Azure AD Password Protection and Smart Lockout are now in Public Preview!

Published Sep 07 2018 09:15 AM 66.1K Views
First published on CloudBlogs on Jun, 19 2018
Howdy folks,

Many of you know that unfortunately, all it takes is one weak password for a hacker to get access to your corporate resources. Hackers can often guess passwords because regular users are pretty predictable. Regular users create easy to remember passwords, and they reuse the same passwords or closely related ones over and over again. Hackers use brute force techniques like password spray attacks to discover and compromise accounts with common passwords, an attack pattern we told you about back in March .

So today I'm really excited to announce the public preview of Azure AD Password Protection and Smart Lockout. Azure AD Password Protection helps you eliminate easily guessed passwords from your environment, which can dramatically lower the risk of being compromised by a password spray attack. Specifically, these features let you:

  1. Protect accounts in Azure AD and Windows Server Active Directory by preventing users from using passwords from a list of more than 500 of the most commonly used passwords, plus over 1 million character substitution variations of those passwords.
  2. Manage Azure AD Password Protection for Azure AD and on-premises Windows Server Active Directory from a unified admin experience in the Azure Active Directory portal.
  3. Customize your Azure AD smart lockout settings and specify a list of additional company specific passwords to block.

Why you need Azure AD Password Protection

Banned passwords

Most users think if they have chosen a password that meets a complexity requirement, something like P@$$w0rd1!, they're safe, which is exactly wrong. Attackers know how users create passwords, and there are three general rules to be aware of.
  • They know to account for character substitutions like "$" for "s". "P@$$w0rd" isn't fooling anyone.
  • They also that if there are complexity rules, most people will apply them in the same way: by starting a word with a capital letter and ending the password with a digit or punctuation. (Because of this we've been recommending doing away with complexity rules , and the latest NIST recommendations agree .)
  • They know that requiring users to change their passwords periodically leads to other predictable patterns. For instance, if users have to change their password every quarter, they frequently pick passwords based on sports teams, months or seasons and combine them with the current year.
The fix to all of this is to apply a banned password system when users change their passwords, like Azure AD Password Protection. This is both the NIST recommendation and what we do in the cloud for Microsoft accounts and Azure AD accounts. Today's public preview gives you both the ability to do this in the cloud and on-premises—wherever your users change their passwords—and unprecedented configurability. All this functionality is powered by Azure AD, which regularly updates the databased of banned passwords by learning from billions of authentications and analysis of leaked credentials across the web. By checking all the password set or reset operations for your organization, password protection ensures that only passwords meeting your, and our, standards exist in your directory. Azure AD Password Protection also provides an integrated admin experience to control checks for passwords in your organization, in Azure and on-premises. Please note: Azure AD Premium Password Protection is an Azure AD Premium 1 feature.

Smart Lockout

Smart lockout is our lockout system that uses cloud intelligence to lock out bad actors who are trying to guess your users' passwords. That intelligence can recognize sign-ins coming from valid users and treats those differently than ones that attackers and other unknown sources. This means smart lockout can lock out the attackers while letting your users continue to access their accounts and be productive. Smart lockout is always on for all Azure AD customers with default settings that offer the right mix of security and usability, but you can also customize those settings with the right values for your environment. With banned passwords and smart lockout together, Azure AD password protection ensures your users have hard to guess passwords and bad guys don't get enough guesses to break in. Please note: Azure AD Smart Lockout is included in all versions of Azure AD (including those versions in Office365).

Get started in three simple steps

By default, all Azure AD password set and reset operations for Azure AD Premium users are configured to use Azure AD password protection. To configure a custom list of banned password strings for your organization and to configure Azure AD password protection for Windows Server Active Directory, follow the below simple steps:

Configure the password protection for your tenant

Go to Azure AD Active Directory > Security > Authentication Methods.

Customize your settings

  1. Set your custom smart lockout threshold (number of failures until the first lockout) and duration (how long the lockout period lasts)
  2. Enter the banned password strings for your organization in the textbox provided (one string per line) and turn on enforcement of your custom list
  3. Extend banned password protection to Windows Server Active Directory by enabling password protection in Active Directory. Start with the audit mode, which gives you the opportunity to evaluate the current state in your organization. Once an action plan is finalized, flip the mode to Enforced to start protecting users by preventing any weak passwords being used.

Install the Azure AD password protection proxy and domain controller agents in your on-premises environment.

Download the agents from the download center and use the instructions in the password protection deployment guide . Both the domain controller agent and the proxy agent support silent installation which can be leveraged using various deployment mechanisms like SCCM.

