Microsoft on premises and cloud based password ban support.


Basically, in the on-premises mode, a fussy match is performed on a password list (an edit distance of 1).
In the cloud setup, a cloud call is made to validate the password against an unpublished database of vulnerable password.

This MS feature ads a password filter (that is able to reject the password if it is vulnerable).
In order to support this,
1. NetIQ's password filter should not sync the rejected password (it should come after the filter of MS)
2. NMAS (SSPR?) should be able to do the same cloud call to validate the password against the unpublished database of vulnerable password