The Password protection page in Microsoft Defender shows password-related risks across your identity sources in one place. Use it to find leaked credentials, exposed passwords, weak password policies, and configuration issues, and then take action directly from the page. It supports on-premises Active Directory, cloud identity providers like Microsoft Entra ID, and non-Microsoft providers like Okta.
Prerequisites
To access the Password protection page, you need:
- A Microsoft Defender for Identity license, or another license that includes Defender for Identity (such as E5), and a Microsoft Entra ID Protection license.
- A user role with at least Security Reader permissions.
Page layout and identity sources
In the Microsoft Defender portal, select Identities > Password protection.
The page includes a left panel where you select the identity source you want to review. Supported identity sources include:
- Active Directory: Available on all four tabs.
- Microsoft Entra ID: Available on the Leaked Credentials tab.
- Okta: Available on the Password Hygiene and Password Policies tabs.
What the page shows
The page has four tabs:
- Password Hygiene: Shows accounts with password weaknesses that attackers commonly exploit. Each item is a recommendation you can act on to reduce risk.
- Password Policies: Shows password policies from your identity providers side by side. Use this tab to check whether your policies meet current security standards. See Policy information for details.
- Leaked Credentials: Shows accounts with credentials that were found outside your organization, for example on public paste sites or the dark web. From this tab, you can reset passwords or disable accounts, individually or in bulk.
- Exposed Passwords: Shows accounts and settings that store or expose passwords in insecure ways, such as in plain text or in easily discoverable locations. Examples include clear-text credentials in Active Directory attributes (identified using AI-based detection) and reversible passwords in Group Policy Objects (GPOs).
Account information
The Password Hygiene, Leaked Credentials, and Exposed Passwords tabs show account-level data with the following columns:
| Column | Description |
|---|---|
| Name | The display name of the account. |
| SID | The Security Identifier of the account. |
| Entity type | The type of entity (for example, User or Computer). |
| Domain | The Active Directory domain the account belongs to. |
| Service account type | The type of service account, if applicable. |
Policy information
The Password Policies tab shows a different set of columns:
| Column | Description |
|---|---|
| Name | The name of the password policy. |
| Provider | The identity provider that enforces the policy. |
| Maximum password age | The maximum number of days before a password must be changed. |
| Minimum password age | The minimum number of days before a password can be changed. |
| Password history length | The number of previous passwords that can't be reused. |
| Password complexity | Whether password complexity requirements are enabled. |
| Lockout threshold | The number of failed sign-in attempts before the account is locked. |
| Lockout duration | The duration of the account lockout after the threshold is reached. |
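
To cross-check the Active Directory rows on this tab against the directory itself, the following added example (not part of the original page or of Microsoft's tooling) reads the default domain policy and any fine-grained password policies with the ActiveDirectory PowerShell module and labels the values with the column names above. It assumes the RSAT ActiveDirectory module and read access to the domain; the helper name `ConvertTo-PolicyRow` is hypothetical, and when the module is missing the script runs on a constructed sample instead.

```powershell
# Added example: map AD password policy objects to the column names used in
# the Password Policies table. ConvertTo-PolicyRow is a hypothetical helper.
function ConvertTo-PolicyRow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        # The default domain policy object has no Name property, so use a label.
        [string] $DefaultName = 'Default Domain Policy'
    )
    process {
        [pscustomobject]@{
            Name                      = if ($Policy.Name) { $Policy.Name } else { $DefaultName }
            Provider                  = 'Active Directory'
            'Maximum password age'    = $Policy.MaxPasswordAge.Days
            'Minimum password age'    = $Policy.MinPasswordAge.Days
            'Password history length' = $Policy.PasswordHistoryCount
            'Password complexity'     = $Policy.ComplexityEnabled
            'Lockout threshold'       = $Policy.LockoutThreshold
            'Lockout duration'        = $Policy.LockoutDuration
            # Not a column in the table; reversible password storage is one of
            # the exposures the page mentions, so it is shown alongside.
            'Reversible encryption'   = $Policy.ReversibleEncryptionEnabled
        }
    }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    # Domain-wide policy plus every fine-grained policy (PSO), if any exist.
    $rows = @(Get-ADDefaultDomainPasswordPolicy | ConvertTo-PolicyRow) +
            @(Get-ADFineGrainedPasswordPolicy -Filter * | ConvertTo-PolicyRow)
} else {
    # Constructed sample values, not taken from any real domain.
    $sample = [pscustomobject]@{
        Name                        = 'Sample-PSO'
        MaxPasswordAge              = [timespan]::FromDays(42)
        MinPasswordAge              = [timespan]::FromDays(1)
        PasswordHistoryCount        = 24
        ComplexityEnabled           = $true
        LockoutThreshold            = 0
        LockoutDuration             = [timespan]::FromMinutes(30)
        ReversibleEncryptionEnabled = $false
    }
    $rows = @($sample | ConvertTo-PolicyRow)
}

$rows | Format-Table -AutoSize
```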