That's it! You're now configured to use Azure AD password protection across Azure AD and on-premises. Take a read through our detailed documentation to learn more about this functionality. As always, we're eager to hear from you! Still have more questions for us? Email aadppfeedback@microsoft.com or join us at the Ask Me Anything Session for Azure AD password protection. We look forward to hearing your feedback! Best regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division
37 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-363060%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-363060%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160476%22%20target%3D%22_blank%22%3E%40Rohini%20Goyal%3C%2FA%3E%26nbsp%3B%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20your%20response.%20Can%20I%20please%20clarify%20a%20little%20further%3F%20You%20mentioned%20that%20O365%20E3%20grants%20Azure%20AD%20P1%20privileges.%20This%20seems%20strange%2C%20as%20O365%20E3%20does%20not%20give%20us%20an%20AAD%20P1%20license.%20M365%20E3%20and%20EMS%20E3%20would%2C%20but%20not%20O365%20E3.%20Are%20the%20P1%20privileges%20mentioned%20different%20to%20an%20actual%20license%20in%20this%20case%2C%20i.e.%20the%20O365%20E3%20does%20not%20give%20an%20actual%20license%20but%20is%20suitably%20high%20enough%20to%20enable%20access%20to%20AAD%20P1%20features%20even%20without%20being%20actually%20licensed%20for%20it%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThank%20you%20again%20for%20helping%20me%20with%20this.%20Cheers.%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%2C%3CBR%20%2F%3EChris%20Vella%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-362487%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-362487%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Chris%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGreat%20question.%20Having%20an%20O365%20E3%20license%20grants%20you%20Azure%20AD%20P1%20privileges.%20So%20for%20your%20users%20that%20have%20the%20E3%20license%2C%20they're%20effectively%20P1%20users%20in%20AAD.%20Sounds%20like%20all%20your%20users%20have%20either%20an%20E3%20or%20P1%20license%2C%20and%20if%20that's%20the%20case%2C%20you're%20good%20to%20go%20%3A)%3C%2Fimg%3E%20Your%20current%20licensing%20satisfies%20the%20requirements%20to%20use%20Smart%20Lockout%2C%20Banned%20Passwords%2C%20and%20the%20Active%20Directory%20features.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-361251%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-361251%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Chris%2C%20that's%20a%20good%20question%20and%20I%20honestly%20don't%20know%20the%20answer.%26nbsp%3B%20I've%20forwarded%20the%20question%20to%20some%20other%20folks%20here%20at%20Microsoft%2C%20hopefully%20we%20will%20have%20an%20answer%20posted%20soon.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-360874%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-360874%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160485%22%20target%3D%22_blank%22%3E%40Jay%20Simmons%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20I%20just%20confirm%20something%3F%20Half%20our%20organisation%20is%20currently%20licensed%20for%20Azure%20AD%20P1%2C%20but%20the%20others%20are%20only%20O365%20E3.%20If%20I%20implement%20AADPP%20for%20on%20premise%2C%20will%20the%20policies%20successfully%20apply%20across%20all%20users%20without%20issue%3F%20Would%20the%20current%20licensing%20have%20any%20impact%20on%20being%20able%20to%20use%20the%20feature%3F%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20looking%20to%20go%20full%20Azure%20AD%20P1%20in%20the%20near%20future%2C%20but%20just%20happen%20to%20need%20to%20AADPP%20features%20before%20that%20order%20goes%20in.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20any%20help.%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%2C%3CBR%20%2F%3EChris%20Vella%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-354677%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-354677%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Eric%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20password%20change%20is%20what%20happens%20when%20a%20user%20changes%20their%20password%2C%20eg%20they%20use%20their%20current%20password%20to%20log%20into%20Windows%2C%20but%20are%20then%20prompted%20to%20choose%20a%20new%20password.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20password%20set%20(or%20reset)%20is%20what%20happens%20when%20someone%20(usually%20a%20higher-privileged%20account%2C%20eg%20a%20Domain%20Admin)%20decides%20to%20arbitrarily%20replace%20the%20password%20on%20an%20account%20with%20a%20new%20password%2C%20ie%20using%20Powershell%20or%20the%20Active%20Directory%20Users%20and%20Computers%20mgmt%20snapin.%26nbsp%3B%20Usually%20the%20person%20doing%20this%20does%20not%20have%20knowledge%20of%20the%20old%20password.%26nbsp%3B%20You%20will%20also%20see%20%22password%20set%22%20events%20when%20a%20brand%20new%20user%20account%20is%20being%20created%20for%20the%20first%20time.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20hope%20this%20clarifies%20the%20difference%2C%20let%20me%20know%20if%20it%20does%20not.%26nbsp%3B%20And%20I%20will%20add%20these%20descriptions%20to%20the%20docs%2C%20probably%20from%20the%20Azure%20AD%20Password%20Protection%20faq%20topic%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-faq%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-faq%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3Ethanks!