AzPolicyAdvertizer

last sync: 2025-Jun-23 17:30:06 UTC

Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords

Azure BuiltIn Policy definition

Source Azure Portal
Display name Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords
Id 5b054a0d-39e2-4d53-bea3-9734cad2c69b
Version 2.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
2.1.0
Built-in Versioning [Preview]
Category Guest Configuration
Microsoft Learn
Description Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.1.0'
Repository: Azure-Policy 5b054a0d-39e2-4d53-bea3-9734cad2c69b
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases IF (7)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/imageOffer Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.offer
properties.virtualMachineProfile.storageProfile.imageReference.offer
properties.creationData.imageReference.id		 True
True
True

False
False
False
Microsoft.Compute/imagePublisher Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.publisher
properties.virtualMachineProfile.storageProfile.imageReference.publisher
properties.creationData.imageReference.id		 True
True
True

False
False
False
Microsoft.Compute/imageSKU Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.sku
properties.virtualMachineProfile.storageProfile.imageReference.sku
properties.creationData.imageReference.id		 True
True
True

False
False
False
Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration Microsoft.Compute virtualMachines properties.osProfile.windowsConfiguration True True
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType Microsoft.Compute virtualMachines properties.storageProfile.osDisk.osType True True
Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType Microsoft.ConnectedVMwarevSphere virtualmachines properties.osProfile.osType True False
Microsoft.HybridCompute/imageOffer Microsoft.HybridCompute machines properties.osName True False
THEN-ExistenceCondition (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus Microsoft.GuestConfiguration guestConfigurationAssignments properties.complianceStatus True False
Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash Microsoft.GuestConfiguration guestConfigurationAssignments properties.parameterHash True False
Rule resource types IF (3)
Compliance
The following 21 compliance controls are associated with this Policy definition 'Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords' (5b054a0d-39e2-4d53-bea3-9734cad2c69b)
Rows: 1-10 / 21

Columns:

Close

Columns▼Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi
?
Page of 3
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CCCS IA-5(1) CCCS_IA-5(1) CCCS IA-5(1) Identification and Authentication Authenticator Management | Password-Based Authentication n/a (a) The information system, for password-based authentication, enforces minimum password complexity of case sensitive, minimum of eight characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters; (b) The information system, for password-based authentication, enforces that at least one of the characters are changed when new passwords are created; (c) The information system, for password-based authentication, stores and transmits only cryptographically-protected passwords; (d) The information system, for password-based authentication, enforces password minimum and maximum lifetime restrictions of one-day minimum, sixty-day maximum; (e) The information system, for password-based authentication prohibits password reuse for 24 generations; and (f) The information system, for password-based authentication allows the use of a temporary password for system logons with an immediate change to a permanent password. link 8
CMMC_2.0_L2 IA.L2-3.5.8 CMMC_2.0_L2_IA.L2-3.5.8 404 not found n/a n/a 4
CMMC_L3 IA.2.079 CMMC_L3_IA.2.079 CMMC L3 IA.2.079 Identification and Authentication Prohibit password reuse for a specified number of generations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Password lifetime restrictions do not apply to temporary passwords. link 5
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 306
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 306
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 306
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 306
FedRAMP_High_R4 IA-5(1) FedRAMP_High_R4_IA-5(1) FedRAMP High IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
FedRAMP_Moderate_R4 IA-5(1) FedRAMP_Moderate_R4_IA-5(1) FedRAMP Moderate IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
IRS_1075_9.3 .7.5 IRS_1075_9.3.7.5 IRS 1075 9.3.7.5 Identification and Authentication Authenticator Management (IA-5) n/a The agency must manage information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator b. Establishing initial authenticator content for authenticators defined by the agency c. Ensuring that authenticators have sufficient strength of mechanism for their intended use d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators e. Changing default content of authenticators prior to information system installation f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators g. Changing/refreshing authenticators h. Protecting authenticator content from unauthorized disclosure and modification i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators j. Changing authenticators for group/role accounts when membership to those accounts changes The information system must, for password-based authentication: a. Enforce minimum password complexity of: 1. Eight characters 2. At least one numeric and at least one special character 3. A mixture of at least one uppercase and at least one lowercase letter 4. Storing and transmitting only encrypted representations of passwords b. Enforce password minimum lifetime restriction of one day c. Enforce non-privileged account passwords to be changed at least every 90 days d. Enforce privileged account passwords to be changed at least every 60 days e. Prohibit password reuse for 24 generations f. Allow the use of a temporary password for system logon requiring an immediate change to a permanent password g. Password-protect system initialization (boot) settings link 12
ISO27001-2013 A.9.4.3 ISO27001-2013_A.9.4.3 ISO 27001:2013 A.9.4.3 Access Control Password management system Shared n/a Password management systems shall be interactive and shall ensure quality password. link 22
NIST_SP_800-171_R2_3 .5.8 NIST_SP_800-171_R2_3.5.8 NIST SP 800-171 R2 3.5.8 Identification and Authentication Prohibit password reuse for a specified number of generations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Password lifetime restrictions do not apply to temporary passwords link 4
NIST_SP_800-53_R4 IA-5(1) NIST_SP_800-53_R4_IA-5(1) NIST SP 800-53 Rev. 4 IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
NIST_SP_800-53_R5 IA-5(1) NIST_SP_800-53_R5_IA-5(1) NIST SP 800-53 Rev. 5 IA-5 (1) Identification and Authentication Password-based Authentication Shared n/a For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. link 15
op.acc.2 Access requirements op.acc.2 Access requirements 404 not found n/a n/a 61
PCI_DSS_V3.2.1 8.2.3 PCI_DSS_v3.2.1_8.2.3 PCI DSS v3.2.1 8.2.3 Requirement 8 PCI DSS requirement 8.2.3 customer n/a n/a link 6
PCI_DSS_V3.2.1 8.2.5 PCI_DSS_v3.2.1_8.2.5 PCI DSS v3.2.1 8.2.5 Requirement 8 PCI DSS requirement 8.2.5 customer n/a n/a link 6
PCI_DSS_v4.0 8.3.6 PCI_DSS_v4.0_8.3.6 PCI DSS v4.0 8.3.6 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: • A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). • Contain both numeric and alphabetic characters. link 9
SWIFT_CSCF_v2021 4.1 SWIFT_CSCF_v2021_4.1 SWIFT CSCF v2021 4.1 Prevent Compromise of Credentials Password Policy n/a Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. link 7
SWIFT_CSCF_v2022 4.1 SWIFT_CSCF_v2022_4.1 SWIFT CSCF v2022 4.1 4. Prevent Compromise of Credentials Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. Shared n/a All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. link 17
UK_NCSC_CSP 10 UK_NCSC_CSP_10 UK NCSC CSP 10 Identity and authentication Identity and authentication Shared n/a All access to service interfaces should be constrained to authenticated and authorised individuals. link 22
Initiatives usage
Rows: 1-10 / 20
Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi
?
Page of 2
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn true
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
Audit machines with insecure password security settings 095e4ed9-c835-4ab6-9439-b5644362a06c Guest Configuration GA BuiltIn true
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn true
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn true
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn true
PCI v3.2.1:2018 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn unknown
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-04-25 17:42:14 change Minor (2.0.0 > 2.1.0)
2022-01-28 17:51:01 change Major (1.0.0 > 2.0.0)
2020-09-09 11:24:03 add 5b054a0d-39e2-4d53-bea3-9734cad2c69b
JSON compare
compare mode: version left: version right:
2.0.0 → 2.1.0 RENAMED
@@ -1,18 +1,21 @@
1
  {
2
- "displayName": "Audit Windows machines that allow re-use of the previous 24 passwords",
3
  "policyType": "BuiltIn",
4
  "mode": "Indexed",
5
- "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords",
6
  "metadata": {
7
  "category": "Guest Configuration",
8
- "version": "2.0.0",
9
  "requiredProviders": [
10
  "Microsoft.GuestConfiguration"
11
  ],
12
  "guestConfiguration": {
13
  "name": "EnforcePasswordHistory",
14
- "version": "1.*"
 
