Hi A-XR219,
it's a pleasure to answer questions 😉 :
1) You can run the Azure AD Password Protection proxy service on a domain controller for testing, but that domain controller then requires internet connectivity. This connectivity can be a security concern. We recommend this configuration for testing only, so not in a production environment.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
2) Yes, it works even if you have only one Azure AD Password Protection Proxy. If this proxy becomes unavailable, the DC agent continues to use the local cached copy, but for sure you are not able to receive the most recently updated password policy:
================================================
The design of the Azure AD Password Protection DC agent software mitigates the usual problems that are associated with high availability. The Azure AD Password Protection DC agent maintains a local cache of the most recently downloaded password policy. Even if all registered proxy servers become unavailable, the Azure AD Password Protection DC agents continue to enforce their cached password policy.
================================================
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
Thank you for your questions A-XR219 😉
Daniele
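Since the answer covers the single-proxy and cached-policy case, here is an added PowerShell check (not part of Daniele's reply, nor Microsoft's own tooling) that shows whether each DC agent is still receiving fresh policy or is running on its cache. It assumes the AzureADPasswordProtection module installed with the proxy software; the cmdlets and property names follow the Microsoft documentation, while the two age thresholds are my own choice.

```powershell
# Added example (not from the original post): report whether each DC agent is still
# receiving fresh password policy, i.e. whether the proxy path is actually working.
# Assumes the AzureADPasswordProtection PowerShell module (installed with the proxy
# software) is available and that you run this on a domain-joined machine.
# Cmdlets and property names follow the Microsoft docs; the staleness thresholds are
# chosen here for illustration and are an assumption, not a Microsoft recommendation.
Import-Module AzureADPasswordProtection

$now = (Get-Date).ToUniversalTime()
$policyMaxAge    = New-TimeSpan -Hours 24  # how old a cached policy may be before we flag it
$heartbeatMaxAge = New-TimeSpan -Hours 2   # how old a proxy heartbeat may be before we flag it

# 1) Proxies: if the only proxy has a stale heartbeat, every DC agent is on cached policy.
$proxies = @(Get-AzureADPasswordProtectionProxy)
if ($proxies.Count -eq 0) {
    Write-Warning "No registered proxy found; DC agents can only enforce their cached policy."
}
foreach ($p in $proxies) {
    $age   = $now - $p.HeartbeatUTC
    $state = if ($age -gt $heartbeatMaxAge) { 'STALE' } else { 'OK' }
    "{0,-6} proxy {1} (domain {2}) last heartbeat {3:N0} min ago" -f $state, $p.ServerFQDN, $p.Domain, $age.TotalMinutes
}
if ($proxies.Count -eq 1) {
    Write-Warning "Only one proxy is registered: no redundancy for policy downloads."
}

# 2) DC agents: PasswordPolicyDateUTC is the timestamp of the policy the agent is enforcing.
#    An old value means the agent is running on its cache and is not seeing recent changes.
foreach ($a in Get-AzureADPasswordProtectionDCAgent) {
    $policyAge = $now - $a.PasswordPolicyDateUTC
    $state     = if ($policyAge -gt $policyMaxAge) { 'CACHED-ONLY' } else { 'CURRENT' }
    "{0,-11} DC {1} policy dated {2:u} ({3:N0} h old)" -f $state, $a.ServerFQDN, $a.PasswordPolicyDateUTC, $policyAge.TotalHours
}
```

Run it from a monitoring host on a schedule so a proxy outage shows up as DC agents drifting to CACHED-ONLY rather than being discovered only when a policy change fails to take effect.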