%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EJay%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-354672%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-354672%22%20slang%3D%22en-US%22%3E%3CP%3EAlex%20we%20are%20deploying%20this%20and%20we%20ran%20into%20a%20question.%20While%20auditing%20the%20last%204%20days%20of%20events%20we%20see%20a%20not%20insignificant%20amount%20of%26nbsp%3BPasswordChangeAuditOnlyFailures%20as%20well%20less%26nbsp%3BPasswordSetAuditOnlyFailures.%20My%20question%20is%20what%20is%20the%20difference%20between%20a%20Change%20and%20a%20Set%20and%20can%20that%20be%20added%20to%20the%20documentation%20somewhere%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-353110%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-353110%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Jay%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20getting%20back%20to%20me%20promptly!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENIST%20and%20even%20MS%2C%20recommend%20that%20you%20do%20not%26nbsp%3Bchange%20your%26nbsp%3Bpassword%20frequently%2C%20simply%20due%20to%20the%20fact%20that%20people%20will%20increment%20their%20password%20or%20only%20change%20it%20subtly.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20wouldn't%20want%20to%20enable%20password%20never%20expires%20without%20additional%20tools%20and%20advice%26nbsp%3Bto%20prevent%20users%20from%20entering%20weak%20%5C%20leaked%20passwords%20and%20have%20differing%20policies%20applied%20to%20priv%20accounts.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-353078%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-353078%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23f8f8f8%3B%20color%3A%20%23333333%3B%20font-family%3A%20'SegoeUI'%2C'Lato'%2C'Helvetica%20Neue'%2CHelvetica%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EHi%20JD%2C%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%22%3EThis%20probably%20won't%20be%20a%20surprise%20to%20you%2C%20but%20s%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23f8f8f8%3B%20color%3A%20%23333333%3B%20font-family%3A%20'SegoeUI'%2C'Lato'%2C'Helvetica%20Neue'%2CHelvetica%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3Eetting%20password-never-expires%20is%20not%20a%20recommended%20security%20best%20practice.%26nbsp%3B%20If%20you%20deploy%20Azure%20AD%20Password%20Protection%20in%20your%20AD%20forest%2C%20it's%20probably%20ok%20to%20increase%20MaxPasswordAge%20by%20some%20factor%20-%20but%20not%20%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23f8f8f8%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3Epassword-never-expires%3C%2FSPAN%3E%3C%2FFONT%3E.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%22%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23f8f8f8%3B%20color%3A%20%23333333%3B%20font-family%3A%20'SegoeUI'%2C'Lato'%2C'Helvetica%20Neue'%2CHelvetica%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EGoing%20back%20to%20your%20main%20question%3A%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%22%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23f8f8f8%3B%20color%3A%20%23333333%3B%20font-family%3A%20'SegoeUI'%2C'Lato'%2C'Helvetica%20Neue'%2CHelvetica%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%26gt%3B%26gt%3BSo%20having%20differing%20policies%20that%20can%20be%20applied%20to%20a%20subset%20of%20users%20would%20be%20of%20benefit.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%22%3ESetting%20password-never-expires%20seems%20orthogonal%20to%20deploying%26nbsp%3B%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23f8f8f8%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EAzure%20AD%20Password%20Protection.%26nbsp%3B%20Regardless%20of%20whether%20or%20not%20a%20password%20will%20expire%20or%20not%2C%20it%20is%20still%20a%20good%20idea%20to%20try%20to%20make%20sure%20that%20that%20password%20is%20not%20easily%20guessable.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%22%3EI%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23f8f8f8%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3Ef%20the%20concern%20here%20is%20that%20those%20users%20who%20do%20NOT%20have%20password-never-expires%20may%20be%20%22upset%22%20by%20being%20forced%20to%20select%20stronger%20passwords%2C%20well%20I%20would%20say%20that%20for%20most%20customers%20this%20is%20considered%20a%20relatively%20minor%20cost%20that%20is%20easily%20accepted%20given%20the%20larger%20security%20benefits.%26nbsp%3B%20If%20those%20users%20are%20highly%20privileged%20such%20as%20Domain%5CEnterprise%20Admins%2C%20then%20this%20is%20even%20more%20true.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23f8f8f8%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23f8f8f8%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EJay%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-352933%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-352933%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Jay%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20going%20to%20enable%20password%20never%20expires%2C%20but%20I%20do%20not%20want%20the%20password%20never%20expires%26nbsp%3Bpolicy%20to%20be%20applied%20to%20our%20Domain%20Admins%20%5C%20Enterprise%20Admins%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20having%20differing%20policies%20that%20can%20be%20applied%20to%20a%20subset%20of%20users%20would%20be%20of%20benefit.