIS v4.0 > 06 - Identity Services > 06.08 - Ensure 'Custom banned password list' is set to 'Enforce' > Attestation
- Azure > CIS v4.0 > Maximum Attestation Duration
- Azure > CIS v4.0
- Azure > CIS v4.0 > 06 - Identity Services
- Azure > CIS v4.0 > 06 - Identity Services > Maximum Attestation Duration
Category
In Your Workspace
Developers
- tmod:@turbot/azure-cisv4-0#/control/types/r0608
- tmod:@turbot/cis#/control/categories/v070404
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv4-0#/control/types/r0608"
Get Controls