Password Protection and Authentication Troubleshooting
Implement Microsoft Entra Password Protection to ban weak passwords, and develop a systematic approach to investigating and resolving authentication issues.
Stopping weak passwords at the source
”Company2026!” passes every traditional password policy. It’s got uppercase, lowercase, numbers, and a symbol. But it’s still a terrible password — and attackers know it.
Microsoft Entra Password Protection goes beyond length and complexity rules. It bans known weak passwords, common patterns, and lets you add your own banned terms (like your company name). It works for cloud passwords AND on-premises AD passwords (with an agent).
The second part of this module covers what to do when authentication breaks — systematic troubleshooting using sign-in logs, diagnostic tools, and common resolution patterns.
Microsoft Entra Password Protection
How the evaluation works
When a user sets or changes a password, Password Protection:
- Normalises the password — converts to lowercase, substitutes common replacements (@ → a, 0 → o, $ → s, etc.)
- Checks against the global banned list — thousands of known weak passwords
- Checks against your custom banned list — your organisation-specific terms
- Applies fuzzy matching — catches variations within edit distance of banned terms
- Scores the password — each unique token scores a point; needs 5+ points to pass
Custom banned password list
Elena adds these terms for MedGuard Health:
| Banned Term | What It Catches |
|---|---|
medguard | MedGuard1!, M3dgu@rd2024, MedGuardHealth |
patient | Patient123, p@tient!, PatientData2025 |
auckland | Auckland2024, @uckl@nd!, AucklandNZ |
health | Health123!, H3@lth2025 (already on global list variants) |
On-premises deployment
For hybrid environments, Password Protection extends to on-prem AD:
- Install the Proxy service — on a domain-joined server with internet access
- Install the DC Agent — on every domain controller
- Configure mode — Audit (log but don’t block) or Enforce (block weak passwords)
Exam tip: Audit mode first
Always deploy Password Protection in Audit mode first. This logs which passwords would be rejected without actually blocking them. After reviewing the audit data (how many users would be affected, which passwords are weak), switch to Enforce mode.
The exam may ask: “Dev deploys Password Protection for a new client. Users report they can’t change their passwords. What went wrong?” → Check if Enforce mode was enabled without an audit period. Users may be trying common patterns that are now blocked.
Authentication troubleshooting
The sign-in logs — your primary tool
Entra admin center > Monitoring > Sign-in logs shows every authentication attempt with:
| Column | What It Tells You |
|---|---|
| User | Who tried to sign in |
| Application | Which app they were accessing |
| Status | Success or failure (with error code) |
| Conditional Access | Which CA policies were evaluated and their result |
| MFA | Whether MFA was required and how it was satisfied |
| Location | IP address and geographic location |
| Device | OS, browser, compliance status |
| Risk | Sign-in risk level (none, low, medium, high) |
Common authentication errors
| Error Code | Meaning | Common Fix |
|---|---|---|
| AADSTS50126 | Invalid username or password | Verify credentials, check password sync status |
| AADSTS50076 | MFA required | User must complete MFA (check if method is registered) |
| AADSTS53003 | Blocked by Conditional Access | Review CA policy — user/device doesn’t meet conditions |
| AADSTS50105 | User not assigned to application | Assign the user to the enterprise application |
| AADSTS700016 | Application not found | Verify app registration and tenant |
| AADSTS50059 | No tenant information in request | Check sign-in URL includes tenant context |
Dev’s troubleshooting methodology
When a client’s user reports “I can’t sign in,” Dev follows this systematic approach:
- Check sign-in logs — find the specific failed attempt, note the error code
- Check Conditional Access — was a CA policy blocking access? (most common cause at enterprise level)
- Check MFA status — is the user registered for MFA? Did the MFA attempt fail?
- Check account status — is the account enabled? Is it locked? Is the password expired?
- Check sync status — for hybrid users, is the account properly synced? Password hash up to date?
- Check application assignment — is the user assigned to the enterprise app they’re trying to access?
Deep dive: Conditional Access troubleshooting with What If
The What If tool in Conditional Access lets you simulate a sign-in scenario:
- Select a user, application, device platform, location, and risk level
- The tool shows which CA policies would apply and their outcome (grant, block, MFA required)
- This is invaluable for diagnosing “why can’t user X access app Y?”
Access: Entra admin center > Protection > Conditional Access > What If
The exam loves the What If tool. If a question asks “How should Elena determine which CA policy is blocking a user?” → Use the What If tool to simulate the scenario.
Key concepts to remember
Knowledge check
Dev's client has deployed Microsoft Entra Password Protection in Enforce mode. A user tries to change their password to 'NimbleCloud2026!' and it's rejected. The user complains that the password meets complexity requirements. Why was it rejected?
A MedGuard Health nurse reports she can't access a clinical application from her personal phone. Elena checks the sign-in logs and sees error AADSTS53003. What should Elena do next?
🎬 Video coming soon
Next up: Entra Identity Protection and Risk Policies — detecting risky sign-ins and compromised accounts automatically.