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJD%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-352747%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-352747%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20JD808717%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESorry%20but%20we%20do%20not%20support%20scoping%20the%20Azure%20AD%20Password%20Protection%20policy%20to%20a%20subset%20of%20users%2C%20whether%20we%20are%20talking%20about%20users%20at%20the%20Azure%20level%20or%20(when%20deployed%20and%20enabled)%20in%20the%20on-premises%20Active%20Directory%20environment.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20respect%20to%20Active%20Directory%20FGPP%2C%20it's%20the%20same%20basic%20answer%3A%20%26nbsp%3B%20AADPP%20will%20always%20be%20in%20effect%20regardless%20of%20whether%20a%20FGPP%20policy%20is%20in%20effect%20for%20a%20given%20user%20account%20or%20not.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20see%20this%20answer%20and%20have%20time%20to%20reply%2C%20I%20wouldn't%20mind%20hearing%20the%20reasons%20that%20you%20think%20downgrading%20password%20security%20levels%20for%20some%20of%20your%20users%20is%20a%20good%20idea%20(honest%20question%20%3A)).%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ethx%2C%3C%2FP%3E%0A%3CP%3EJay%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-352397%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-352397%22%20slang%3D%22en-US%22%3E%3CP%3ERohini%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewe%20are%20part%20of%20a%20MS%20EA%20agreement%20and%20though%20use%20a%20basic%20license%20with%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20intention%20is%20to%20change%20settings%20for%20customers%20that%20sign%20up%20with%20'our'%20B2C%20AD...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20regards%2C%3C%2FP%3E%3CP%3EChristopher%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-343781%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-343781%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20I%20know%20the%20answer%20to%20this%20already.%20Is%20there%20the%20functionality%20to%20allow%20for%20multiple%20policies%20to%20be%20applied%20to%20different%20user%20accounts%3F%20I%20am%20looking%20to%20propose%20password%20never%20expires%20for%20non%20privileged%20accounts%20and%20enforce%20%22secure%22%20passwords%2C%20preferably%20passphrases%20to%20be%20used.%20I%20know%20tools%20like%20Thycotic%2C%20Manage%20Engine%20etc%2C%20have%20varying%20policies%20available.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20were%20to%20use%20MS%20ADPP%2C%20would%20I%20still%20be%20reliant%20on%20FGPP%20for%20unique%20policies%20for%20PRIV%20accounts%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJD%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-327671%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-327671%22%20slang%3D%22en-US%22%3E%3CP%3EChristopher%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou're%20right%2C%20by%20tenant%20admin%20I%20meant%20global%20admin%2C%20so%20the%20blade%20should%20be%20visible%20to%20him.%20What%20license%20are%20you%20using%3F%20You%20mentioned%20B2C.%20Is%20your%20global%20admin%20trying%20to%20change%20the%20settings%20for%20the%20end%20consumer%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-327555%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-327555%22%20slang%3D%22en-US%22%3E%3CP%3ERobert%2C%20trust%20me%20we're%20working%20on%20it.%26nbsp%3B%20Should%20be%20go%20GA%20this%20quarter%20(before%20end%20of%20March).%20%26nbsp%3B%20Thank%20you%20for%20the%20interest%20though%20-%20really%20appreciate%20hearing%20that.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-327554%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-327554%22%20slang%3D%22en-US%22%3E%3CP%3EAmy%2C%20the%20answer%20is%20no.%26nbsp%3B%20If%20you%20enable%20the%20custom%20list%20it%20augments%20the%20Microsoft-maintained%20global%20list.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-327454%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-327454%22%20slang%3D%22en-US%22%3E%3CP%3EPlease%20go%20GA.%20has%20testing%20not%20completed%3F%20I%20cant%20put%20non%20GA%20services%20into%20our%20Prod%20environment...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-327448%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-327448%22%20slang%3D%22en-US%22%3E%3CP%3EQuick%20question.%20If%20I%20enable%20the%20custom%20list%20is%20it%20going%20to%20disable%20the%20default%20list%20that%20you%20are%20providing%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-324177%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324177%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Rohini%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Egreat%20news!%20Thanks%20for%20clarifying%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20specific%20right%20neccessary%20for%20changing%20the%20lockout%20duration%3F%20Because%20our%20collegue%2C%20who%20is%20responsible%20for%20the%20B2C%20settings%2C%20is%20not%20able%20to%20change%20settings%20regarding%20the%20'Password%20protection'%20topic.%20You%20mentioned%20the%20'tenant%20admin'%20-%20he%20is%20'global%20admin'%20-%20I%20can%20not%20see%20a%20difference%20from%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-assign-admin-roles%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-assign-admin-roles%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%2C%20to%20bother%20you%20once%20more.%3C%2FP%3E%3CP%3EThanks%2C%20Christopher%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CEM%3EUpdate%3A%20Screenshot%20slightly%20modified...%2002-18-2019%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F83447i5E087F84653D2D91%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Azure%20Auth.jpg%22%20title%3D%22Azure%20Auth.