To make sure that its users rely on unique, difficult to guess passwords, Microsoft says it is dynamically banning common passwords from Microsoft Account and Azure AD system. The company analyzes data breaches looking for the passwords that are used most often and prevents users from having a password that is found on attack lists (cybercriminals use passwords from these leaks to brute-force accounts).
In a blog post, Alex Weinert, Group Program Manager of Azure AD Identity Protection team, explains that Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Available in Microsoft Account Service now, the feature will roll out to all Azure AD tenants in the next month.