Saturday 30 November 2019

Working with simple passwords in Azure AD.

Microsoft Office 365 (Azure AD) has a default configuration that requires complex passwords that are updated on a regular basis. Complex passwords are 8 to 256 characters that combine at least three of the following: uppercase letters, lowercase letters, numbers and symbols. This level of security is standard practice in a world where everybody has a responsibility to protect their digital identity.

However managing this type of policy in schools can be difficult, especially for early year groups. Complex passwords and enforced password changes are not something a teacher wants to face first thing on a Monday morning.

A policy that uses simple passwords progressing to more complex passcodes for older pupils often works better. Ever since its launch Google G Suite for Education has been using eight character simple passwords with a non-expiry policy to protect over 70 million education users, so it's hardly an unproven approach.

Microsoft's support for simple passwords normally involves syncing or deferring to local Active Directory using mechanisms such as Azure AD Connect or Active Directory Federation Server (ADFS), but in a serverless world you don't have these options: Azure AD is the only directory you have.

One approach is to turn off password complexity for all Azure accounts but that seems a bit drastic. So how do you work with simple passwords in this situation?

Schools that have adopted Microsoft's Modern Management framework can manage Azure user accounts through at least four different web interfaces:

Each platform has a different user interface, navigation model, supports a different sub-set of functions and works in subtly different ways. So the first task is to choose the right portal for the job.

If you plan to do a bulk upload of a new user group using a formatted CSV file then this feature is available in the Azure Portal and the Office 365 Admin portal but not InTune for Education. To add a little more complexity, the format of the import CSV file is different and the options vary between the two portals.

Office 365 Admin - Users

As well as creating a user account, the wizard provided by Office 365 Admin gives you the option to specify a licence such as Office 365 A1, but neither the file format nor the wizard provides any control over the password format. All accounts are created with complex passwords. You are also limited to 200 accounts in each import run.

After the import you have an option to download a spreadsheet that lists the accounts created and the passwords supplied so you can inform the users. Don’t miss this step as there’s no way of regenerating the sheet.

If you are in this unfortunate position you can select multiple users in the Office 365 Admin - Users panel and then choose Reset Password which gives you the option of emailing a new password list to an admin account but the result is not a neatly structured spreadsheet that you can use in deployment.

Azure Portal - Azure Active Directory.

An extended format of the import file includes an option for the initial password but sadly not a licence allocation. Even though you can specify the password it still has to be in a complex format otherwise the import fails with the error.

“The password in the uploaded file does not meet password complexity requirements.”

In summary neither option gives you the chance to bulk create accounts with simple passwords.

Removing password complexity for an account can be achieved using the PowerShell command listed below. Unfortunately none of the web interfaces gives you this option as a simple checkbox.

Set-MsolUser -UserPrincipalName <UPN of user account> -StrongPasswordRequired $false

However, even after removing the strong password requirement, updating the password using the web GUIs still fails. The Office 365 Admin - Users portal checks for a complex password on data entry and won't let you move through the wizard, and the Azure Portal - Azure Active Directory forces a temporary password that you can't control, which of course is complex.

Back to square one - well not quite.

Although the InTune for Education (IT4E) portal provides a limited set of update features one of these is Reset password and this does allow you to set a simple password if the complexity rules allow.

However this option is only available for schools using IT4E and even then it’s hardly practical for a bulk update. Ideally IT4E would provide a simple import feature offering specialised options such as licence allocation, simple passwords, control expiry and a switch to choose whether “change at first logon” is applied.

However, until that time, PowerShell is the answer.

The commands below will update a user account to remove password complexity, set a simple password and ensure the user is not prompted to change at first logon.

Set-MsolUser -UserPrincipalName <UPN of user account> -StrongPasswordRequired $false
Set-MsolUserPassword -ForceChangePassword $false -UserPrincipalName <UPN of user account> -NewPassword "ABC123abc"

Probably the best approach is to create the accounts using the Office 365 Admin - Users portal, which gives you the option to select a licence level, and then run the commands above on each account to prepare for student use. If you are working with a whole year group it is easier to create a CSV file with the user UPN and the password as a data pair and then run the commands as a batch job.

# One-time setup: install the MSOnline module and allow locally created scripts to run
Install-Module MSOnline
Set-ExecutionPolicy RemoteSigned

# Sign in with a tenant admin account
$credential = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $credential

# For each row in students.csv: drop the complexity requirement, stop expiry,
# then set the passcode without forcing a change at first logon
Import-Csv students.csv | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongPasswordRequired $false -PasswordNeverExpires $true
    Set-MsolUserPassword -ForceChangePassword $false -UserPrincipalName $_.UserPrincipalName -NewPassword $_.Passcode
}

Example CSV File (students.csv)

UserPrincipalName,Passcode
<UPN of student account>,ABC123abc

The script also sets the password to never expire. Generally you don’t want students changing passwords 'en masse' during term time.
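The batch script above applies the change to every row as it reads it, so a malformed CSV can leave a year group half-updated and there is no record of what was set. The following is an added example, not code from the original post: it checks students.csv before touching the directory, applies the same three MSOnline settings with error handling, and writes the outcome for each account to a file that can stand in for the password sheet the portal only offers once. The Test-AzureAdComplexity helper, the -WhatIf switch, the file names and the example script name are this example's own choices; it assumes the MSOnline module is installed and Connect-MsolService has already been run.

```powershell
# Added example (not from the original post). Assumes Connect-MsolService has already run.
# Usage: .\Set-StudentPasscodes.ps1 -WhatIf   (dry run, lists what would change)
#        .\Set-StudentPasscodes.ps1           (apply and write students-applied.csv)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath = '.\students.csv',          # assumed input file name
    [string]$LogPath = '.\students-applied.csv'   # assumed output file name
)

# Mirrors the default Azure AD rule described in the post: 8 to 256 characters drawn from
# at least three of the four groups (upper, lower, digit, symbol). Returns $true when the
# passcode would already pass the default policy. -cmatch keeps the case checks case-sensitive.
function Test-AzureAdComplexity {
    param([Parameter(Mandatory)][string]$Password)
    if ($Password.Length -lt 8 -or $Password.Length -gt 256) { return $false }
    $groups = 0
    if ($Password -cmatch '[A-Z]')        { $groups++ }
    if ($Password -cmatch '[a-z]')        { $groups++ }
    if ($Password -match  '[0-9]')        { $groups++ }
    if ($Password -match  '[^A-Za-z0-9]') { $groups++ }
    return $groups -ge 3
}

$rows = Import-Csv -Path $CsvPath
if (-not $rows) { throw "No rows read from $CsvPath" }

# Pre-flight: every row needs a UPN that looks like an address and a non-empty passcode.
# Stop before the directory is touched rather than half-applying the batch.
$bad = $rows | Where-Object {
    [string]::IsNullOrWhiteSpace($_.UserPrincipalName) -or
    $_.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+$' -or
    [string]::IsNullOrWhiteSpace($_.Passcode)
}
if ($bad) {
    $bad | ForEach-Object { Write-Warning "Rejected row: '$($_.UserPrincipalName)'" }
    throw 'Fix the rows above and re-run; nothing was changed.'
}

$results = foreach ($row in $rows) {
    $upn    = $row.UserPrincipalName.Trim()
    $simple = -not (Test-AzureAdComplexity -Password $row.Passcode)
    $status = 'Skipped (WhatIf)'
    if ($PSCmdlet.ShouldProcess($upn, 'Set simple, non-expiring passcode')) {
        try {
            # Look the account up first so a typo in the CSV is reported rather than silently skipped
            $null = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
            Set-MsolUser -UserPrincipalName $upn -StrongPasswordRequired $false -PasswordNeverExpires $true -ErrorAction Stop
            Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $row.Passcode -ForceChangePassword $false -ErrorAction Stop
            $status = 'Applied'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        UserPrincipalName       = $upn
        Passcode                = $row.Passcode
        NeedsComplexityOverride = $simple   # $true when the default policy would have rejected it
        Status                  = $status
        Timestamp               = (Get-Date).ToString('s')
    }
}

# Keep the applied list: the post notes the portal's password sheet cannot be regenerated
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once with -WhatIf to see which rows would be rejected and which passcodes need the complexity override before anything is changed. The output file holds the passcodes in clear, exactly as the portal's downloadable sheet does, so treat it the same way: hand it to the class teacher and then remove it.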

Any IT admin with experience of the simple yet powerful G Suite user import feature will probably find the multiple Microsoft options a bit confusing at first.  It would certainly make things a lot easier if the InTune for Education interface could offer some of the password management features mentioned above.

However the important point is you can get a simple password policy to work, it's just a shame it's so complex.

1 comment:

  1. A very good article that breaks down how a simple password could be achieved on AAD. Azure B2C could be another approach but still to review that in detail.