 
 
15
  }
16
  },
17
  "parameters": {
18
  "IncludeArcMachines": {
@@ -27,8 +30,17 @@
27
  "false"
28
  ],
29
  "defaultValue": "false"
30
  },
 
 
 
 
 
 
 
 
 
31
  "effect": {
32
  "type": "String",
33
  "metadata": {
34
  "displayName": "Effect",
@@ -244,12 +256,20 @@
244
  "then": {
245
  "effect": "[parameters('effect')]",
246
  "details": {
247
  "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
248
- "name": "EnforcePasswordHistory",
249
  "existenceCondition": {
 
 
250
- "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
251
- "equals": "Compliant"
 
 
 
 
 
 
252
  }
253
  }
254
  }
255
  }
 
1
  {
2
+ "displayName": "Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords",
3
  "policyType": "BuiltIn",
4
  "mode": "Indexed",
5
+ "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24",
6
  "metadata": {
7
  "category": "Guest Configuration",
8
+ "version": "2.1.0",
9
  "requiredProviders": [
10
  "Microsoft.GuestConfiguration"
11
  ],
12
  "guestConfiguration": {
13
  "name": "EnforcePasswordHistory",
14
+ "version": "1.*",
15
+ "configurationParameter": {
16
+ "EnforcePasswordHistory": "[AccountPolicy]EnforcePasswordHistory;Enforce_password_history"
17
+ }
18
  }
19
  },
20
  "parameters": {
21
  "IncludeArcMachines": {
 
30
  "false"
31
  ],
32
  "defaultValue": "false"
33
  },
34
+ "EnforcePasswordHistory": {
35
+ "type": "String",
36
+ "metadata": {
37
+ "displayName": "Enforce password history",
38
+ "description": "The Enforce password history setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused.",
39
+ "portalReview": "true"
40
+ },
41
+ "defaultValue": "24"
42
+ },
43
  "effect": {
44
  "type": "String",
45
  "metadata": {
46
  "displayName": "Effect",
 
256
  "then": {
257
  "effect": "[parameters('effect')]",
258
  "details": {
259
  "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
260
+ "name": "[concat('EnforcePasswordHistory$pid', uniqueString(policy().assignmentId, policy().definitionReferenceId))]",
261
  "existenceCondition": {
262
+ "allOf": [
263
+ {
264
+ "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
265
+ "equals": "Compliant"
266
+ },
267
+ {
268
+ "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
269
+ "equals": "[base64(concat('[AccountPolicy]EnforcePasswordHistory;Enforce_password_history', '=', parameters('EnforcePasswordHistory')))]"
270
+ }
271
+ ]
272
  }
273
  }
274
  }
275
  }
JSON
api-version=2021-06-01
EPAC 
{7 items}