Forum Discussion
Azure password protection
We have a hybrid Azure infrastructure with an AD Connector installed on-prem and configured for PTA. We installed the password protection server and registered it with the Azure tenant, then deployed the DC agent on all domain controllers. Both the proxy and agents are operational. We published a few banned words to block in case anyone uses them. For testing, I changed my password to include one of the banned words. To my surprise, I was able to change the password. I checked the corresponding logon server, and the DC event viewer showed that the password was validated, but the banned word was in the password list that Azure set to enforce. Why is it not blocking the change?
1 Reply
If a banned password is still accepted, it typically indicates one of these conditions:
- The DC Agent has not yet downloaded the latest policy version.
- The Password Protection Proxy has not synchronized the updated banned word list with Azure.
- The password passed the strength scoring algorithm — the banned word list is only one part of the evaluation, not the sole blocker.
Check the Domain Controller logs under:
Event Viewer → Applications and Services Logs → Microsoft → AzureADPasswordProtection → Admin
This log will show:
- Which policy version is being enforced.
- Whether the banned word list contains the word you tested.
- Whether the password was blocked or allowed and why.
If the policy version is outdated, force a policy refresh or restart the Proxy service.
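A way to run through these checks from PowerShell, added here as an example rather than code from the original thread. It assumes the AzureADPasswordProtection module is installed on the proxy server or a domain controller, that the DC agent writes its evaluation events to the Admin log named below, and that the event IDs listed are the ones the agent uses for rejected and audit-only outcomes; the user name and the time the banned list was published are placeholders you replace with your own values.

```powershell
# Added example (not from the original post): triage why a banned password was accepted.
# Run elevated on the proxy or a DC that has the AzureADPasswordProtection module.
# Assumptions: log name and event IDs below match the DC agent's documented behaviour;
# adjust them if your agent version reports differently.

#Requires -RunAsAdministrator

$LogName = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'

# Placeholders: the account you tested with and when you published the banned list (UTC).
$TestUser              = 'CONTOSO\testuser'
$BannedListPublishedUtc = [datetime]::Parse('2024-01-01T12:00:00Z').ToUniversalTime()

# Event IDs the DC agent writes when a password fails (or would fail) the policy.
$Outcome = @{
    10014 = 'REJECTED (enforce mode, password change)'
    10015 = 'REJECTED (enforce mode, password set/reset)'
    10016 = 'WOULD HAVE BEEN REJECTED (audit mode, password change)'
    10017 = 'WOULD HAVE BEEN REJECTED (audit mode, password set/reset)'
}

function Get-PolicyFreshness {
    # Flag DC agents whose stored policy predates the banned-list change:
    # such an agent is still enforcing the old list.
    param([datetime]$PublishedUtc)
    Get-AzureADPasswordProtectionDCAgent | ForEach-Object {
        [pscustomobject]@{
            DC            = $_.ServerFQDN
            PolicyDateUtc = $_.PasswordPolicyDateUTC
            HeartbeatUtc  = $_.HeartbeatUTC
            StalePolicy   = ($_.PasswordPolicyDateUTC -lt $PublishedUtc)
        }
    }
}

function Get-PasswordEvaluation {
    # Pull recent rejection / audit events for one user from the DC agent Admin log.
    param([string]$User, [int]$Hours = 24)
    $filter = @{ LogName = $LogName; Id = [int[]]$Outcome.Keys; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($User) } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Outcome = $Outcome[$_.Id]; Detail = $_.Message }
        }
}

# 1. Proxy and DC agent registration / heartbeat.
Write-Host '== Proxy servers registered with the tenant =='
Get-AzureADPasswordProtectionProxy | Format-Table ServerFQDN, SoftwareVersion, HeartbeatUTC, AzureTenant

Write-Host '== DC agents and policy freshness =='
$agents = Get-PolicyFreshness -PublishedUtc $BannedListPublishedUtc
$agents | Format-Table
if ($agents | Where-Object StalePolicy) {
    Write-Warning 'At least one DC agent has not downloaded a policy newer than your banned-list change.'
}

# 2. Agent self-tests (connectivity to the forest share, policy availability, etc.).
Write-Host '== DC agent health =='
Get-AzureADPasswordProtectionDCAgentHealth -TestAll | Format-Table

# 3. What the agent actually decided for the test account.
$events = Get-PasswordEvaluation -User $TestUser
if (-not $events) {
    Write-Host "No rejection or audit events for $TestUser in the last 24h: the password passed evaluation."
    Write-Host 'Check that the policy date above is newer than your change and that the word is in the list.'
} else {
    $events | Format-Table Time, Id, Outcome
    if ($events | Where-Object { $_.Id -in 10016, 10017 }) {
        Write-Warning 'Audit-mode events: the policy logs the violation but does not block the change.'
    }
}
```

Run it on the domain controller that handled the password change (the logon server you identified) so the Admin log query reads the right machine; the registration and health cmdlets read forest-wide state and work from the proxy as well.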