Forum Discussion
Solved
Azure passowrd protection
We have a hybrid Azure infrastructure with an AD Connector installed on-prem and configured for PTA. We installed the password protection server and registered it with the Azure tenant, then deployed...
If a banned password is still accepted, it typically indicates one of these conditions:
- The DC Agent has not yet downloaded the latest policy version.
- The Password Protection Proxy has not synchronized the updated banned word list with Azure.
- The password passed the strength scoring algorithm — the banned word list is only one part of the evaluation, not the sole blocker.
Check the Domain Controller logs under:
Event Viewer → Applications and Services Logs → Microsoft → AzureADPasswordProtection → Admin
This log will show:
- Which policy version is being enforced.
- Whether the banned word list contains the word you tested.
- Whether the password was blocked or allowed and why.
If the policy version is outdated, force a policy refresh or restart the Proxy service.
If a banned password is still accepted, it typically indicates one of these conditions:
- The DC Agent has not yet downloaded the latest policy version.
- The Password Protection Proxy has not synchronized the updated banned word list with Azure.
- The password passed the strength scoring algorithm — the banned word list is only one part of the evaluation, not the sole blocker.
Check the Domain Controller logs under:
Event Viewer → Applications and Services Logs → Microsoft → AzureADPasswordProtection → Admin
This log will show:
- Which policy version is being enforced.
- Whether the banned word list contains the word you tested.
- Whether the password was blocked or allowed and why.
If the policy version is outdated, force a policy refresh or restart the Proxy service.