| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| EID-PWP-E3 | Password Policy | protect | significant | T1078 | Valid Accounts |
Comments
Accounts should have complex and unique passwords across all systems on the network. Passwords and access keys should be rotated regularly.
License Requirements:
Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
|
| EID-PWP-E3 | Password Policy | protect | partial | T1110 | Brute Force |
Comments
This control provides partial protection for most of this technique's sub-techniques and therefore has been scored as Partial.
References
|
| EID-PWP-E3 | Password Policy | protect | partial | T1110 | Brute Force |
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID.
By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password.
License Requirements:
Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
|
| EID-PWP-E3 | Password Policy | protect | significant | T1110.001 | Password Guessing |
Comments
The password restrictions provided by the default Password policy along with the lockout threshold and duration settings is an effective protection against this Password Guessing sub-technique.
References
|
| EID-PWP-E3 | Password Policy | protect | significant | T1110.001 | Password Guessing |
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.
License Requirements:
Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
|
| EID-PWP-E3 | Password Policy | protect | partial | T1110.002 | Password Cracking |
Comments
The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector.
In regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted. Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold. This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).
References
|
| EID-PWP-E3 | Password Policy | protect | partial | T1110.002 | Password Cracking |
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.
License Requirements:
Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
|
| EID-PWP-E3 | Password Policy | protect | partial | T1110.003 | Password Spraying |
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.
License Requirements:
Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
|
| EID-PWP-E3 | Password Policy | protect | partial | T1110.004 | Credential Stuffing |
Comments
The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector.
In regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted. Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold. This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).
References
|
| EID-PWP-E3 | Password Policy | protect | partial | T1110.004 | Credential Stuffing |
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.
License Requirements:
Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
|
| EID-PWP-E3 | Password Policy | protect | significant | T1586.003 | Cloud Accounts |
Comments
Cloud accounts should have complex and unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.
License Requirements:
Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
|