Password Management Checklist

Current NIST guidance: minimum 8 characters (15+ for privileged accounts), no forced periodic rotation, no composition rules, screening against known-breached password lists. If your Entra ID or AD policy still mandates 90-day rotation and special characters, update the policy and document the change for SOC 2 / ITGC evidence.

Turn on Entra ID Password Protection (cloud + on-prem agent) or equivalent screening against the HIBP / Pwned Passwords list. Add a custom banned-list entry for company name, product names, and local sports teams — those dominate the helpdesk-reset tail.

Smart lockout: 10 failed attempts, 60-second lockout, increasing on repeat. Tune so password-spray hits the lockout but a user fat-fingering once doesn't get paged. Review the lockout event log for spray patterns from a single source IP.

Conditional Access policy blocking IMAP, POP, SMTP AUTH, and other legacy auth endpoints org-wide. MFA on modern auth doesn't help if basic auth is still reachable — that's the most common bypass we see in IR reports.

Enumerate Domain Admins, Enterprise Admins, Schema Admins, Global Admins, and any group with delegated DCSync rights. Confirm each has a named human owner with a separate non-privileged daily-driver account. Helpdesk technicians should not appear here.

Pull the service-account inventory and flag any password older than 365 days. Migrate to gMSA where the host supports it; for the rest, rotate via the vault and validate every dependent service before closing the change ticket. This is where the "temporary" 6-year-old service account hides.

Phishing-resistant MFA (FIDO2 / WebAuthn / certificate-based) for all Tier 0 and Tier 1 accounts. SMS and voice are not acceptable for admins. Confirm break-glass accounts have hardware tokens stored in the safe with a documented sign-out log.

For Keeper, 1Password Business, Bitwarden, Hudu Vault, or Passportal: verify zero-knowledge architecture, master-password key derivation (PBKDF2 / Argon2 iterations), and that recovery keys are escrowed in a separate physical safe — not the same vault.

MSP-only: each client's credentials live in a dedicated vault or folder with role-scoped access. One technician compromise should not expose 50 clients. Audit cross-client access grants and revoke any that aren't currently needed for active engagements.

Push Intune / GPO to disable Chrome, Edge, and Firefox password save prompts on corporate devices, redirecting users to the sanctioned vault. Caching credentials in the browser profile is what makes laptop theft a credential incident.

Capture the percentage of active users with the vault deployed and at least one credential stored. Coverage under 80% means users are still keeping passwords in spreadsheets or sticky notes — schedule a follow-up campaign with HR and the affected managers.

Send a credential-harvest simulation through KnowBe4 or Hoxhunt focused on M365 / Okta login lookalikes. Repeat-clickers (3+ in 12 months) get manager-notified remediation training rather than another monthly round of generic content.

Confirm Entra ID sign-in logs, AD security events (4624/4625/4740/4771), VPN auth, and vault access logs are flowing into Sentinel / Splunk / Sumo. Spot-check yesterday's events end-to-end; broken log pipelines tend to fail silently.

Review the past 90 days of failed-auth alerts. Tune analytics for low-and-slow spray (one attempt per account across many accounts) and impossible-travel sign-ins. Document tuning decisions for SOC 2 evidence.

Walk the team through a scenario: a Tier 1 admin's session token is stolen via Evilginx. Test session revocation, token invalidation in Entra ID, conditional access enforcement, and customer-comms timing. Ninety minutes; one named scribe captures gaps.