Forum Discussion
On-Prem Azure AD Password Protection doesn't work
Even if a user's password contains a banned password, the password change has been accepted.
I have configured on-premises Azure Active Directory Password Protection on a customer tenant.
But even if a user's password contains a banned password, the server accepts the banned password.
It says it is compliant!
Troubleshooting shows that everything is correct.
VerifyProxyConnectivity
VerifyAzureConnectivityViaSpecificProxy
Test-AzureADPasswordProtectionDCAgentHealth -VerifyProxyConnectivity domain.com
Test-AzureADPasswordProtectionDCAgentHealth -VerifyAzureConnectivityViaSpecificProxy domain.com
Troubleshooting DC Agent
DC agent health tests
Test-AzureADPasswordProtectionDCAgentHealth -VerifyPasswordFilterDll
Test-AzureADPasswordProtectionDCAgentHealth -TestAll
Troubleshooting Proxy
Proxy verification of all tests
Test-AzureADPasswordProtectionProxyHealth -TestAll
DC Agent version is the latest version: 1.2.177.1
Do you have ideas why it is not working?
Microsoft says that even if the user's password contains a banned word, the password change will be accepted if it is compliant with password policy complexity 🙂
Does anyone have experience with this?
Thanks In Advance!
Farhad
There are several reasons why a weak password is still accepted; check the link below:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-troubleshoot#weak-passwords-are-being-accepted-but-should-not-be
TylerRindelsMS (Microsoft)
fkh090 - Refer to the "Score Calculation" section in this article: Password protection in Azure Active Directory - Microsoft Entra | Microsoft Learn. Even if you have a banned word in your password, you may get an acceptable password if you have additional characters in your password that bring your score up to 5.
Example:
Banned Word: Password
Password: Password1! (Score: 3 -> Rejected)
Password: P@ssword (Score: 1 -> Rejected)
Password: Passw0rd1!@#$% (Score: 7 -> Accepted)
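The scoring in the reply above, reproduced as an added example that is not part of the original posts and is not Microsoft's code. It assumes the normalization (lowercasing plus the substitutions 0→o, 1→l, $→s, @→a) and the point rules from the linked "Score Calculation" documentation, matches banned words exactly only (the service's fuzzy matching and global banned list are left out), and the names `normalize`, `score` and `is_accepted` are made up for this example.

```python
# Simplified model of the Azure AD Password Protection score calculation.
# Added example, not Microsoft's implementation. Assumptions: exact substring
# matching only (no edit-distance-1 fuzzy matching, no global banned list,
# no user/tenant name checks); substitution table as documented by Microsoft.

SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5  # a password needs at least 5 points to be accepted


def normalize(text):
    """Lowercase the text and undo the common character substitutions."""
    return text.lower().translate(SUBSTITUTIONS)


def score(password, banned_words):
    """One point per banned-word match, one per character outside any match."""
    text = normalize(password)
    used = [False] * len(text)  # marks characters consumed by a banned word
    # Longest terms first, so a long banned word wins over a shorter overlap.
    terms = sorted({normalize(w) for w in banned_words if w}, key=len, reverse=True)
    points = 0
    for term in terms:
        start = text.find(term)
        while start != -1:
            span = range(start, start + len(term))
            if any(used[i] for i in span):
                start = text.find(term, start + 1)  # overlaps an earlier match
                continue
            for i in span:
                used[i] = True
            points += 1
            start = text.find(term, start + len(term))
    return points + used.count(False)


def is_accepted(password, banned_words):
    """True when the score reaches the minimum of 5 points."""
    return score(password, banned_words) >= MIN_SCORE


if __name__ == "__main__":
    banned = ["Password"]  # custom banned list from the example in the reply
    for candidate in ["Password1!", "P@ssword", "Passw0rd1!@#$%"]:
        verdict = "Accepted" if is_accepted(candidate, banned) else "Rejected"
        print(f"{candidate!r}: score {score(candidate, banned)} -> {verdict}")
```

Running it against a tenant's custom banned list shows which additions of extra characters push a password containing a banned word over the threshold, which helps when deciding what else belongs on the list.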