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-324125%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324125%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Christopher%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1)%20We%20apologize%20for%20the%20confusion.%20Password%20Protection%20for%20cloud%20authentications%20requires%20any%20paid%20license.%20If%20you%20would%20like%20to%20have%20banned%20password%20support%20on%20your%20on-premise%20active%20directory%2C%20you%20need%20a%20premium%20license.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E2)%20Great%20question.%20It%20is%20in%20fact%20on%20for%20%3CEM%3Eeveryone%3C%2FEM%3E%20already%2C%20regardless%20of%20license%20and%20GA.%20All%20users%20are%20under%20the%20default%20setting%20of%2010%20failed%20sign-in%20attempts%20-%26gt%3B%2060%20second%20lockout%20period%2C%20unless%20a%20tenant%20admin%20has%20configured%20the%20settings%20themselves.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E3)%20Configuring%20lockout%20only%20requires%20any%20paid%20license.%20A%20premium%20license%20is%20not%20necessary%20-%20an%20AAD%20basic%20license%20will%20do.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20let%20me%20know%20if%20you%20have%20any%20other%20questions.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-320826%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-320826%22%20slang%3D%22en-US%22%3E%3CP%3EInteresting%20feature%20at%20all.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Might%20I%20ask%20whether%20there%20is%20a%20difference%20between%20'AD%20Password%20Protection'%20and%20'AD%20Premium%20Password%20Protection'%3F%20Most%20of%20the%20time%20you%20refer%20to%20'Password%20Protection'%2C%20but%20then%20it%20says%20'%3CEM%3EPlease%20note%3A%20Azure%20AD%20Premium%20Password%20Protection%20is%20an%20Azure%20AD%20Premium%201%20feature.%3C%2FEM%3E'%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2)%20Regarding%20the%20'Smart%20Lockout'%20you%20say%20'%3CSPAN%3Eis%20always%20on%20for%20all%20Azure%20AD%20customers%20with%20default%20settings'%20-%20does%20this%20mean%20it%20is%20on%20right%20now%20or%20starting%20with%20GA%3F%20And%20is%20it%20on%20only%20for%20customers%20with%20premium%20license%2C%20or%20really%20all%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E3)%20We%20are%20interested%20in%20a%20more%20restricted%20lockout%20(10%20minutes%20instead%20of%20around%201).%20If%20this%20is%20the%20only%20thing%20we%20want%20to%20configure%2C%20do%20we%20need%20to%20have%20a%20premium%20license%20for%20all%20of%20our%20AD%20users%20or%20is%20this%26nbsp%3Bincluded%20in%20B2C%20basically%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThank%20you.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-309606%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309606%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20this%20feature%26nbsp%3Benabled%20by%20default%20of%20Office%20365%20cloud%20tenants%3F%20I've%20just%20had%20a%20user%20report%20they've%20got%20the%26nbsp%3Berror%26nbsp%3B%22%3CSPAN%3EChoose%20a%20password%20that%E2%80%99s%20harder%20for%20people%20to%20guess%3C%2FSPAN%3E%22.%20I've%20not%20enabled%20this%20feature%26nbsp%3Bmyself%20and%26nbsp%3Bthey%20don't%20current%20use%20self-service%20password%20resets.%26nbsp%3BWe%20did%20enable%20it%20once%20but%20that%20caused%20everyone%20to%20get%20the%20prompt%20about%20additional%20authentication%20methods%20which%20we%20weren't%20ready%20for%20so%20turned%20it%20off%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELater...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EActually%20we%26nbsp%3B%3CEM%3Edo%3C%2FEM%3E%20have%20self-service%20password%20reset%20enabled%20but%20only%20for%26nbsp%3Bthree%20test%26nbsp%3Busers.%20Does%20the%20code%20take%20this%20into%20account%20when%20checking%20the%20password%20like%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIF%20(self-service%26nbsp%3Bpassword%20enabled)%20AND%20(all%20users%20OR%20user%20is%20in%20the%20group)%20THEN%20check%20for%20common%20word%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-294849%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-294849%22%20slang%3D%22en-US%22%3E%3CP%3ECorey%20-%26nbsp%3BWe%20would%20love%20to%20help%20you%20resolve%20this%20issue.%20Can%20you%20please%20email%26nbsp%3B%3CU%3E%3CFONT%20color%3D%22%230b0117%22%3E%3CA%20href%3D%22mailto%3Aaadppfeedback%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eaadppfeedback%40microsoft.com%3C%2FA%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FU%3E%3CFONT%20color%3D%22%230b0117%22%3E%20with%20the%20above%20problem%20and%20we%20can%20setup%20a%20call%20to%20help%20identify%20where%20the%20problem%20is.%20Do%20you%20have%20banned%20passwords%20deployed%20on%20your%20DCs%20as%20well%3F%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-294373%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-294373%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20implemented%20the%20Azure%20AD%20Password%20Protection%2C%20and%20it%20has%20completely%20broken%20our%20ability%20to%20do%20self-service%20password%20reset%20with%20password%20hash%20sync%20and%20writeback%20to%20AD%20through%20Azure%20AD%20connect.%20For%20the%20passwordreset.microsoftonline.com%20site%20or%20the%20%22Forgot%20my%20password%22%20link%20-%20no%20matter%20how%20complex%20or%20long%20of%20a%20password%20our%20users%20use%2C%20it%20always%20complains%20about%20not%20enough%20complexity.%20This%20is%20affecting%20every%20user.