Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises

Thanks for the write-up, this looks great. One question though: is there a reason this is not bundled into the Azure AD Connect software that most of us already have?

Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises

Hi @DKord,
many thanks for your question! In my honest opinion I would like to say......why not? :)
But I need to be honest: actually these two services (Azure AD Password Protection Proxy and AD Connect) are in two different software packages, so we will see in the future if something changes. Thanks again.

Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises

How does this DC agent behave in conjunction with the Microsoft Password Change Notification tool?
I'm guessing there are no issues, as it basically uses the same methodology as the Azure AD Connect sync to synchronize hashes to the cloud?

RE: Step-By-Step: Implementing Azure AD Password Protection On-Premises

Hi @Micki Wulffeld,
the Microsoft Password Change Notification Service uses a password filter (Pcnsflt.dll); the password filter is used to obtain passwords from Active Directory. The password notification filter runs simultaneously with other filters that are running on the domain controller (this means that it can work with the Azure AD Password Protection DC Agent password filter).
Reference: https://docs.microsoft.com/en-us/microsoft-identity-manager/infrastructure/mim2016-password-management

Also I have found this:
======================================================
Question: Is it supported to install Azure AD Password Protection side by side with other password-filter-based products?
Yes. Support for multiple registered password filter DLLs is a core Windows feature and not specific to Azure AD Password Protection. All registered password filter DLLs must agree before a password is accepted.
======================================================
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq

So in the end, there is no reason why they should not work together, but if you find an issue, we are here to solve it.

Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises

Great article. One question. We have an empty root domain; you mention the proxy needs to be a member of the root domain? Can it not be a member of the child domain?

Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises

Hi @AndyWallace12030,
correct, in my scenarios I placed the proxy in the root domain, but if you already have, for example, the Azure AD Connect servers in a child domain like IT.CONTOSO.COM, you can install the Azure AD Password Protection proxy service on those servers and it works, because the other DCs in the forest are able to locate them via the SCP (Service Connection Point) published in AD, even if the proxies are in the child domain.
Both scenarios (proxy in the root or proxy in the child domain) are supported.
Many thanks for your question! :)

Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises

Nice post Dado

Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises

You mention that "You can configure a minimum of one DC per domain and the other DCs will take the new policy from the Sysvol replication" but then state "As you can see one DC in the IT.CONTOSO.DOMAIN don't have the DC Agent, because the change password can happens on any DC, this configuration is not secure and not recommended." This seems conflicting? Is the one-DC option for testing only?

Thanks!

Step-By-Step: Implementing Azure AD Password Protection On-Premises

I travel a lot in Italy, and I keep seeing customers asking for the same things. One request is the ability to block specific passwords in Active Directory. Unfortunately too many users have BAD habits, such as using the company name as the password. In those cases, the security team wants to block easy and well-known passwords.

In Active Directory you can enable some GPO settings that help you enforce strong passwords, such as:

1. Minimum Password Length (https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length?WT.mc_id=ITOPSTALK-blog-abartolo)
2. Minimum Password Age (https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-age?WT.mc_id=ITOPSTALK-blog-abartolo)
3. Maximum Password Age (https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-password-age?WT.mc_id=ITOPSTALK-blog-abartolo)
4. Password must meet complexity requirements (https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements?WT.mc_id=ITOPSTALK-blog-abartolo)
5. Enforce Password History (https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enforce-password-history?WT.mc_id=ITOPSTALK-blog-abartolo)

However, with a minimum password length of 8 characters and these GPOs, we still cannot prevent well-known passwords that satisfy every complexity rule, such as:

"P@$$w0rd" or "Pippo01!"

Azure AD Password Protection is finally what we need to strengthen the password policies in your organization. With this feature you apply the same checks that Azure AD performs on cloud passwords to your on-premises Active Directory. You can enforce both the Microsoft global banned-password list and the custom banned-password list stored in your Azure AD tenant.

What are the Design Principles?

Azure AD Password Protection is based on several design principles (available here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises#design-principlesunfortunately), but I would like to emphasize the most important ones:

1. Your DCs never talk directly to Azure (you need to install the Azure AD Password Protection Proxy Service). The proxy is the only component that opens a listener: it accepts RPC calls from the DC agents and makes outbound HTTPS connections to Azure AD.
2. Your DCs are never exposed to the internet.
3. The Azure AD Password Protection DC Agent opens no listening ports on the Domain Controllers.
4. Neither the Proxy Service nor the DC Agent needs a dedicated service account; both run as LOCAL SYSTEM. You do need a Global Administrator of your tenant and a Domain Administrator to register the Proxy Service and the forest, but only once.
5. No schema update and no specific domain or forest functional level (DFL/FFL) is required.
6. Deployment can be incremental: agents can be rolled out DC by DC.

How does it work?

1. A user requests a password change on a Domain Controller.
2. The DC Agent password filter DLL receives the password validation request from the OS and forwards it to the Azure AD Password Protection DC Agent service installed on the same DC. The agent validates the password against the locally stored copy of the Azure password policy, so validation never depends on a live connection to Azure; only policy refresh does.
3. Once per hour the DC Agent locates an Azure AD Password Protection Proxy Service in the forest via the SCP (Service Connection Point) and downloads a fresh copy of the Azure password policy.
4. The DC Agent receives the new version of the Azure password policy from the proxy service and stores it in Sysvol, so the new policy replicates to all other DCs in the same domain.

The Azure password policies are stored in Sysvol as shown here:

[Image: Sysvol_AADPP.png]

It is not necessary for all DCs to be able to communicate with the Azure AD Password Protection Proxy Server. In a very complex Active Directory environment you can configure a minimum of one DC per domain to connect to the AAD Password Protection Proxy Servers, and the other DCs will pick up the new policy from Sysvol replication. Note that this applies to proxy connectivity only: the DC Agent itself must still be installed on every DC in the domain, because a password change can be processed by any DC. On the DCs that cannot reach a proxy you will see warnings of this type:

    Log Name:      Microsoft-AzureADPasswordProtection-DCAgent/Admin
    Source:        Microsoft-AzureADPasswordProtection-DCAgent
    Date:          15/05/2019 23:37:39
    Event ID:      30018
    Task Category: None
    Level:         Warning
    Keywords:
    User:          SYSTEM
%3EComputer%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20ITDC01.IT.CONTOSO.COM%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3EDescription%3A%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20size%3D%222%22%3EOne%20or%20more%20Azure%20AD%20Password%20Protection%20Proxy%20servers%20were%20found%20in%20the%20forest%20but%20this%20machine%20was%20unable%20to%20establish%20network%20connectivity%20to%20any%20of%20them.%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3E%26nbsp%3B%3C%2FFONT%3E%3CFONT%20size%3D%222%22%3EThis%20operation%20will%20be%20run%20periodically%20and%20may%20succeed%20in%20future%20attempts%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23ff0000%22%20size%3D%222%22%3E%26nbsp%3BThis%20may%20be%20an%20expected%20and%20benign%20condition%20depending%20on%20how%20the%20network%20environment%20is%20configured.%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3E%26nbsp%3B%3C%2FFONT%3E%3CFONT%20color%3D%22%23ff0000%22%3E%3CFONT%20size%3D%222%22%3EThis%20domain%20controller%20may%20be%20able%20to%20obtain%20updated%20password%20policies%20via%20sysvol%20replication%20if%20other%20domain%20controllers%20do%20have%20proxy%20connectivity.%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FDIV%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3EHow%20can%20I%20deploy%20the%20Azure%20AD%20Password%20Protection%3F%3C%2FSTRONG%3E%3C%2FFONT%3E%3CFONT%20size%3D%224%22%3E%3CSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EThe%20following%20is%20a%20an%20example%20of%20a%20simple%20scenario%20to%20understand%20how-to%20deploy%20this%20feature%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20883px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F115685i173C981D25A63528%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt
%3D%22AADPP_schema.png%22%20title%3D%22AADPP_schema.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CFONT%20size%3D%224%22%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3ESince%20your%20DCs%20never%20talk%20directly%20with%20Azure%20you%20need%20at%20least%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E2%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20Proxy%20Server%3C%2FFONT%3E%20per%20Forest%3C%2FSTRONG%3E%20for%20high%20availability%20and%20should%20be%20placed%20in%20the%20Root%20Domain.%20%3C%2FFONT%3EThe%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%233333
33%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20Proxy%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EServers%3C%2FSTRONG%3E%20must%20be%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EWindows%20Server%202012R2%20or%20above%3C%2FSTRONG%3E.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3EDownload%20the%20%3CSTRONG%3E%3CA%20title%3D%22Azure%20AD%20Password%20Protection%20software%22%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D57071%2520%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20
noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20AD%20Password%20Protection%20software%3C%2FA%3E%3C%2FSTRONG%3E%20(Proxy%20and%20DC%20Agent)%3A%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20685px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113651i092CF723764A1ABA%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22AADPP_software.png%22%20title%3D%22AADPP_software.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%0A%26nbsp%3B%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%26nbsp%3BBe%20sure%20to%20have%20installed%20%3CA%20title%3D%22.NET%20Framework%204.7%22%20href%3D%22https%3A%2F%2Fdotnet.microsoft.com%2Fdownload%2Fdotnet-framework%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noo
pener%20noreferrer%22%3E.NET%20Framework%204.7%3C%2FA%3E%20at%20minimum%20on%20these%20Proxy%20Servers.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EAll%20the%20server%20DCs%20and%20Proxy%20Services%20require%20the%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F2999226%2Fupdate-for-universal-c-runtime-in-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUniversal%20C%20runtime%20for%20Windows%3C%2FA%3E.%3CBR%20%2F%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EInstall%20the%20Proxy%20Service%20(%3CSTRONG%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EAzureADPasswordProtectionProxySetup%3C%2FFONT%3E.exe%3C%2FSTRONG%3E)%20on%20the%20two%20Servers%2C%20joined%20to%20the%20root%20domain%3A%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%200px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113636i251C4AC0AAC04088%2Fimage-size%2Fsmall%3Fv%3D1.0%26amp%3Bpx%3D200%22%20width%3D%220%22%20height%3D%220%22%20alt%3D%22Install_Proxy_1.png%22%20title%3D%22Install_Proxy_1.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20265px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113642i4379BCC2541C99D4%2Fimage-dimensions%2F265x167%3Fv%3D1.0%22%20width%3D%22265%22%20height%3D%22167%22%20alt%3D%2
2Install_Proxy_1.png%22%20title%3D%22Install_Proxy_1.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20263px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113637i4892339CB131849E%2Fimage-dimensions%2F263x166%3Fv%3D1.0%22%20width%3D%22263%22%20height%3D%22166%22%20alt%3D%22Install_Proxy_2.png%22%20title%3D%22Install_Proxy_2.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20266px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113638iA5CDFD6CB21392FB%2Fimage-dimensions%2F266x168%3Fv%3D1.0%22%20width%3D%22266%22%20height%3D%22168%22%20alt%3D%22Install_Proxy_3.png%22%20title%3D%22Install_Proxy_3.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3EYou%20can%20also%20complete%20this%20via%20%3CA%20title%3D%22Silent%20installation%20from%20the%20command%20line%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-deploy%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESilent%20installation%20from%20the%20command%20line%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWith%20the%20installation%20of%20the%20Proxy%20Service%20completed%2C%20you%20can%20open%20PowerShell%20and%20can%20see%20a%20new%20module%2C%20%3CSTRONG%3E%3CSPAN%20style%3D%22text-align%3A%20left%3B%20color%3A%20%23333333%3B%20text-transform%3A%20none%3B%20line-height%3A%201.
7142%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20text-decoration%3A%20none%3B%20word-spacing%3A%200px%3B%20display%3A%20inline%20!important%3B%20white-space%3A%20normal%3B%20cursor%3A%20text%3B%20orphans%3A%202%3B%20float%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20background-color%3A%20%23ffffff%3B%22%3EAzureADPasswordProtection%2C%20%3C%2FSPAN%3E%3C%2FSTRONG%3Einstalled.%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CPRE%3EPS%20C%3A%5C%26gt%3B%20Get-Command%20-Module%20AzureADPasswordProtection%0A%0ACommandType%20%20%20%20%20Name%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20ModuleName%0A-----------%20%20%20%20%20----%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20----------%0AFunction%20%20%20%20%20%20%20%20Get-AzureADPasswordProtectionSummaryReport%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Get-AzureADPasswordProtectionDCAgent%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Get-AzureADPasswordProtectionProxy%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Get-AzureADPasswordProtectionProxyConfiguration%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Register-AzureADPasswordProtectionForest%20%20%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Register-AzureADPasswordProtectionProxy%20%20%20%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Set-AzureADPasswordProtectionProxyConfiguration%20%20%20%20AzureADPasswordProtection%3C%2FPRE%3E%0A%26nbsp%3B%3CBR%20%2F%3EYou%20ca
n%20also%20open%20the%20event%20log%20and%20can%20see%20new%20Event%20logs%20for%20the%20installed%20Service%3A%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113881i7E80133CD3565208%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22AADPPP_EventLogs.png%22%20title%3D%22AADPPP_EventLogs.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EAll%20the%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EDCs%3C%2FSTRONG%3E%20must%20be%20at%20least%20%3CSTRONG%3EWindows%20Server%202012%20or%20above.%20%3C%2FSTRONG%3EYou%20now%20need%20to%20install%20the%20package%20%3CSTRONG%3E%22%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EAzureADPasswordProtectionDCAgentSetup%3C%2FFONT%3E.msi%22%3A%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20302px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113656i957E3C2A5DDBEF77%2Fimage-dimensions%2F302x234%3Fv%3D1.0%22%20width%3D%22302%22%20height%3D%22234%22%20alt%3D%22Install_Agent_1.png%22%20title%3D%22Install_Agent_1.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20300px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113655i0E3FC87308C3ADD8%2Fimage-dimensions%2F300x234%3Fv%3D1.0%22%20width%3D%22300%22%20height%3D%22234%22%20alt%3D%22Install_Agent_2.png%22%20title%3D%22Install_Agent_2.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-ali
gn-inline%22%20style%3D%22width%3A%20299px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113654i5E62FB5B05D783C1%2Fimage-dimensions%2F299x143%3Fv%3D1.0%22%20width%3D%22299%22%20height%3D%22143%22%20alt%3D%22Install_Agent_3_Restart.png%22%20title%3D%22Install_Agent_3_Restart.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CBR%20%2F%3E%3C%2FSTRONG%3EAs%20you%20can%20see%20the%20DC%20Agents%20installation%20%3CU%3E%3CSTRONG%3Erequire%20the%20reboot%20of%20the%20DC%3C%2FSTRONG%3E%3C%2FU%3E%20and%20also%20in%20this%20case%20if%20you%20want%20you%20can%20use%20the%20%3CA%20title%3D%22Silent%20installation%20with%20the%20command%20line%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-deploy%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESilent%20installation%20with%20the%20command%20line%3C%2FA%3E.%20But%20please%20remember%20to%20put%20the%20%3CSTRONG%3E%2Fnorestart%20%3C%2FSTRONG%3Eparameter%20to%20avoid%20the%20immediate%20restart%20of%20the%20DC.%3CBR%20%2F%3E%3CBR%20%2F%3EAfter%20the%20installation%2C%20on%20the%20DC%20you%20will%20see%20a%20new%20Eventlog%20for%20the%20agent%3A%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20740px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113893iF1B5B3CC2B92062C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22AADPPDCA_Eventlog.png%22%20title%3D%22AADPPDCA_Eventlog.pn
g%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EBy%20default%20the%26nbsp%3B%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20bold%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20DC%20Agent%3C%2FFONT%3E%3C%2FSTRONG%3E%20use%20the%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ETCP%20port%20135%20and%20the%20dynamic%20ports%20range%3C%2FSTRONG%3E%20to%20connect%20to%20the%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20Proxy%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EServers%2C%3C%2FSTRONG%3E%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3E%3CFONT%20style%3D%22background-co
lor%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3Eso%20this%20ports%20must%20be%20open%20at%20the%20network%20level%2C%20but%20if%20you%20prefer%2C%20you%20can%20configure%20the%20proxy%20Service%20to%20Listen%20on%20a%20specific%20ports.%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FFONT%3E%0A%3CPRE%3ESet-AzureADPasswordProtectionProxyConfiguration%20%E2%80%93StaticPort%20%26lt%3Bportnumber%26gt%3B%3C%2FPRE%3E%0A%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3E%3CU%3EThis%20command%20must%20be%20executed%20on%20each%20proxy%20Server%2C%20and%20require%20the%20restart%20of%20the%20Proxy%20Service.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FU%3E%3C%2FFONT%3E%3CU%3E%3C%2FU%3E%3CU%3E%3C%2FU%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EYou%20need%20to%20register%20on%20your%20Azure%20AD%20Tenant%20the%20two%20Proxy%20Server%20with%20a%20simple%20PowerShell%20cmdlet%20on%20each%20proxy%3A%3CBR%20%2F%3E%0A%3CPRE%3ERegister-AzureADPasswordProtectionProxy%20-AccountUpn%20'admin%40%26lt%3Byourtenant%26gt%3B.onmicrosoft.com'%3C%2FPRE%3E%0AThis%20registration%20of%20the%20Proxy%20Service%20is%20necessary%20only%20one%20time%2C%20for%20the%20first%20authentication%20on%20the%20tenant.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EYou%20need%20to%20register%20the%20Forest%20on%20Azure%20AD%20so%20this%20command%20must%20be%20lunched%20from%20only%20one%20of%20the%20Proxy%20Servers%3A%3CBR%20%2F%3E%0A%3CPRE%3E%23%20IF%20YOU%20ARE%20CONNECTED%20TO%20THE%20PROXY%20SERVER%20WITH%20ADMIN%20CREDENTIAL%0A%23%20OF%20THE%20ROOT%20DOMAIN%2C%20THEN%20YOU%20CAN%20USE%20THIS%20COMMAND%3A%20%0ARegister-AzureADPasswordProtectionForest%20-AccountUpn%20'admin%40%26lt%3Byourtenant%26gt%3B.onmicrosoft.com'%20%0A%0A%23%20OTHERWISE%20YOU%20CAN%20SPECIFY%20THE%20ROOT%20DOMAIN%20CREDENTIALS%3A%20%0ARegister-AzureADPasswordProtect
ionForest%20-AccountUpn%20'admin%40%26lt%3Byourtenant%26gt%3B.onmicrosoft.com'%20-ForestCredential%20%24(Get-Credential)%3C%2FPRE%3E%0AThis%20command%20require%20the%20a%20Global%20Admin%20of%20the%20tenant%20and%20a%20Domain%20Admins%20of%20the%20Root%20Domain.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EYou%20can%20now%20connect%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%3C%2FA%3E%20and%20configure%20the%20Azure%20AD%20Password%20Protection%3A%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F115681i26FBA24B153A6199%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Azure_AD_PP_Portal_Config.png%22%20title%3D%22Azure_AD_PP_Portal_Config.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3A%20%3C%2FSTRONG%3Ekeep%20in%20mind%20that%20when%20you%20write%20in%20the%20custom%20banned%20password%20the%20word%20%22%3CSTRONG%3Efabrikam%3C%2FSTRONG%3E%22%2C%20you%20are%20adding%20more%20than%20that%2C%20also%20the%20%3CSTRONG%3E%22f%40br1k%40m%22%3C%2FSTRONG%3E%20is%20banned!%20So%20we%20made%20also%20common%20char%20substitution.%20The%20Custom%20password%20field%2C%20can%20contain%20up%20to%201000%20words%20case-insensitive.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3ENice%20to%20Know%3C%
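The deployment steps above can be verified from PowerShell once the proxies and agents are in place. The script below is an added example, not code from the original post or from Microsoft: it assumes the two proxy hosts are called AADPP-PROXY01 and AADPP-PROXY02 (placeholders), that the proxy's Windows service is named AzureADPasswordProtectionProxy (an assumption, check it with Get-Service), and that 20000 was chosen as the static port (any free port works). It pins the proxy listener to the static port and restarts the service as step 7 requires, lists what the tenant knows about registered proxies and DC Agents (steps 8 and 9), and then, run from a DC, checks TCP reachability of port 135 and the static port so that a 30018 warning on that DC can be told apart from a real firewall problem.

```powershell
# Added example (not from the original post). Assumptions are marked below.
# Set-AadppProxyStaticPort runs on each Azure AD Password Protection Proxy Server;
# Test-AadppProxyReachability runs on a domain controller that hosts the DC Agent.

# ASSUMPTION: Windows service name of the proxy; verify with Get-Service *AzureADPassword*
$ProxyServiceName = 'AzureADPasswordProtectionProxy'

function Set-AadppProxyStaticPort {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port
    )
    Import-Module AzureADPasswordProtection -ErrorAction Stop

    # Same cmdlet as in step 7: pin the RPC listener to one port instead of the dynamic range.
    Set-AzureADPasswordProtectionProxyConfiguration -StaticPort $Port

    # Step 7 also says the Proxy Service must be restarted for the change to take effect.
    Restart-Service -Name $ProxyServiceName -Force -ErrorAction Stop

    # Return what the proxy now reports so the caller can confirm the port.
    Get-AzureADPasswordProtectionProxyConfiguration
}

function Get-AadppRegistrationStatus {
    # Both cmdlets are listed in the module output above; called without parameters
    # they enumerate the proxies and DC Agents that have registered in the forest.
    Import-Module AzureADPasswordProtection -ErrorAction Stop
    [pscustomobject]@{
        Proxies  = @(Get-AzureADPasswordProtectionProxy)
        DCAgents = @(Get-AzureADPasswordProtectionDCAgent)
    }
}

function Test-AadppProxyReachability {
    param(
        [Parameter(Mandatory)][string[]]$ProxyServer,
        [Parameter(Mandatory)][int]$StaticPort
    )
    foreach ($server in $ProxyServer) {
        # RPC endpoint mapper (TCP 135) plus the static port configured above.
        foreach ($port in 135, $StaticPort) {
            $result = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                ProxyServer = $server
                Port        = $port
                Reachable   = $result.TcpTestSucceeded
            }
        }
    }
}

# --- Usage (placeholder host names and port) ---
# On each proxy server:
#   Set-AadppProxyStaticPort -Port 20000
#   Get-AadppRegistrationStatus
# On a DC: any row with Reachable = False explains a 30018 warning on that DC.
#   Test-AadppProxyReachability -ProxyServer 'AADPP-PROXY01','AADPP-PROXY02' -StaticPort 20000 | Format-Table
```

A DC that shows Reachable = False for both proxies will keep logging 30018 and depends entirely on Sysvol replication for policy updates, which is the benign case the warning text describes only if at least one other DC in the domain does reach a proxy.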
Nice to Know

1. The Proxy Service of Azure AD Password Protection can work with HTTPS proxy servers in your environment, but currently the Azure AD Password Protection proxy service doesn't support the use of specific credentials for connecting to an HTTPS proxy.

2. By default Azure AD Password Protection is set to "Audit Mode" on the tenant, so if you deploy a proxy service and install one agent on a DC (only for testing purposes) and a password matches the Microsoft Global Banned Password list, the DC Agent will generate only events like this one:

    Log Name:      Microsoft-AzureADPasswordProtection-DCAgent/Admin
    Source:        Microsoft-AzureADPasswordProtection-DCAgent
    Event ID:      30009
    Task Category: None
    Level:         Information
    Keywords:
    User:          SYSTEM
    Computer:      ITDC01.IT.CONTOSO.COM
    Description:
    The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the Microsoft global banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.

     UserName: ITOPSTALK
     FullName: ITOPSTALK

   Or like this, if the password matches your custom banned password list on the tenant:

    Log Name:      Microsoft-AzureADPasswordProtection-DCAgent/Admin
    Source:        Microsoft-AzureADPasswordProtection-DCAgent
    Event ID:      30007
    Task Category: None
    Level:         Information
    Keywords:
    User:          SYSTEM
    Computer:      ITDC01.IT.CONTOSO.COM
    Description:
    The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the per-tenant banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.

     UserName: ITOPSTALK
     FullName: ITOPSTALK

%3CFONT%20size%3D%222%22%20style%3D%22background-co
lor%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2013.33px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20size%3D%223%22%3ENo%20Password%20will%20be%20blocked%20until%20you%20will%20change%20the%20configuration%20on%20the%20Tenant%20from%20%22%3CSTRONG%3EAudit%20Mode%3C%2FSTRONG%3E%22%20to%20%22%3CSTRONG%3EEnforce%3C%2FSTRONG%3E%22.%3CBR%20%2F%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3EIf%20your%20DCs%20are%20all%202012%20or%20above%20but%20you%20are%20using%20FRS%20for%20replicating%20the%20SYSVOL%2C%20upgrade%20first%20to%20DFSR%20to%20use%20Azure%20AD%20Password%20Protection%2C%20because%20FRS%20is%20deprecated.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3EHave%20you%20already%20two%20AD%20connect%20servers%20in%20your%20Environment%3F%20Yes%3F%20So%20you%20can%20install%20the%20proxy%20Service%20on%20this%202%20Servers%20if%20you%20want%2C%20but%20start%20always%20from%20the%20one%20in%20staging%20mode%20%3B).%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3EAzure%20AD%20Password%20Protection%20for%20Active%20Directory%20require%20the%20Azure%20AD%20Premium%20licences%20P1%20or%20P2.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3EAzure%20AD%20Password%20Protection%20is%20not%20a%20real-time%20policy%20application%20engine%2C%20you%20can%20have%20a%20delay%20in%20the%20application%20of%20the%20new%20Azure%20Password%20Policy%20in%20your%20on-premises%20AD%20environment.%3CBR%20%2F%3E%3CB
R%20%2F%3E%3C%2FLI%3E%0A%3CLI%3EIf%20you%20want%20to%20force%20a%20DC%20to%20download%20a%20fresh%20copy%20of%20the%20Azure%20Password%20Policy%20from%20the%20Proxy%20Service%2C%20you%20can%20restart%20the%20DC%20Agent.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23000000%22%20size%3D%225%22%3E%3CSTRONG%3EScenarios%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3ESome%20Customers%20think%20that%20because%20Azure%20AD%20Password%20protection%20On-Premises%2C%20work%20with%20DC%20Agents%20they%20can%20deploy%20Agents%20only%20on%20a%20single%20AD%20Site%20to%20protect%20for%20example%20a%20Branch%20Office%2C%20but%20this%20is%20a%20partial%20deployment%20and%20it%20is%20not%20recommended.%20In%20this%20scenario%20a%20customer%20want%20to%20deploy%20DC%20Agents%20only%20on%20the%20%3CSTRONG%3ENY-SITE%3C%2FSTRONG%3E%2C%20g%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3Eraphics%20always%20help%20to%20understand%20better%3A%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-a
lign%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20956px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F115686iF28C1667E222937F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22scenario1.png%22%20title%3D%22scenario1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAs%20you%20can%20see%20one%20DC%20in%20the%20%3CSTRONG%3EIT.CONTOSO.DOMAIN%3C%2FSTRONG%3E%20don't%20have%20the%20DC%20Agent%2C%20because%20the%20change%20password%20can%20happens%20on%20any%20DC%2C%20this%20configuration%20%3CU%3Eis%20not%20secure%20and%20not%20recommended%3C%2FU%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20want%20to%20implement%20a%20more%20secure%20scenario%2C%20%3CU%3Eyou%20need%20to%20install%20the%20DC%20Agent%20on%20each%20DCs%20of%20the%20forest%2C%3C%2FU%3E%20like%20in%20this%20example%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20915px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F115687i50BA4DEA87217ACB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22scenario2.png%22%20title%3D%22scenario2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20you%20can%20see%20here%2C%20we%20have%20secured%20all%20the%20entire%20forest%20by%20installing%20the%20DC%20agent%20on%20each%20DC%20in%20every%20domains.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EIf%20you%20want%20to%20apply%20the%20Azure%20AD%20Password%20Protection%20only%20to%20one%20domain%20in%20your%20forest%2C%20you%20need%20in%20any%20case%20to%20deploy%20the%20Proxy%20Services
%20for%20the%20Forest%20and%20then%20deploy%20the%20DC%20Agent%20%3CSTRONG%3Eonly%20on%20all%20the%20DCs%20in%20that%20domain%3C%2FSTRONG%3E%20to%20secure%20it%2C%20in%20this%20example%20%3CSTRONG%3EHR.CONTOSO.COM%3C%2FSTRONG%3E.%20(%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EYou%20should%20not%20think%20to%20deploy%20the%20DC%20agent%20only%20on%20the%20PDC%2C%20for%20example)%3C%2FSPAN%3E%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20883px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F115688iC87986088FB101F5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22scenario3.png%22%20title%3D%22scenario3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CBR%20%2F%3ELast%20but%20not%20lea
st%2C%20rem%3C%2FSPAN%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3Eember%20to%20alert%20your%20users%20about%20the%20Policy%20password%20change%20before%20switch%20the%20configuration%20in%20the%20Tenant%20from%20%22%3CSTRONG%3EAudit%20mode%3C%2FSTRONG%3E%22%20to%20%22%3CSTRONG%3EEnforce%3C%2FSTRONG%3E%22.%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px
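<P>As an added example (it is not part of this article and not Microsoft's code), the following PowerShell script checks the two points made above: it lists every DC in every domain of the forest and flags the ones without a registered DC Agent, and then summarises the audit-only events (Event ID 30007, like the one shown in the Nice to Know section) so you can see which accounts would start to be rejected before switching the tenant from Audit to Enforce. It assumes the ActiveDirectory RSAT module and the AzureADPasswordProtection module (installed with the Proxy Service) are available on the host where it runs, that Get-AzureADPasswordProtectionDCAgent returns objects with the ServerFQDN, HeartbeatUTC and PasswordPolicyDateUTC properties, and that the event body carries "UserName: ..." as in the sample event above. The function names Get-DcAgentCoverage and Get-AuditModeRejections are ours, not cmdlets of the product.</P>

```powershell
# Added example, not part of the original article or of the Azure AD Password Protection product.
# Purpose: (1) list every DC in the forest and flag the ones with no registered DC Agent, because
#          a password change can be processed by any DC and an unprotected DC is a gap;
#          (2) summarise audit-only events (Event ID 30007, as in the Nice to Know section) so you
#          know what will start to be rejected before switching the tenant from Audit to Enforce.
# Assumptions: the ActiveDirectory (RSAT) and AzureADPasswordProtection (installed with the Proxy
# Service) modules are available; Get-AzureADPasswordProtectionDCAgent exposes ServerFQDN,
# HeartbeatUTC and PasswordPolicyDateUTC; the two function names below are ours, not Microsoft's.
#Requires -Modules ActiveDirectory, AzureADPasswordProtection

function Get-DcAgentCoverage {
    [CmdletBinding()]
    param()

    # Every DC (writable and RODC) in every domain of the forest.
    $allDcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    # DCs that have a DC Agent registered, keyed by FQDN for the comparison.
    $agents = @{}
    foreach ($a in Get-AzureADPasswordProtectionDCAgent) {
        $agents[$a.ServerFQDN.ToLower()] = $a
    }

    foreach ($dc in $allDcs) {
        $agent = $agents[$dc.HostName.ToLower()]   # $null when this DC has no agent
        [pscustomobject]@{
            HostName              = $dc.HostName
            Domain                = $dc.Domain
            Site                  = $dc.Site
            IsReadOnly            = $dc.IsReadOnly
            HasAgent              = [bool]$agent
            HeartbeatUTC          = $agent.HeartbeatUTC           # $null without an agent
            PasswordPolicyDateUTC = $agent.PasswordPolicyDateUTC  # reveals DCs holding a stale policy copy
        }
    }
}

function Get-AuditModeRejections {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,
        [datetime] $Since = (Get-Date).AddDays(-7),
        # 30007: "would normally have been rejected ... audit-only mode so the password was accepted".
        # Add the other audit-mode IDs from the monitoring documentation if you want them as well.
        [int[]] $AuditEventIds = @(30007)
    )

    foreach ($dc in $DomainController) {
        $events = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -ErrorVariable getErr -FilterHashtable @{
            LogName   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
            Id        = $AuditEventIds
            StartTime = $Since
        })
        # "No events were found" is a normal outcome; anything else (RPC, access denied) deserves a warning.
        if ($getErr -and $getErr[0].Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read the DC Agent log on ${dc}: $($getErr[0].Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # The event body carries "UserName: <account>", as in the sample event above (assumed format).
            $user = if ($e.Message -match 'UserName:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                DC          = $dc
                EventId     = $e.Id
                UserName    = $user
            }
        }
    }
}

# Usage: first the coverage gap, then the audit report from the DCs that do have an agent.
$coverage = Get-DcAgentCoverage
$coverage | Where-Object { -not $_.HasAgent } |
    Format-Table HostName, Domain, Site, IsReadOnly -AutoSize

$covered = @($coverage | Where-Object HasAgent | ForEach-Object HostName)
if ($covered.Count -gt 0) {
    Get-AuditModeRejections -DomainController $covered |
        Group-Object UserName | Sort-Object Count -Descending |
        Select-Object @{n='UserName';e={$_.Name}}, Count | Format-Table -AutoSize
}
```

<P>Run it on the proxy server (where the AzureADPasswordProtection module is present) with an account that can read the DC Agent Admin log on each DC. An empty first table means every DC in the forest is covered; the second table tells you which accounts are still choosing banned passwords while you are in Audit mode, which is exactly the population to warn before the switch to Enforce.</P>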
<P>I hope that all this info will help you to deploy this great feature in your environments.</P>
<P><STRONG>Reference</STRONG></P>
<P>The official reference:</P>
<P><A href="https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises#design-principles" target="_self" rel="noopener noreferrer">Enforce Azure AD password protection for Windows Server Active Directory</A></P>
<P><A href="https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-troubleshoot" target="_blank" rel="noopener noreferrer">Azure AD Password Protection troubleshooting</A></P>
<P><A href="https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor" target="_blank" rel="noopener noreferrer">Azure AD Password Protection monitoring and logging</A></P></LINGO-BODY><LINGO-TEASER id="lingo-teaser-563342" slang="en-US"><P>Too many users have bad habits when creating and using passwords. Daniele details steps in utilizing Azure AD Password Protection design principles to automate enforcement of password rules.</P>
<P><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/114318i3264A9781725AF0E/image-size/large?v=1.0&amp;px=999" alt="AADPP.jpg" title="AADPP.jpg" /></P></LINGO-TEASER><LINGO-LABS id="lingo-labs-563342" slang="en-US"><LINGO-LABEL>Azure</LINGO-LABEL><LINGO-LABEL>Daniele De Angelis</LINGO-LABEL><LINGO-LABEL>Windows Server</LINGO-LABEL></LINGO-LABS><LINGO-SUB id="lingo-sub-677072" slang="en-US">Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises</LINGO-SUB><LINGO-BODY id="lingo-body-677072" slang="en-US"><P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/356010" target="_blank">@3dinfo</A>,</P>
<P>What I mean in this part:</P>
<P>================================</P>
<P>"It is not necessary that all the DCs are able to communicate with the Azure AD Password Protection Proxy Server if you have a very complex Active Directory environment. You can configure <STRONG>a minimum of one DC per domain</STRONG> and the other DCs will take the new policy from the SYSVOL replication."</P>
<P>================================</P>
<P>is that at least one DC per domain <U>needs to be able to communicate</U> with the <STRONG>Azure AD Password Protection Proxy Service</STRONG> to take the new password policy, but for sure you need to install the DC Agent on all DCs in the domain if you want to secure the domain.</P>
<P>I have changed the article a little based on your question :)</P>
<P>==================================</P>
<P>It is not necessary that all the DCs are able to communicate with the <STRONG>Azure AD Password Protection Proxy Server</STRONG>; if you have a very complex Active Directory environment, you can configure a minimum of <STRONG>one DC per domain</STRONG> to be able to connect to the <STRONG>AAD Password Protection Proxy Servers</STRONG>, and the other DCs will take the new policy from the SYSVOL replication.</P>
<P>==================================</P>
<P>Many thanks for the question 3DInfo ;)</P></LINGO-BODY><LINGO-SUB id="lingo-sub-678717" slang="en-US">Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises</LINGO-SUB><LINGO-BODY id="lingo-body-678717" slang="en-US"><P>Appreciate the write-up. I was wondering if you could help me understand an error I'm receiving... I have a single proxy service in a hybrid environment and installed the DC agent on a single DC... I got confused on the writing of the proxy.exe.config file... we don't have an HTTP proxy in our environment, so I'm guessing that should be the proxy service server name. I've restarted the proxy config service and DC agent service... still seeing this error:</P>
<P>"One or more Azure AD Password Protection Proxy servers were found in the forest but this machine was unable to establish network connectivity to any of them..."</P>
<P>I see the inbound firewall rule for port 135... and I'm able to telnet to the port on the proxy service server from the DC agent server... is there some other communication that I'm not seeing?</P>
<P>Appreciate the time and effort. Thanks.</P>
</LINGO-BODY><LINGO-SUB id="lingo-sub-679562" slang="en-US">Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises</LINGO-SUB><LINGO-BODY id="lingo-body-679562" slang="en-US"><P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/356845" target="_blank">@gqcars</A>,</P>
<P>So if I understand well, you <U>don't</U> have an <STRONG>HTTP proxy server</STRONG> in your environment, so you <U>don't</U> need to change anything inside the <STRONG>AzureADPasswordProtectionProxy.exe.config</STRONG> file. You need to modify this file <U>only</U> if you want your <STRONG>Azure AD Password Protection Proxy Service</STRONG> to be able to go to the internet and reach Azure via an <STRONG>HTTP proxy server</STRONG> ;).</P>
<P>The event that you receive comes from the DC Agent:</P>
<BLOCKQUOTE><STRONG>One or more Azure AD Password Protection Proxy servers were found in the forest but this machine was unable to establish network connectivity to any of them.</STRONG></BLOCKQUOTE>
<P>This is due to a network connectivity issue from the <STRONG>DC Agent</STRONG> to the <STRONG>Azure AD Password Protection Proxy Service</STRONG>.</P>
<P>On your proxy server you should be able to see these two inbound Windows Firewall rules:</P>
<P><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/117548i07338C9B6B8A764D/image-size/large?v=1.0&amp;px=999" alt="Firewall_roules_AADPPPS.jpg" title="Firewall_roules_AADPPPS.jpg" /></P>
<P>These rules are created automatically by the installation of the Proxy Service: one is for the <STRONG>Endpoint Mapper</STRONG> on port <STRONG>135 TCP</STRONG>, and the other is for the <A href="https://support.microsoft.com/en-us/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista" target="_blank" rel="noopener noreferrer"><STRONG>Dynamic Port Range</STRONG></A>, by default <STRONG>from 49152 to 65535 TCP</STRONG>. If these two rules are enabled on the Windows Firewall, you need to check whether there is something else that acts as a firewall (for example a firewall appliance on the network, or maybe the antivirus on the DC or on the proxy).</P>
<P>I hope this helps you ;)</P>
<P>Ciao :)</P></LINGO-BODY><LINGO-SUB id="lingo-sub-962290" slang="en-US">Re: Step-By-Step: Implementing Azure AD Password Protection On-Premises</LINGO-SUB><LINGO-BODY id="lingo-body-962290" slang="en-US"><P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/170496" target="_blank">@Daniele De Angelis</A>,</P>
<P>I would like a clarification regarding bullet point number 7 in the Nice to Know section: "If you want to force a DC to download a fresh copy of the Azure Password Policy from the Proxy Service, you can restart the DC Agent."</P>
<P>Is there a fixed amount of time at which the Azure AD Password Protection DC agent periodically tries to download a new copy of the Azure Password Policy? (e.g. every 15 minutes or 30 minutes)
nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%2C%3C%2FP%3E%0A%3CP%3EGeorge%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-962497%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-962497%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F210335%22%20target%3D%22_blank%22%3E%40George%20Smyrlis%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYes%2C%20every%201h%2C%20you%20can%20find%20this%20info%20in%20the%20official%20docs%20also%3A%3CBR%20%2F%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23171717%3B%20font-family%3A%20Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20overflow-wrap%3A%20break-word%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSTRONG%3EThe%20DC%20Agent%20service%20always%20requests%20a%20new%20policy%20at%20service%20startup%3C%2FSTRONG%3E.%20After%20the%20DC%20Agent%20service%20is%20started%2C%20%3CSTRONG%3Eit%20checks%20the%20age%20of%20the%20current%20locally%20available%20policy%20hourly%3C%2FSTRONG%3E.%20If%20the%20policy%20is%20older%20than%20one%20hour%2C%20the%20DC%20Agent%20requests%20a%20new%20policy%20from%20Azure%20AD%20via%20the%
20proxy%20service%2C%20as%20described%20previously.%20%3CSTRONG%3EIf%20the%20current%20policy%20isn't%20older%20than%20one%20hour%2C%20the%20DC%20Agent%20continues%20to%20use%20that%20policy%3C%2FSTRONG%3E.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-password-ban-bad-on-premises%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-password-ban-bad-on-premises%3C%2FFONT%3E%3C%2FA%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23171717%3B%20font-family%3A%20Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20overflow-wrap%3A%20break-word%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%20
0px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23171717%3B%20font-family%3A%20Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20overflow-wrap%3A%20break-word%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3ECiao%20%3B)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-964964%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-964964%22%20slang%3D%22en-US%22%3E%3CP%3Egood%20question%26nbsp%3BGeorge%20Smyrlis.%26nbsp%3B%3CBR%20%2F%3EI%20have%20an%20other%20question%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2
Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170496%22%20target%3D%22_blank%22%3E%40Daniele%20De%20Angelis%3C%2FA%3E%26nbsp%3B%20%26nbsp%3B%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3EMicrosoft%20recommends%202%20Proxy%20servers%20for%20uptime%20concerns%2C%20but%20does%20the%20DC%20ever%20looses%20it's%20cache%20of%20the%20policy%20from%20the%20proxy%20server%3F%3CBR%20%2F%3Efor%20exsample%20if%20the%20DC%20restarts%3F%3CBR%20%2F%3EDoes%20it%20ever%20become%20a%20problem%20to%20reset%20a%20password%2C%20if%20the%20proxy%20service%20is%20unavailable%20for%20days%20maybe%3F%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOr%20is%20the%20only%20concern%20if%20we%20want%20the%20latest%20banlist%20from%20Microsoft%20Global%20banlist.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-965286%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965286%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F151618%22%20target%3D%22_blank%22%3E%40Micki%20Wulffeld%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3EI'll%20try%20to%20respond%20to%20your%20questions%20%3A%3C%2FP%3E%0A%3CP%3E1)%20The%20DC%20don't%20loose%20the%20local%20copy%20of%20the%20Microsoft%20Global%20and%20Custom%20banned%20password%20list%20if%20you%20reboot%20it%20for%20example.%3C%2FP%3E%0A%3CP%3E2)%20If%20you%20have%20two%20proxy%20service%20and%20they%20are%20offline%20for%20days%2C%20the%20DC%20Agent%20on%20the%20DC%20%3CSTRONG%3Ewill%20continue%20to%20use%20the%20old%20version%3C%2FSTRONG%3E%20of%20Global%20and%20Custom%20banned%20password%20list%20%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant
%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%20(even%20if%20you%20reboot%20it%20in%20this%20time%20for%20example%20for%20patching)%3C%2FSPAN%3E%2C%20but%20for%20sure%20if%20you%20add%20new%20custom%20password%20in%20the%20Azure%20portal%20this%20will%20not%20be%20applied%20on-premises%20until%20your%20proxy%20services%20will%20be%20back%20online.%3CBR%20%2F%3E3)%20Event%20if%20the%20proxy%20services%20are%20offline%2C%20the%20DC%20will%20continue%20to%20reset%20password%20using%20the%20local%20copy%20of%20Global%20and%20Custom%20banned%20password%20lists.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMany%20thanks%20for%20asking%20%3B)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3ECiao%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E

I travel a lot in Italy, and many times I see multiple customers asking for the same thing: the possibility to block some specific passwords in Active Directory. Unfortunately, too many users have bad habits, such as using the company name in their password. In those cases, the security team wants to block some easy and well-known passwords.

 

In Active Directory you can enable some Group Policy settings that help you enforce stronger passwords, such as:

  1.  Minimum Password Length
  2.  Minimum Password Age
  3.  Maximum password Age
  4.  Password must meet complexity requirements
  5.  Enforce Password History

 

However, even with a minimum password length of 8 characters and these settings enabled, we unfortunately can't prevent the use of well-known passwords that still satisfy the complexity rules, like:
 

"P@$$w0rd" or "Pippo01!"

 

Azure AD Password Protection is finally what we need to enhance the password policies in your organization. With this feature, you can apply the same password checks that Azure AD performs to your on-premises Active Directory. You can enforce both the Microsoft global banned password list and the custom banned password list stored in your Azure AD tenant.

 

What are the Design Principles?
 

Azure AD Password Protection is based on multiple design principles described in the official documentation, but I would like to emphasize some of the most important ones:

  1. Your DCs never talk directly with Azure.
    (you need to install the Azure AD Password Protection Proxy Service)
  2. Your DCs will never be exposed to the internet.
  3. The Azure AD Password Protection DC Agent opens no listening ports on the Domain Controllers.
  4. None of the Azure AD Password Protection services (Proxy Service and DC Agent) require a dedicated account to run; they use the LOCAL SYSTEM account. You need a Global Admin of your tenant and a Domain Admin to register the Proxy Services and the Forest, but only once.
  5. No schema update or specific DFL/FFL is required.
  6. The solution supports incremental deployment.

 

How does it work?

 

  1. A user requests a password change or reset on a Domain Controller.
  2. The DC Agent password filter DLL receives the password validation request from the operating system and forwards it to the Azure AD Password Protection DC Agent service installed on the DC. The agent then validates whether the password complies with the locally stored Azure password policy.
  3. Every hour the agent on the DC locates the Azure AD Password Protection Proxy Service via the SCP (Service Connection Point) in the forest and downloads a fresh copy of the Azure password policy.
  4. The agent on the DC receives the new version of the Azure password policy from the proxy service and stores it in SYSVOL, so that the new policy is replicated to all other DCs in the same domain.

The Azure Password policies are stored in Sysvol as shown here:

Sysvol_AADPP.png
It is not necessary for every DC to be able to communicate with the Azure AD Password Protection Proxy Servers. In a very complex Active Directory environment you can allow a minimum of one DC per domain to connect to the AAD Password Protection Proxy Servers, and the other DCs will pick up the new policy through SYSVOL replication. On those DCs, however, you will see warnings of this type:

Log Name:      Microsoft-AzureADPasswordProtection-DCAgent/Admin
Source:        Microsoft-AzureADPasswordProtection-DCAgent
Date:          15/05/2019 23:37:39
Event ID:      30018
Task Category: None
Level:         Warning
Keywords:     
User:          SYSTEM
Computer:      ITDC01.IT.CONTOSO.COM
Description:
One or more Azure AD Password Protection Proxy servers were found in the forest but this machine was unable to establish network connectivity to any of them.
 This operation will be run periodically and may succeed in future attempts
 This may be an expected and benign condition depending on how the network environment is configured.
 This domain controller may be able to obtain updated password policies via sysvol replication if other domain controllers do have proxy connectivity.

 

How can I deploy the Azure AD Password Protection?

The following is an example of a simple scenario to understand how to deploy this feature:

AADPP_schema.png

 

  1. Since your DCs never talk directly with Azure, you need at least 2 Azure AD Password Protection Proxy Servers per forest for high availability. In this example they are placed in the root domain. The Azure AD Password Protection Proxy Servers must run Windows Server 2012 R2 or later.

  2. Download the Azure AD Password Protection software (Proxy and DC Agent):


    AADPP_software.png

     
  3. Be sure that .NET Framework 4.7 or later is installed on these Proxy Servers.

  4. All the DCs and Proxy Servers require the Universal C Runtime for Windows.
     
  5. Install the Proxy Service (AzureADPasswordProtectionProxySetup.exe) on the two servers joined to the root domain:
    Install_Proxy_1.png
    Install_Proxy_2.png
    Install_Proxy_3.png
    You can also do this with a silent installation from the command line.

    Once the Proxy Service installation is complete, open PowerShell and you will see a new module, AzureADPasswordProtection, installed:
     
    PS C:\> Get-Command -Module AzureADPasswordProtection
    
    CommandType     Name                                               ModuleName
    -----------     ----                                               ----------
    Function        Get-AzureADPasswordProtectionSummaryReport         AzureADPasswordProtection
    Cmdlet          Get-AzureADPasswordProtectionDCAgent               AzureADPasswordProtection
    Cmdlet          Get-AzureADPasswordProtectionProxy                 AzureADPasswordProtection
    Cmdlet          Get-AzureADPasswordProtectionProxyConfiguration    AzureADPasswordProtection
    Cmdlet          Register-AzureADPasswordProtectionForest           AzureADPasswordProtection
    Cmdlet          Register-AzureADPasswordProtectionProxy            AzureADPasswordProtection
    Cmdlet          Set-AzureADPasswordProtectionProxyConfiguration    AzureADPasswordProtection
     
    You can also open the Event Viewer and see the new event logs for the installed service:
     
    AADPPP_EventLogs.png

  6. All the DCs must be Windows Server 2012 or later. You now need to install the package "AzureADPasswordProtectionDCAgentSetup.msi":
    Install_Agent_1.png
    Install_Agent_2.png
    Install_Agent_3_Restart.png

    As you can see, the DC Agent installation requires a reboot of the DC. Here too you can use a silent installation from the command line, but remember to add the /norestart parameter to avoid an immediate restart of the DC.

    After the installation, on the DC you will see a new event log for the agent:
    AADPPDCA_Eventlog.png

  7. By default the Azure AD Password Protection DC Agent uses TCP port 135 (RPC Endpoint Mapper) and the dynamic port range to connect to the Azure AD Password Protection Proxy Servers, so these ports must be open at the network level between the DCs and the proxies. If you prefer, you can configure the Proxy Service to listen on a specific port:
    Set-AzureADPasswordProtectionProxyConfiguration -StaticPort <portnumber>
    This command must be executed on each Proxy Server and requires a restart of the Proxy Service.

  8. You need to register the two Proxy Servers with your Azure AD tenant with a simple PowerShell cmdlet on each proxy:
    Register-AzureADPasswordProtectionProxy -AccountUpn 'admin@<yourtenant>.onmicrosoft.com'
    This registration of the Proxy Service is necessary only once, for the first authentication to the tenant.

  9. You need to register the forest with Azure AD; this command must be launched from only one of the Proxy Servers:
    # IF YOU ARE CONNECTED TO THE PROXY SERVER WITH ADMIN CREDENTIALS
    # OF THE ROOT DOMAIN, YOU CAN USE THIS COMMAND: 
    Register-AzureADPasswordProtectionForest -AccountUpn 'admin@<yourtenant>.onmicrosoft.com' 
    
    # OTHERWISE YOU CAN SPECIFY THE ROOT DOMAIN CREDENTIALS: 
    Register-AzureADPasswordProtectionForest -AccountUpn 'admin@<yourtenant>.onmicrosoft.com' -ForestCredential $(Get-Credential)
    This command requires a Global Admin of the tenant and a Domain Admin of the root domain.

  10. You can now connect to https://portal.azure.com and configure Azure AD Password Protection:
    Azure_AD_PP_Portal_Config.png

NOTE: keep in mind that when you add the word "fabrikam" to the custom banned password list, you are banning more than that: "f@br1k@m" is banned too, because the matching also applies common character substitutions. The custom banned password list can contain up to 1000 terms and is case-insensitive.
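The ten steps above, collected into one PowerShell script as an added example; it is not code from the original post or from Microsoft, it only uses the installers and cmdlets the post names. It is meant to be run locally on each Proxy Server (the Register-* cmdlets open an interactive sign-in prompt, so it is not run over remoting). The installer path, the static port 55000, the placeholder admin UPN and the property names in the final Get-AzureADPasswordProtectionProxy output are assumptions; the .NET 4.7 registry Release value (460798) is the documented minimum.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): run this locally on each Proxy Server.
# Not run over PowerShell remoting because the Register-* cmdlets open an interactive
# sign-in prompt. Assumed values: installer path, static port 55000, placeholder admin UPN.
param(
    [string]$InstallerPath  = 'C:\Temp\AzureADPasswordProtectionProxySetup.exe',
    [int]$StaticPort        = 55000,
    [string]$TenantAdminUpn = 'admin@<yourtenant>.onmicrosoft.com',
    [switch]$RegisterForest   # pass this on ONE proxy only (step 9)
)

# Step 3: .NET Framework 4.7 registers Release 460798 or higher under NDP\v4\Full.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 460798) {
    throw '.NET Framework 4.7 or later is required on the Proxy Server.'
}

# Step 5: silent installation, then load the module the installer adds.
Start-Process -FilePath $InstallerPath -ArgumentList '/quiet' -Wait
Import-Module AzureADPasswordProtection -ErrorAction Stop

# Step 7: pin the RPC endpoint to a single port, so the DC -> proxy firewall rule does not
# have to cover the whole dynamic range. The service restart makes the change effective.
Set-AzureADPasswordProtectionProxyConfiguration -StaticPort $StaticPort
Restart-Service -Name AzureADPasswordProtectionProxy
Get-AzureADPasswordProtectionProxyConfiguration

# Step 8: register this proxy with the tenant (Global Admin sign-in, once per proxy).
Register-AzureADPasswordProtectionProxy -AccountUpn $TenantAdminUpn

# Step 9: register the forest once, from one proxy only. -ForestCredential is needed when
# the logged-on user is not a Domain Admin of the root domain.
if ($RegisterForest) {
    Register-AzureADPasswordProtectionForest -AccountUpn $TenantAdminUpn `
        -ForestCredential (Get-Credential -Message 'Domain Admin of the root domain')
}

# Check: each registered proxy appears here with a recent heartbeat
# (property names are an assumption; compare with the cmdlet output in your forest).
Get-AzureADPasswordProtectionProxy | Format-Table ServerFQDN, SoftwareVersion, HeartbeatUTC, AzureTenant -AutoSize

# Step 6 is done on every DC, not here: silent install without an immediate reboot, then
# reboot the DC in a maintenance window.
#   msiexec.exe /i AzureADPasswordProtectionDCAgentSetup.msi /quiet /norestart
```

Run it without -RegisterForest on the second proxy; the forest registration is a one-time operation and the two proxies share it. The static port is optional, but with it the DC-to-proxy firewall rule becomes TCP 135 plus one fixed port instead of the whole 49152-65535 range.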

 

Nice to Know

 

  1. The Azure AD Password Protection Proxy Service can work with HTTPS proxy servers in your environment, but it currently doesn't support the use of specific credentials for connecting to an HTTPS proxy.

  2. By default Azure AD Password Protection is set to "Audit" mode on the tenant, so if you deploy a proxy service and install one agent on a DC (for testing purposes only) and a password matches the Microsoft global banned password list, the DC Agent will only generate events like this one:

    Log Name:      Microsoft-AzureADPasswordProtection-DCAgent/Admin
    Source:        Microsoft-AzureADPasswordProtection-DCAgent
    Event ID:      30009
    Task Category: None
    Level:         Information
    Keywords:     
    User:          SYSTEM
    Computer:      ITDC01.IT.CONTOSO.COM
    Description:
    The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the Microsoft global banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.
     
     UserName: ITOPSTALK
     FullName: ITOPSTALK
    Or like this one, if the password matches your custom banned password list on the tenant:

    Log Name:      Microsoft-AzureADPasswordProtection-DCAgent/Admin
    Source:        Microsoft-AzureADPasswordProtection-DCAgent
    Event ID:      30007
    Task Category: None
    Level:         Information
    Keywords:     
    User:          SYSTEM
    Computer:      ITDC01.IT.CONTOSO.COM
    Description:
    The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the per-tenant banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.
     
     UserName: ITOPSTALK
     FullName: ITOPSTALK
    No password will be blocked until you change the configuration on the tenant from "Audit" mode to "Enforce".

  3. If your DCs are all 2012 or later but you are still using FRS to replicate SYSVOL, migrate to DFSR before deploying Azure AD Password Protection, because FRS is deprecated.

  4. Do you already have two Azure AD Connect servers in your environment? Then you can install the Proxy Service on those two servers if you want, but always start with the one in staging mode ;).

  5. Azure AD Password Protection for Active Directory requires Azure AD Premium P1 or P2 licences.

  6. Azure AD Password Protection is not a real-time policy engine: there can be a delay before a new Azure password policy is applied in your on-premises AD environment.

  7. If you want to force a DC to download a fresh copy of the Azure password policy from the Proxy Service, restart the DC Agent service.
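An added example, not from the original post, that turns the audit-mode events shown in point 2 into a report: it reads event IDs 30007 and 30009 from the DC Agent admin log on each DC, extracts the UserName line from the message text and groups by account, so you know who will be affected before switching the tenant from Audit to Enforce. The function names are mine, the two sample events at the end are constructed for an offline dry run, and further audit-mode event IDs from the monitoring documentation can be added to the Id filter.

```powershell
# Added example (not from the original post): collect the audit-mode events the post shows
# (30009 = Microsoft global list, 30007 = tenant custom list) from the DC Agent admin log and
# summarise which accounts would have been rejected. The sample events at the bottom are
# constructed so the parser can be tried without a DC.

function ConvertFrom-AadppAuditEvent {
    # Extracts the user name and the matched list from one event record.
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $user = if ($Event.Message -match 'UserName:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
        $list = switch ($Event.Id) {
            30007   { 'tenant custom list' }
            30009   { 'Microsoft global list' }
            default { "event $($Event.Id)" }
        }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            DC          = $Event.MachineName
            UserName    = $user
            MatchedList = $list
        }
    }
}

function Get-AadppAuditSummary {
    # Reads the last $Days days of audit events from each DC and groups them by account.
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
        Id        = @(30007, 30009)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $rows = foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ConvertFrom-AadppAuditEvent
    }
    $rows | Group-Object UserName | Sort-Object Count -Descending | Select-Object `
        @{ n = 'UserName'; e = { $_.Name } },
        Count,
        @{ n = 'Lists'; e = { ($_.Group.MatchedList | Sort-Object -Unique) -join ', ' } },
        @{ n = 'DCs';   e = { ($_.Group.DC | Sort-Object -Unique) -join ', ' } }
}

# Constructed sample events, shaped like Get-WinEvent output, for an offline dry run.
$sample = @(
    [pscustomobject]@{ Id = 30009; TimeCreated = Get-Date; MachineName = 'ITDC01.IT.CONTOSO.COM'
        Message = "The reset password for the specified user would normally have been rejected (Microsoft global banned password list). The current Azure password policy is configured for audit-only mode so the password was accepted.`n`n UserName: ITOPSTALK`n FullName: ITOPSTALK" }
    [pscustomobject]@{ Id = 30007; TimeCreated = Get-Date; MachineName = 'ITDC02.IT.CONTOSO.COM'
        Message = "The reset password for the specified user would normally have been rejected (per-tenant banned password list). The current Azure password policy is configured for audit-only mode so the password was accepted.`n`n UserName: ITOPSTALK`n FullName: ITOPSTALK" }
)
$sample | ConvertFrom-AadppAuditEvent | Format-Table -AutoSize

# Against real DCs (needs the RSAT ActiveDirectory module), e.g. every DC of the current domain:
# Get-AadppAuditSummary -ComputerName (Get-ADDomainController -Filter *).HostName -Days 30
```

Because the events are written on the DC that processed the change, the summary only tells the truth when it is run against every DC in the domain; a DC that was left out of the query is also, quite possibly, a DC that was left out of the agent rollout.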

 

Scenarios

Some customers think that, because Azure AD Password Protection on-premises works with DC Agents, they can deploy the agents only in a single AD site to protect, for example, a branch office. This is a partial deployment and it is not recommended. In this scenario a customer wants to deploy DC Agents only in the NY-SITE; graphics always help to understand better:

scenario1.png

As you can see, one DC in IT.CONTOSO.COM doesn't have the DC Agent. Because a password change can happen on any DC, this configuration is not secure and not recommended.

 

If you want to implement a more secure scenario, you need to install the DC Agent on every DC in the forest, like in this example:

scenario2.png

 

As you can see here, we have secured the entire forest by installing the DC Agent on each DC in every domain.


If you want to apply Azure AD Password Protection to only one domain in your forest, you still need to deploy the Proxy Services for the forest, and then deploy the DC Agent on all the DCs in that domain to secure it, in this example HR.CONTOSO.COM. (Do not think of deploying the DC Agent only on the PDC emulator, for example):

scenario3.png
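An added example (not from the original post) that makes the partial-deployment problem visible: it compares every DC in every domain of the forest with the DC Agents that have registered and reported a heartbeat, and flags the DCs with no agent or a stale one. It assumes the RSAT ActiveDirectory module and the AzureADPasswordProtection module are available (so run it on a proxy server), and the DC Agent property names it reads (ServerFQDN, HeartbeatUTC, PasswordPolicyDateUTC) are taken from the cmdlet output in a test forest; verify them against Get-AzureADPasswordProtectionDCAgent in yours.

```powershell
# Added example (not from the original post): list every DC in the forest and show which ones
# have no DC Agent reporting in, so a partial deployment like the NY-SITE case above is
# visible as a list of unprotected DCs. Run it on a proxy server: it needs the
# AzureADPasswordProtection module plus the RSAT ActiveDirectory module. The DC Agent object
# properties used (ServerFQDN, HeartbeatUTC, PasswordPolicyDateUTC) are an assumption
# taken from the cmdlet output in a test forest.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module AzureADPasswordProtection -ErrorAction Stop

function Get-AadppCoverage {
    param([int]$StaleHours = 24)   # an agent silent for longer than this is reported as STALE

    # Index the agents that have registered, keyed by FQDN.
    $agents = @{}
    foreach ($a in Get-AzureADPasswordProtectionDCAgent) { $agents[$a.ServerFQDN.ToLower()] = $a }
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$StaleHours)

    # Walk every domain of the forest, not just the one the proxy is joined to.
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $agent = $agents[$dc.HostName.ToLower()]
            $state = if (-not $agent) { 'NO AGENT' }
                     elseif ($agent.HeartbeatUTC -lt $cutoff) { 'STALE' }
                     else { 'OK' }
            [pscustomobject]@{
                Domain        = $domain
                DC            = $dc.HostName
                Site          = $dc.Site
                State         = $state
                PolicyDateUTC = if ($agent) { $agent.PasswordPolicyDateUTC } else { $null }
            }
        }
    }
}

$coverage = Get-AadppCoverage
$coverage | Sort-Object State, Domain, DC | Format-Table -AutoSize

$gaps = @($coverage | Where-Object { $_.State -ne 'OK' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) DC(s) without a working DC Agent: a password change on any of them bypasses the policy."
}
```

The PolicyDateUTC column is also the quickest way to spot the SYSVOL case described earlier: a DC whose agent is alive but whose policy date lags the others is one that cannot reach a proxy and is waiting for replication.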


Last but not least, remember to alert your users about the password policy change before switching the configuration in the tenant from "Audit" mode to "Enforce".

I hope that all this info will help you to deploy this great feature in your environments.

 

Reference

The official reference:

Enforce Azure AD password protection for Windows Server Active Directory

Azure AD Password Protection troubleshooting

Azure AD Password Protection monitoring and logging

 

 

15 Comments
Occasional Visitor

Thanks for the write-up, this looks great. One question though, is there a reason this is not bundled into the Azure AD Connect software that most of us already have?

Hi @DKord,

many thanks for your question! In my honest opinion I would like to say......why not? :)
But I need to be honest: actually these two services (Azure AD Password Protection Proxy and AD Connect) are in two different software packages, so we will see in the future if something will change. Thanks again.

New Contributor

How does this DC agent behave in conjunction with the Microsoft Password Change Notification tool?
I'm guessing there are no issues, as it basically uses the same methodology as the Azure AD Connect sync to synchronize hashes to the cloud?

 

 

Hi @Micki Wulffeld,

the Microsoft Password Change Notification Service uses a password filter (Pcnsflt.dll); the password filter is used to obtain passwords from Active Directory. The password notification filter runs simultaneously with other filters that are running on the domain controller (this means that it can work with the Azure AD Password Protection DC Agent password filter).

Reference: https://docs.microsoft.com/en-us/microsoft-identity-manager/infrastructure/mim2016-password-manageme...

 

Also i have found this:
========================================================

Question: Is it supported to install Azure AD Password Protection side by side with other password-filter-based products?

Yes. Support for multiple registered password filter dlls is a core Windows feature and not specific to Azure AD Password Protection. All registered password filter dlls must agree before a password is accepted.

========================================================

Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-pre...

 

So in the end, there is no reason why they should not work together, but if you find an issue, we are here to solve it.

Occasional Visitor

Great article. One question. We have an empty root domain, you mention the proxy needs to be a member of the root domain? Can it not be a member of the child domain?

Hi @AndyWallace12030,

correct, in my scenarios I placed the proxy in the root domain, but if you already have, for example, the Azure AD Connect servers in a child domain like IT.CONTOSO.COM, you can install the Azure AD Password Protection Proxy Service on these servers and it works, because the other DCs in the forest are able to locate them via the SCP (Service Connection Point) published in AD, even if the proxies are in the child domain.

Both scenarios (Proxy in the root or proxy in the child domain) are supported.

Many thanks for your question! :)

Occasional Visitor

nice post Dado

 

Visitor

You mention that "You can configure a minimum of one DC per domain and the other DCs will take the new policy from the Sysvol replication" but then state "As you can see one DC in the IT.CONTOSO.DOMAIN don't have the DC Agent, because the change password can happens on any DC, this configuration is not secure and not recommended.".   This seems conflicting?   Is the one DC option for testing only?

 

Thanks!

Hi @3dinfo,

what I mean in this part:

================================

"It is not necessary that all the DCs are able to communicate with the Azure AD Password Protection Proxy Server if you have a very complex Active Directory environment. You can configure a minimum of one DC per domain and the other DCs will take the new policy from the Sysvol replication. "

================================

Is that at least one DC per domain needs to be able to communicate with the Azure AD Password Protection Proxy Service to take the new password policy, but for sure you need to install the DC Agent on all DCs in the domain if you want to secure the domain.

 

I have change a little the article based on your question :)

==================================

It is not necessary that all the DCs are able to communicate with the Azure AD Password Protection Proxy Server; if you have a very complex Active Directory environment, you can configure a minimum of one DC per domain to be able to connect to the AAD Password Protection Proxy Servers, and the other DCs will take the new policy from the Sysvol replication.

==================================

 

Many thanks for the question 3DInfo ;)

 

Occasional Visitor

Appreciate the write-up. I was wondering if you could help me understand an error I'm receiving... I have a single proxy service in a hybrid environment and installed the DC agent on a single DC... I got confused on the writing of the proxy.exe.config file... we don't have an HTTP proxy in our environment, so I'm guessing that should be the proxy service server name. I've restarted the proxy config service and DC agent service... still seeing this error:

 

"One or more Azure AD Password Protection Proxy servers were found in the forest but this machine was unable to establish network connectivity to any of them..."

 

I see the inbound firewall rule for port 135... and I'm able to telnet to the port on the proxy service server from the DC agent server... is there some other communication that I'm not seeing?

 

Appreciate the time and effort. Thanks.

 

 

Hi @gqcars

 

So if I understand correctly, you don't have an HTTP proxy server in your environment, so you don't need to change anything inside the AzureADPasswordProtectionProxy.exe.config file. You need to modify this file only if you want your Azure AD Password Protection Proxy Service to reach Azure on the internet via an HTTP proxy server ;).

 

This event that you receive comes from the DC Agent:
============================================

One or more Azure AD Password Protection Proxy servers were found in the forest but this machine was unable to establish network connectivity to any of them.

============================================

This is due to a network connectivity issue from the DC Agent to the Azure AD Password Protection Proxy Service.

On your proxy server you should be able to see these two inbound Windows Firewall rules (Firewall_roules_AADPPPS.jpg):

These rules are automatically created by the installation of the Proxy Service: one is for the Endpoint Mapper on port 135 TCP, and the other is for the Dynamic Port Range, by default from 49152 to 65535 TCP. If these two rules are enabled on the Windows Firewall, you need to check whether there is something else acting as a firewall (for example a firewall appliance on the network, or maybe the antivirus on the DC or on the proxy).

 

I hope this helps ;)

Ciao :)

Microsoft

Hi @Daniele De Angelis,

 

I would like a clarification regarding the number 7 bullet point in the Nice to Know section regarding the: "If you want to force a DC to download a fresh copy of the Azure Password Policy from the Proxy Service, you can restart the DC Agent."

 

Is there a fixed amount of time that the Azure AD Password Protection DC agent periodically tries to download a new copy of the Azure Password Policy? (e.g. every 15 minutes or 30 minutes) 

 

Thank you,

George

 

Hi @George Smyrlis,

 

Yes, every hour; you can find this info in the official docs too:
===============================================

The DC Agent service always requests a new policy at service startup. After the DC Agent service is started, it checks the age of the current locally available policy hourly. If the policy is older than one hour, the DC Agent requests a new policy from Azure AD via the proxy service, as described previously. If the current policy isn't older than one hour, the DC Agent continues to use that policy.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-p...
===============================================

Ciao ;)

New Contributor

Good question George Smyrlis. 
I have another question @Daniele De Angelis :)

Microsoft recommends 2 proxy servers for uptime concerns, but does the DC ever lose its cache of the policy from the proxy server?
For example if the DC restarts?
Does it ever become a problem to reset a password if the proxy service is unavailable, for days maybe?
 

Or is the only concern if we want the latest banlist from the Microsoft global banlist?

Hi @Micki Wulffeld,

I'll try to respond to your questions :

1) The DC doesn't lose the local copy of the Microsoft global and custom banned password lists if you reboot it, for example.

2) If you have two proxy services and they are offline for days, the DC Agent on the DC will continue to use the old version of the global and custom banned password lists (even if you reboot it in this time, for example for patching), but for sure if you add new custom passwords in the Azure portal they will not be applied on-premises until your proxy services are back online.
3) Even if the proxy services are offline, the DC will continue to reset passwords using the local copy of the global and custom banned password lists.

 

Many thanks for asking ;)

Ciao