Password Protection Azure AD

💼 Management Summary

This security control ensures the correct configuration of security settings on Windows endpoints.

Recommendation
IMPLEMENT
Risk without
High
Risk Score
7/10
Implementation
2h (tech: 1h)
Applies to:
Windows

This setting is part of the Windows security baseline and protects against known attack vectors by enforcing secure configurations.

PowerShell Modules Required
Primary API: Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

This control configures Azure AD password protection via Microsoft Intune device configuration policies or compliance policies to secure Windows endpoints according to security best practices.

Requirements

m365

Implementation

Use PowerShell script password-bescherming-azuread.ps1 (function Invoke-Monitoring) – Monitor.

Monitoring

Use PowerShell script password-protection-azuread.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use PowerShell script password-bescherming-azuread.ps1 (function Invoke-Remediation) – Remediate.

Compliance and Auditing

Policy documentation

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Password Protection Azure AD
.DESCRIPTION
    Verifies Azure AD Password Protection is configured with custom banned passwords
.NOTES
    NL Baseline v2.0
    Requires: Azure AD Premium P1
#>
#Requires -Version 5.1
[CmdletBinding()]
param(
    [switch]$Monitoring,
    # -Remediation switch added so the remediation entry point described above is reachable
    [switch]$Remediation
)
$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Password Protection Azure AD" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    # Monitoring-only: prints the manual verification steps and required settings
    try {
        Write-Host " ⚠️ Manual verification required" -ForegroundColor Yellow
        Write-Host "`n Configuration steps:" -ForegroundColor Cyan
        Write-Host " 1. Azure AD > Security > Authentication methods" -ForegroundColor Gray
        Write-Host " 2. Password protection > Configure" -ForegroundColor Gray
        Write-Host " 3. Set mode to 'Enforced'" -ForegroundColor Gray
        Write-Host "`n Required settings:" -ForegroundColor Cyan
        Write-Host " ✓ Enforce custom list: Yes" -ForegroundColor Gray
        Write-Host " ✓ Custom banned password list: Configured" -ForegroundColor Gray
        Write-Host " ✓ Enable on Windows Server AD: Yes (for hybrid)" -ForegroundColor Gray
        Write-Host " ✓ Mode: Enforced (not Audit)" -ForegroundColor Gray
        Write-Host "`n Security Benefits:" -ForegroundColor Cyan
        Write-Host " • Blocks common weak passwords" -ForegroundColor Gray
        Write-Host " • Prevents organization-specific terms" -ForegroundColor Gray
        Write-Host " • Reduces password spray attacks" -ForegroundColor Gray
        Write-Host "`n ⚠️ Note: Requires Azure AD Premium P1" -ForegroundColor Yellow
        Write-Host " Configure via Azure AD portal" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    .DESCRIPTION
        This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

# Dispatch: both functions are defined above this point, as PowerShell requires
try {
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } else {
        Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
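The baseline script above only prints the manual steps. The following PowerShell is an added example, not the baseline's own script, that evaluates a tenant's Password Protection configuration against the required settings listed above (custom list enforced, list populated, mode Enforced rather than Audit, on-premises check enabled for hybrid). It assumes the Microsoft Graph directory setting named "Password Rule Settings" with the value names EnableBannedPasswordCheck, BannedPasswordList (tab-separated terms), BannedPasswordCheckOnPremisesMode (values Audit/Enforce) and EnableBannedPasswordCheckOnPremises, read through Get-MgBetaDirectorySetting from the Microsoft.Graph.Beta.Identity.DirectoryManagement module (a different module than the DeviceManagement module listed above); verify these names against your tenant. The sample input is constructed.

```powershell
# Added example, not part of the NL Baseline script. Evaluates an Azure AD
# "Password Rule Settings" directory setting against this control's requirements.
# Assumption: the value names and the 'Audit'/'Enforce' mode strings follow the
# Microsoft Graph directorySetting template of that name; verify in your tenant.

function Test-PasswordProtectionSetting {
    [CmdletBinding()]
    param(
        # The 'values' collection of the directorySetting: items with .name and .value
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Values,
        # Set for hybrid tenants, where the on-premises DC agent check must be on as well
        [switch] $Hybrid
    )

    # Flatten the name/value pairs into a lookup table (Graph returns all values as strings)
    $cfg = @{}
    foreach ($v in $Values) { $cfg[$v.name] = [string]$v.value }

    $findings = @()

    # Required: custom banned password list is enabled
    if ($cfg['EnableBannedPasswordCheck'] -ne 'True') {
        $findings += 'Custom banned password list is not enabled (EnableBannedPasswordCheck is not True)'
    }

    # Required: the custom list actually contains terms (stored tab-separated)
    $terms = @()
    if ($cfg['BannedPasswordList']) {
        $terms = @($cfg['BannedPasswordList'] -split "`t" | Where-Object { $_.Trim() })
    }
    if ($terms.Count -eq 0) {
        $findings += 'Custom banned password list is empty'
    }

    # Required: mode is Enforce, not Audit (Audit only logs, it never rejects a password)
    $mode = $cfg['BannedPasswordCheckOnPremisesMode']
    if ($mode -ne 'Enforce') {
        $findings += "Mode is '$mode', expected 'Enforce'"
    }

    # Required for hybrid: on-premises AD check enabled
    if ($Hybrid -and $cfg['EnableBannedPasswordCheckOnPremises'] -ne 'True') {
        $findings += 'On-premises banned password check is disabled (required for hybrid)'
    }

    [pscustomobject]@{
        Compliant       = ($findings.Count -eq 0)
        Mode            = $mode
        BannedTermCount = $terms.Count
        Findings        = $findings
    }
}

function Get-PasswordProtectionSettingValues {
    # Live lookup. Assumes Connect-MgGraph -Scopes 'Directory.Read.All' has been run and
    # Microsoft.Graph.Beta.Identity.DirectoryManagement is installed.
    $setting = Get-MgBetaDirectorySetting -All |
        Where-Object { $_.DisplayName -eq 'Password Rule Settings' }
    if (-not $setting) {
        # No setting object means the template was never instantiated: only the
        # global banned list applies and there is no custom list at all.
        return @()
    }
    return $setting.Values
}

# Constructed sample input (not from a real tenant): a hybrid tenant still in Audit mode
$sample = @(
    @{ name = 'EnableBannedPasswordCheck';           value = 'True' }
    @{ name = 'BannedPasswordList';                  value = "Contoso`tWelkom2024`tZomer2024" }
    @{ name = 'BannedPasswordCheckOnPremisesMode';   value = 'Audit' }
    @{ name = 'EnableBannedPasswordCheckOnPremises'; value = 'True' }
)

$result = Test-PasswordProtectionSetting -Values $sample -Hybrid
$result | Format-List
```

For a live check, pass the output of Get-PasswordProtectionSettingValues instead of $sample; an empty result is deliberately accepted and evaluates as non-compliant, since a tenant without the setting object has no custom list. The function returns an object rather than calling exit, so it can be dot-sourced; a wrapper can map Compliant to the baseline script's 0/2 exit-code convention.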

Risk without implementation

High: No auth tracking.

Management Summary

Enable audit logging.