Enable Azure AD Password Protection and Smart Lockout

When managing users in Azure AD it’s recommended to have a password policy in place however sometimes the best password policy cannot prevent users from using well-known passwords.

Today, I will show you how to enable the new Azure AD password protection and Smart Lockout feature that will prevent users from using an easy password like P@ssw0rd and other well-known passwords.

Password Protection and Smart Lockout allow to do 3 things:

  • Protect accounts in Azure AD and Windows Server Active Directory by preventing users from using passwords from a list of more than 500 of the most commonly used passwords, plus over 1 million character substitution variations of those passwords.
  • Manage Azure AD Password Protection for Azure AD and on-premises Windows Server Active Directory from a unified admin experience in the Azure Active Directory portal.
  • Customize your Azure AD smart lockout settings and specify a list of additional company-specific passwords to block.


To enable the new features, you will need to have an Azure AD Premium 1 or above licenses.

In my case, I have Enterprise Mobility + Security E3 licenses which gives me Azure AD Premium P1

Get Started

To enable Password Protection, I will access Azure AD from the Azure Portal and click on Authentication Methods -> Password Protection

In the password protection screen, I have the option to change Lockout threshold and the Lockout duration.

The main feature is the Custom banned passwords where I can enable it and add password I want to ban on top of the 1 million password that is already banned from Azure AD password protection service

All I need to do is click yes and type the banned passwords

In hybrid mode, I have the option to install an AD agent that will enable the feature for my on-prem AD.