Phillip_from_the_block
Copper Contributor
Jul 19, 2022

AZURE AD Password Protection Requirements

As we prepare to install the Azure AD Password Protection DC Agent, we have three Windows 2008 servers which are not compatible as per the notes below, but we are building a 2016 DC.

 

Do we need to install the Azure AD Password Protection Agent on every DC, or is it OK on just one DC?

 

Your response will be highly appreciated.

 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

1 Reply

  • The answer is yes. To ensure consistent enforcement of password policies across your domain, you must install the Azure AD Password Protection DC Agent on every domain controller (DC):

    • The DC Agent only validates passwords on the DC where it's installed.
    • Windows clients don't target specific DCs for password changes, so if a password change hits a DC without the agent, the policy won't be enforced.
    • Partial deployment is only recommended for testing, not production use.
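
The coverage requirement in the reply above can be checked with a short audit. This is an added example, not part of the original thread or of Microsoft's tooling; it assumes the RSAT ActiveDirectory module, CIM/WinRM access to each DC, and that the DC Agent registers a Windows service named `AzureADPasswordProtectionDCAgent`.

```powershell
# Added example: report which domain controllers are running the
# Azure AD Password Protection DC Agent and which are coverage gaps.
# Assumptions: ActiveDirectory module installed, CIM (WinRM) reachable on
# each DC, DC Agent service name is AzureADPasswordProtectionDCAgent.
Import-Module ActiveDirectory

$serviceName = 'AzureADPasswordProtectionDCAgent'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Default when the DC cannot be queried (offline, WinRM disabled, access denied).
    $status = 'Unreachable'
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName `
                   -Filter "Name='$serviceName'" -ErrorAction Stop
        if (-not $svc) {
            $status = 'NotInstalled'
        } elseif ($svc.State -eq 'Running') {
            $status = 'Running'
        } else {
            # Installed but stopped or paused: passwords are not validated here.
            $status = "Installed ($($svc.State))"
        }
    } catch {
        Write-Verbose "Query failed for $($dc.HostName): $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        OperatingSystem  = $dc.OperatingSystem
        AgentStatus      = $status
    }
}

$report | Sort-Object AgentStatus, DomainController | Format-Table -AutoSize

# Any DC that is not 'Running' can accept a password change without the policy check.
$gaps = @($report | Where-Object { $_.AgentStatus -ne 'Running' })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} of {1} domain controllers do not enforce the policy: {2}" -f `
        $gaps.Count, @($report).Count, ($gaps.DomainController -join ', '))
}
```

The `OperatingSystem` column makes it easy to spot DCs, such as the Windows 2008 servers mentioned in the question, that need to be upgraded or retired before coverage is complete.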