%20What%20could%20we%20be%20missing%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-292333%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-292333%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Callum%20-%20on%20your%20first%20question%2C%20the%20current%20licensing%20requirement%20is%20that%20all%20users%20being%20synchronized%20to%20Azure%20AD%20must%20have%20a%20premium%20license.%26nbsp%3B%26nbsp%3B%20The%20onpremises%20security%20benefits%20of%20AADPP%20are%20still%20applied%20though%20for%20all%20other%20onpremises%20users%20that%20are%20not%20being%20synchronized.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20your%20second%20question%2C%20changes%20to%20either%20the%20global%20or%20per-tenant%20banned%20password%20lists%20are%20not%20immediately%20pushed%20down%20to%20the%20onpremises%20agents%20(ie%2C%20the%20DC%20agents%20running%20on%20your%20DCs).%26nbsp%3B%26nbsp%3B%20Instead%2C%20the%20current%20design%20uses%20a%20polling%20model%20where%20(usually)%20one%20DC%20per%20domain%20will%20poll%20Azure%20for%20the%20latest%20policy%20(banned%20password%20lists)%20once%20per%20hour.%26nbsp%3B%26nbsp%3B%20This%20frequency%20is%20just%20a%20reasonable%20balance%20since%20usually%20neither%20list%20(global%20or%20per-tenant)%20is%20being%20changed%20anywhere%20near%20that%20often.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20feel%20free%20to%20contact%20me%20offline%20if%20you%20have%20further%20questions.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-292329%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-292329%22%20slang%3D%22en-US%22%3E%3CP%3ELonnard%3A%26nbsp%3B%26nbsp%3B%20on%20your%20password%20examples%2C%20be%20aware%20that%20the%20current%20algorithm%20does%20take%20into%20account%20complexity%20that%20is%20present%20even%20once%20a%20banned%20token%20is%20detected.%26nbsp%3B%26nbsp%3B%26nbsp%3B%20In%20your%20example%2C%20%22frogs%22%20was%20detected%20but%20%221234%22%20gave%20it%20enough%20extra%20complexity%20to%20allow%20it%20to%20be%20accepted.%26nbsp%3B%26nbsp%3B%20The%20algorithm%20tries%20to%20strike%20a%20balance%20between%20security%20and%20usability%20in%20this%20regard.%26nbsp%3B%20The%20algorithm%20is%20tuned%20fairly%20often%20so%20nothing%20should%20be%20regarded%20as%20set%20in%20stone.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20your%20lockout%20issues%2C%20I%20am%20not%20aware%20of%20any%20potential%20interaction%20between%20onpremises%20Azure%20AD%20Password%20Protection%20DC%20agents%20and%20the%20Default%20Domain%20policy%20-%20from%20AD's%20perspective%2C%20AADPP%20is%20just%20another%20installed%20password%20filter%20dll.%26nbsp%3B%26nbsp%3B%20Would%20you%20please%20contact%20me%20offline%20so%20I%20can%20get%20a%20few%20more%20details%20from%20you%20on%20this%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-291373%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-291373%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Alex%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20a%20great%20feature.%26nbsp%3BSome%20queries%20though%3B%3C%2FP%3E%3CP%3E1.%20If%20we%20only%20have%20one%20account%20with%20an%20Azure%20AD%20prem%20licence%26nbsp%3Bdoes%20activating%20'Enforce%20custom%20list'%20only%20apply%20to%20that%20one%20particular%20user%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CSPAN%3Eupdates%20the%20databased%20of%20banned%20passwords%20by%20learning%20from%20billions%20of%20authentications%20and%20analysis%20of%20leaked%20credentials%20across%20the%20web.%20By%20checking%20all%20the%20password%20set%20or%20reset%20operations%20for%20your%20organization%2C%20password%20protection%20ensures%20that%20only%20passwords%20meeting%20your%2C%20and%20our%2C%20standards%20exist%20in%20your%20directory.%26nbsp%3B%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E2.%20How%20exactly%20do%20we%20connect%20with%20this%20'databased%20of%20banned%20passwords'%20does%20it%20happen%20automatically%20the%20moment%20we%20enable%20'Enforce%20custom%20list'%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EMany%20thanks%2C%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-290538%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290538%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3BAnother%20problem%20has%20surfaced.%20I%20am%20investigating%20the%20environment%2C%20but%20this%20seems%20to%20interfer%20with%20account%20lockouts.%20We%20have%20the%20default%20password%20policy%20set%20to%2010%20attempts.%20We%20notice%20that%20once%20we%20get%20to%206%20attempts%2C%20there%20is%20a%20delay%20of%2030%20seconds%20before%20allowing%20us%20further%20logon%20attempts.%20This%20appears%20to%20reset%20the%20count%20and%20therefore%20the%20threshold%20of%2010%20attampts%20is%20never%20reached.%20I%20set%20the%20Smart%20lockout%20threshold%20in%20Azure%20to%2012.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMore%20to%20this%2C%20no%20matter%20what%20thresholds%20are%20set%20in%20Smart%20Lockout%20or%20on-premises%20Default%20Domain%20Policy%2C%20on-prem%20user%20accounts%20will%20never%20get%20locked%20out%20once%20agents%20are%20installed%20on%20domain%20controllers.%20We%20disabled%20all%20agents%20and%20now%20the%20Default%20Domain%20Policy%20takes%20effect%20again.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-290536%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290536%22%20slang%3D%22en-US%22%3E%3CP%3EHere%20is%20what%20I%20have%20found.%20If%20your%20on-premises%20GPO%20dictates%208%20minimum%20characters%2C%20then%20the%20words%20in%20banned%20passowrd%20list%20but%20span%20at%20least%205%20character%20os%20the%20password%20in%20order%20for%20it%20to%20show%20as%20bad.