SOLABS offers multiple authentication options and linkage with client password policies to ensure maximum security. This article is intended for clients enabling Azure AD as an external SSO provider for QM10.
The differences between Active Directory (AD) and Azure AD are mostly minor, but one that we find important to be aware of concerns password validation rules. In AD DS, when the setting "Password must meet complexity requirements" is enabled, a user cannot use their username, in full or in part, in their password. Azure AD has no identically named setting; the closest equivalent lives under a different name and section, Password Protection, whose substring checks cover the user's first and last name and the tenant name rather than the account name itself.
This feature evaluates a new password in the following steps:
- Step 1: Normalization. A new password first goes through a normalization process. This technique allows a small set of banned passwords to be mapped to a much larger set of potentially weak passwords.
- Step 2: Check whether the password is considered banned.
  - Fuzzy matching: Fuzzy matching is applied to the normalized password to determine whether it contains a password found on either the global or the custom banned password list. The comparison is based on an edit distance of one (1).
  - Substring matching (on specific terms): Substring matching is applied to the normalized password to check for the user's first and last name as well as the tenant name. Tenant name matching is not done when validating passwords on an AD DS domain controller in on-premises hybrid scenarios.
More information on the Password Protection feature can be found here.
Why is this relevant to QM10 clients?
The QM10 solution does not allow a user's password to contain their username, in full or in part, regardless of the password policies configured in your Azure AD tenant.
We therefore recommend activating the Password Protection feature in your Azure AD tenant when enabling Azure AD as an external SSO provider for QM10, so that the tenant's password rules are as close as possible to what QM10 enforces.
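To make the evaluation steps above and the QM10 username rule concrete, here is a small Python model of them. This is an added example, not Microsoft's Password Protection code or SOLABS's QM10 code: the normalization substitution table (0, 1, $ and @), the sample banned lists, the user and tenant names, and the three-character token threshold used for the "in part" username check are all assumptions made for illustration.

```python
"""Simplified model of the Azure AD Password Protection evaluation described
above (normalization, fuzzy matching, substring matching) plus the QM10
username rule. Added example only; not Microsoft's or SOLABS's code."""

import re

# Step 1 substitutions undone during normalization. Microsoft documents
# 0->o, 1->l, $->s and @->a; treating this as the complete table is an
# assumption of this example.
NORMALIZATION_MAP = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed sample lists. In a real tenant the global list is maintained by
# Microsoft and the custom list by the tenant administrator.
GLOBAL_BANNED = ["password", "qwerty", "letmein"]
CUSTOM_BANNED = ["solabs", "quality"]  # hypothetical custom entries


def normalize(password):
    """Step 1: lower-case, then undo the common character substitutions."""
    return password.lower().translate(NORMALIZATION_MAP)


def levenshtein(a, b):
    """Edit distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def contains_fuzzy(normalized, banned, max_dist=1):
    """Step 2, fuzzy matching: True if some substring of `normalized` is within
    `max_dist` edits of `banned`. Windows one character shorter and longer
    than the banned term cover a single deletion or insertion."""
    n = len(banned)
    for size in range(max(1, n - max_dist), n + max_dist + 1):
        for start in range(len(normalized) - size + 1):
            if levenshtein(normalized[start:start + size], banned) <= max_dist:
                return True
    return False


def username_parts(username, min_len=3):
    """Split a username on common delimiters for the 'in part' check. Tokens
    shorter than min_len are ignored so that 'j.doe' does not forbid every
    password containing the letter 'j' (this threshold is an assumption)."""
    return [t for t in re.split(r"[\s.,_\-#]+", username.lower()) if len(t) >= min_len]


def evaluate(password, first_name, last_name, tenant_name, username,
             hybrid_on_premises=False):
    """Return the reasons a password is rejected (empty list = accepted)."""
    normalized = normalize(password)
    reasons = []
    # Step 2a: fuzzy matching against the global and custom banned lists.
    for term in GLOBAL_BANNED + CUSTOM_BANNED:
        if contains_fuzzy(normalized, normalize(term)):
            reasons.append("banned term (fuzzy): " + term)
    # Step 2b: substring matching on first name, last name and tenant name.
    for label, value in (("first name", first_name), ("last name", last_name)):
        if value and value.lower() in normalized:
            reasons.append("contains " + label)
    # Tenant-name matching is skipped when validating on an on-premises DC.
    if not hybrid_on_premises and tenant_name and tenant_name.lower() in normalized:
        reasons.append("contains tenant name")
    # QM10 rule: the username must not appear in full or in part, regardless
    # of tenant policy. Checked case-insensitively on the raw password.
    lowered = password.lower()
    if username.lower() in lowered or any(p in lowered for p in username_parts(username)):
        reasons.append("contains username (QM10 rule)")
    return reasons


if __name__ == "__main__":
    # Constructed sample user; "acct_7731" is a hypothetical account name.
    user = dict(first_name="Jane", last_name="Doe", tenant_name="contoso",
                username="acct_7731")
    for pwd in ("P@ssw0rd!", "Jane.Doe2024!", "Tr33s-7731-Lunar!",
                "Contoso#Vault9x", "Mauve-Kettle-Orbit-41"):
        print(pwd, "->", evaluate(pwd, **user) or ["accepted"])
```

Two details worth noticing when you run it: "P@ssw0rd!" is rejected only because normalization turns it into "password!" first, and "Contoso#Vault9x" is accepted when `hybrid_on_premises=True`, mirroring the tenant-name exception for on-premises domain controllers. The QM10 rule is evaluated separately and on the raw password, since the article states it applies regardless of the tenant's policy.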
What else should everyone note?
Although the Password Protection feature is enabled by default in Azure AD, IT DOES NOT apply to on-premises AD DS in hybrid scenarios unless the on-premises components are deployed and configured. If this is your context, please refer to this article for the required configuration.
Valuable references on password policies:
Password policy settings for AD DS: here.
Password complexity requirements for AD DS: here.
Password policy settings for Azure AD: here.