Eliminate Guessable Credentials With Custom Banned Passwords in Microsoft Entra

Hanna Korotka
Custom Banned Passwords

Passwords remain a top target for cybercriminals, especially when they’re weak or easy to guess. Microsoft Entra Password Protection helps mitigate this risk by blocking commonly used or compromised credentials. Going a step further, custom banned passwords let you prevent users from picking specific terms—like your company name or known patterns—that attackers might guess.



What Are Custom Banned Passwords?


Microsoft Entra includes a global list of commonly used or compromised passwords that’s updated regularly. You can also add a custom banned password list tailored to your organization’s needs. When users try to create or reset passwords, the system checks against both lists. Any matching or closely resembling terms will be rejected, prompting the user to choose a more secure credential.


Configuring Custom Banned Passwords in Microsoft Entra


Here’s how to set up and manage custom banned passwords in Microsoft Entra:

  1. Sign in to the Microsoft Entra admin center using a Global Administrator or Security Administrator account.

  2. Browse to Protection > Authentication methods, then Password protection.

  3. Set the option for Enforce custom list to Yes.

  4. Add words to the custom banned password list. Enter terms that you want to block, such as:

    • Company names or abbreviations.

    • Product lines or team names.

    • Repeated patterns like "12345" or "abcde".

  5. To enable the custom banned password list and your entries, select Save.

Configure Custom Banned Passwords in Microsoft Entra


Microsoft’s detection algorithm automatically checks for variations of these terms (e.g., adding special characters or numbers).

It may take several hours for updates to the custom banned password list to be applied.
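To make the "closely resembling terms" behaviour concrete, here is an added Python model of the evaluation steps Microsoft documents for Password Protection (normalize the candidate, find banned tokens, score one point per token and per leftover character, require at least five points). This is example code written for this article, not the Entra service's implementation; the substitution table, the sample banned lists and the exact tokenization are assumptions of the example.

```python
# Leetspeak substitutions undone during normalization (assumed subset).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed sample lists standing in for the global list and a custom list.
GLOBAL_BANNED = ["password", "qwerty", "12345", "abcde"]
CUSTOM_BANNED = ["contoso", "cntso", "fabrikam"]  # company name, abbreviation, product


def normalize(candidate: str) -> str:
    """Lower-case the candidate and undo common character substitutions."""
    return candidate.lower().translate(SUBSTITUTIONS)


def find_banned_tokens(text: str, banned: list[str]) -> tuple[list[str], str]:
    """Return the banned terms contained in normalized text, plus the characters
    left over once those terms are cut out. Longer terms are tried first so that
    'contoso' is consumed before the shorter 'cntso'."""
    found = []
    terms = sorted({normalize(t) for t in banned if t}, key=lambda t: (-len(t), t))
    for term in terms:
        if term in text:
            found.append(term)
            text = text.replace(term, " ")  # blank keeps leftovers from re-joining
    return found, text.replace(" ", "")


def score(candidate: str, banned: list[str]) -> tuple[int, list[str]]:
    """One point per banned token found, one point per remaining character."""
    found, leftover = find_banned_tokens(normalize(candidate), banned)
    return len(found) + len(leftover), found


def evaluate(candidate: str, custom: list[str] = CUSTOM_BANNED,
             min_points: int = 5) -> tuple[bool, str]:
    """Accept only candidates that reach the documented five-point threshold."""
    points, found = score(candidate, GLOBAL_BANNED + custom)
    return points >= min_points, f"{points} points, banned tokens: {found}"


if __name__ == "__main__":
    # 'C0ntoso1!' is the company name with a digit and symbol tacked on: rejected.
    for pw in ["C0ntoso1!", "Contoso2024", "P@$$word12345", "Tr0ub4dor&3Horse"]:
        ok, detail = evaluate(pw)
        print(f"{pw:18} {'ACCEPT' if ok else 'REJECT'}  ({detail})")
```

Note that "Contoso2024" scrapes through at exactly five points, which is why a banned list complements, rather than replaces, length and passphrase guidance for users.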

For hybrid environments that include on-premises Active Directory, you can deploy an agent to extend these checks to on-prem domain controllers. This ensures consistent password rules across your cloud and on-premises environments. To learn more about deploying password ban policies on-premises, refer to Microsoft’s official guidance here:


Testing the Configuration


After configuring the custom banned password list, it’s important to test it to ensure it’s functioning correctly. Follow these steps:

  1. Go to the My Apps page at https://myapps.microsoft.com.

  2. In the top-right corner, select your name, then choose View account from the drop-down menu.

  3. On the Account page, select Password.

  4. On the Change your password window, enter and confirm a new password that's on the custom banned password list you defined in the previous section, then select Submit.

  5. An error message is returned that tells you 'You used an invalid word. Choose a different password'.

Custom Banned Password

Best Practices for Managing Custom Banned Passwords


  1. Update Regularly: Review the list periodically to add newly relevant terms or remove outdated ones.

  2. Educate Users: Communicate the importance of strong passwords and how to create secure passphrases.

  3. Collaborate with Stakeholders: Work with HR, IT, and security teams to identify new terms to ban.


Custom banned passwords in Microsoft Entra are a simple yet powerful way to enhance your organization’s security. By proactively blocking predictable terms, you reduce the risk of password-based attacks and improve compliance with industry standards.


Want to take your Microsoft Entra security to the next level? PlexHosted can help. From configuring custom policies to monitoring your environment, we provide the expertise and support you need to stay secure.


Contact us today to learn how we can optimize your password protection strategy!