%20e.g.%20say%20you%20add%20the%20word%20%22frogs%22.%20If%20you%20enter%20123frogs%20it%20will%20be%20rejected.%20But%20if%20you%20enter%201234frogs%2C%20it%20will%20be%20accepted%20because%20the%20banned%20word%20only%20covers%20the%20last%20four%20required%20characters.%26nbsp%3B%20Also%2C%20it%20states%20the%20words%20must%20be%20at%20least%204%20characters.%20So%20if%20we%20add%20%22frog%22%2C%20this%20word%20will%20never%20be%20rejected%20because%20it%20will%20only%20ever%20span%20half%20the%20required%20password%20length.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMore%20curious%20results.%20I%20added%20a%207%20character%20word%20in%20the%20custom%20list%20%22%3CSPAN%3Epapanui%22.%20I%20was%20not%20able%20to%20use%26nbsp%3Bpapanui1%2C%26nbsp%3Bpapanui12%2C%26nbsp%3Bpapanui123%2C%20but%20I%20was%20able%20to%20use%26nbsp%3Bpapanui1234.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-276937%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-276937%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20there%20any%20reporting%20ability%20tied%20to%20this%20yet%3F%20Would%20like%20to%20see%20trends%20and%20problem%20accounts%20for%20remediation.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-264786%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-264786%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20still%20working%20on%20the%20final%20plan%2C%20but%20probably%20won't%20be%20GA%20until%20Q1%20CY19.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253469%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253469%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53477%22%20target%3D%22_blank%22%3E%40Alex%20Simons%20(AZURE)%3C%2FA%3E%26nbsp%3BAny%20idea%20when%20this%20is%20going%20to%20come%20out%20of%20preview%3F%20We%20want%20to%20roll%20out%20after%20testing%26nbsp%3Bin%20the%20lab%20since%20June%26nbsp%3Bbut%20have%20policies%20against%20installing%20preview%20software%20in%20a%20prod%20environment.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-415258%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-415258%22%20slang%3D%22en-US%22%3EI'm%20not%20sure%20of%20the%20position%20of%20AAD%20SmartLockout%20vs%20ADFS%20Extranet%20Smart%20Lockout%20%3F%20Could%20someone%20details%20the%20benefits%20vs%20ESL%20%3F%20thanks%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-392625%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-392625%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160476%22%20target%3D%22_blank%22%3E%40Rohini%20Goyal%3C%2FA%3E%26nbsp%3B%2C%3CBR%20%2F%3E%3CBR%20%2F%3EAny%20chance%20of%20getting%20a%20response%20to%20the%20above%3F%20Otherwise%2C%20is%20there%20someone%20that%20I%20may%20be%20able%20to%20make%20contact%20with%20to%20clarify%20specifically%3F%20Thanks.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERegards%2C%3CBR%20%2F%3EChris%20Vella%3CBR%20%2F%3E%3CBR%20%2F%3EEdit%3A%20Now%20that%20the%20products%20are%20GA%20the%20licensing%20has%20been%20clarified%20to%20require%20an%20Azure%20AD%20P1%20or%20greater.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-638754%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-638754%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20getting%20ready%20to%20go%20live%20with%20Azure%20AD%20Password%20Protection.%26nbsp%3B%20I%20have%20some%20questions%20related%20to%20rollout%20strategy.%26nbsp%3B%20It%20seems%20as%20if%20this%20feature%20is%20either%20on%20or%20off%2C%20there's%20not%20really%20a%20great%20way%20for%20a%20phased%20deployment%20(other%20than%20installing%20on%20just%20a%20subset%20of%20Domain%20Controllers).%26nbsp%3B%20But%20that%20isn't%20a%20great%20option%20since%20you%20can't%20control%20which%20DC%20a%20user%20gets%20directed%20to%20for%20a%20password%20change.%3C%2FP%3E%3CP%3EOur%20on-premise%20Group%20Policy%20for%20password%20complexity%20is%20as%20follows%3A%3C%2FP%3E%3CUL%3E%3CLI%3ECannot%20contain%20name%20and%2For%20username%3C%2FLI%3E%3CLI%3E8%20character%20minimum%3C%2FLI%3E%3CLI%3EMust%20use%203%20of%20the%20following%204%20requirements%3CUL%3E%3CLI%3EUppercase%20letters%3C%2FLI%3E%3CLI%3ELowercase%20letters%3C%2FLI%3E%3CLI%3EBase%2010%20digit%3C%2FLI%3E%3CLI%3ESpecial%20character%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3EPassword%20age%20limit%20%3D%20105%20days%20(at%20which%20point%20they%20must%20change%20their%20password)%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWe%20would%20like%20to%20change%20our%20policy%20as%20follows%20(everything%20not%20listed%20below%20will%20remain%20the%20same%20as%20what's%20listed%20above)%3A%3C%2FP%3E%3CUL%3E%3CLI%3E10%20character%20minimum%3C%2FLI%3E%3CLI%3EMust%20use%204%20of%204%20requirements%20(upper%2C%20lower%2C%20base%2010%2C%20special%20char)%3C%2FLI%3E%3CLI%3EPassword%20age%20limit%20%3D%200%20(passwords%20no%20longer%20expire%2C%20per%20recommendation%20from%20Microsoft)%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20currently%20have%20AADPP%20enabled%20in%20Audit%20Only%20mode.%26nbsp%3B%20Once%20we%20flip%20the%20switch%20to%20Enforce%2C%20what%20can%20we%20expect%3F%26nbsp%3B%20Will%20users%20with%20weak%20and%2For%20banned%20passwords%20be%20prompted%20to%20change%20their%20password%20immediately%3F%26nbsp%3B%20Since%20we%20are%20changing%20from%20%22Passwords%20expire%20every%20105%20days%22%20to%20%22Passwords%20never%20expire%22%2C%20how%20can%20we%20effectively%20roll%20this%20feature%20out%20to%20the%20masses%2C%20and%20get%20them%20to%20set%20a%20stronger%20password%3F%3C%2FP%3E%3CP%3EWe%20need%20this%20to%20have%20a%20little%20disruption%20as%20possible%20because%2C%20as%20we%20all%20know%2C%20updating%20your%20password%20can%20be%20a%20disruptive%20event%3B%20especially%20for%20a%20mobile%20workforce.