Microsoft
MicrosoftHi Daniele De Angelis
Thank you for writing this blog it is very useful for the community.
Based on my research and understanding I have come to the conclusion that a default installation of AAD Password Protection on-prem supplements any existing on-prem password policy. That is, when a password change/set is processed it is first evaluated against existing complexity, length and history rules, that are set in AD; if it passes that stage it is then assessed against the additional functionality introduced by AAD PP. For that reason when introducing the AAD PP service it is recommended to review existing password policies (both your written policy and policy applied by GPO).
Is my logic correct?
Reference:
“Azure AD Password Protection acts as a supplement to the existing AD DS password policies, not a replacement.” - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
"To enforce both the default Windows password filter and the custom password filter, ensure that the Passwords must meet complexity requirements policy setting is enabled. Otherwise, disable the Passwords must meet complexity requirements policy setting.” - https://docs.microsoft.com/en-us/windows/win32/secmgmt/installing-and-registering-a-password-filter-dll