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20documentation%20doesn't%20really%20have%20much%20guidance%20on%20what%20to%20expect%20once%20you%20go%20live%2C%20and%20doesn't%20give%20any%20recommendations%20on%20how%20to%20enable%20the%20feature%20while%20switching%20the%20on-premise%20group%20policy%20to%20no%20longer%20expire%20passwords.%26nbsp%3B%20Do%20you%20have%20any%20guidance%20or%20suggestions%20to%20help%20with%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-638851%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-638851%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F347595%22%20target%3D%22_blank%22%3E%40Junior049%3C%2FA%3E%20%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20you%20describe%2C%20it's%20a%20bit%20painful%20to%20produce%20a%20deterministic%20phased%20outcome%20when%20it%20comes%20to%20rolling%20a%20password%20change%20across%20your%20entire%20user%20base.%20Flipping%20the%20switch%20from%20Audit%20to%20Enforce%20has%20no%20effect%20on%20the%20expiration%20time%20of%20the%20existing%20passwords%20in%20your%20directory.%20Azure%20AD%20Password%20Protection%20does%20not%20attempt%20to%20influence%20or%20control%20password%20expiration%20times.%26nbsp%3B%26nbsp%3B%20So%20the%20only%20time%20the%20new%20Enforce%20mode%20actually%20has%20any%20impact%20or%20effect%20is%20when%20a%20user%20changes%20their%20password.%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%E2%80%99d%20suggest%20taking%20a%20look%20at%20the%20expiration%20time%20distribution%20of%20the%20currently%20stored%20passwords%20of%20your%20users.%20While%20there%20may%20be%20some%20clustering%20on%20certain%20days%20of%20the%20week%20(eg%2C%20Mondays)%20I%20would%20expect%20a%20fairly%20even%20distribution%20of%20expected%20pwd%20expirations%20across%20your%20current%20105%20day%20expiration%20window.%20With%20that%20in%20mind%2C%20one%20approach%20would%20be%20to%20flip%20to%20Enforce%20but%20leave%20your%20105%20days%20max-pwd-age%20policy%20as-is.%26nbsp%3B%26nbsp%3B%20You%20would%20then%20simply%20wait%20out%20the%20subsequent%20105%20days%20as%20the%20users%20change%20their%20passwords%20day-by-day%20and%20week-by-week.%20There%20will%20likely%20be%20some%20non-zero%20extra%20support%20costs%20during%20this%20time%20as%20users%20find%20that%20their%20favorite%20weak%20passwords%20are%20now%20getting%20rejected.%26nbsp%3B%26nbsp%3B%20(At%20least%20the%20support%20costs%20are%20spread%20out%20across%20time%20though.)%26nbsp%3B%26nbsp%3B%20At%20the%20end%20of%20that%20105%20days%20%E2%80%93%20ie%2C%20after%20all%20your%20users%20have%20gone%20through%20at%20least%20one%20password%20change%20with%20Enforce%20enabled%20%E2%80%93%20you%20can%20then%20change%20max-pwd-age%20to%20the%20new%20desired%20(longer)%20period.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20waiting%20105%20days%20is%20too%20long%2C%20then%20you%20can%20drive%20things%20faster%20with%20a%20bit%20more%20work%3A%20first%20flip%20to%20Enforce%20mode%2C%20then%20manually%20set%20the%20%E2%80%9CUser%20must%20change%20password%20at%20next%20logon%E2%80%9D%20flag%20on%20a%20selected%20set%20of%20accounts%20every%20day%20or%20every%20week.%26nbsp%3B%26nbsp%3B%20This%20approach%20will%20still%20incur%20some%20level%20of%20expected%20increased%20support%20costs%20of%20course.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%E2%80%99m%20not%20sure%20how%20the%20%E2%80%9Cmobile%E2%80%9D%20aspect%20of%20your%20user%20base%20affects%20this%20discussion%20%E2%80%93%20it%20sounds%20like%20you%E2%80%99ve%20already%20trained%20your%20users%20to%20change%20their%20passwords%20every%20105%20days%2C%20so%20if%20you%20choose%20to%20force%20them%20to%20change%20early%20that%20should%20not%20be%20a%20never-before-seen%20event%2C%20even%20for%20mobile%20users.%26nbsp%3B%26nbsp%3B%20Please%20clarify%20if%20I%E2%80%99ve%20misunderstood%20some%20part%20of%20the%20mobile%20aspect.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20other%20thing%20we%E2%80%99ve%20recommended%20is%20some%20level%20of%20pre-education%20of%20users%20before%20you%20flip%20to%20Enforce%20mode.%26nbsp%3B%26nbsp%3B%20I%E2%80%99ll%20admit%20I%20don%E2%80%99t%20have%20any%20data%20that%20would%20say%20how%20effective%20such%20education%20might%20be%2C%20but%20a%20broad%20company-wide%20%E2%80%9Cheads-up%20about%20upcoming%20stricter%20password%20enforcement%E2%80%9D%20email%20might%20help%20to%20reduce%20support%20costs%20(and%20I%20don't%20see%20how%20it%20could%20hurt).%26nbsp%3B%26nbsp%3B%20We%20have%20some%20previously%20published%20guidance%20here%3A%26nbsp%3B%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fresearch%2Fpublication%2Fpassword-guidance%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Password%20Guidance%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnyway%2C%20these%20are%20just%20some%20approaches%20I%20came%20up%20with%20off%20the%20top%20of%20my%20head.%26nbsp%3B%26nbsp%3B%20I%20know%20AADPP%20doesn%E2%80%99t%20do%20anything%20specifically%20to%20assist%20in%20the%20rollout%2C%20but%20on%20the%20other%20hand%20you%20can%20already%20control%20most%20of%20the%20rollout%20timing%20using%20existing%20Active%20Directory%20tooling.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20hope%20this%20helps%2C%3C%2FP%3E%0A%3CP%3EJay%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-641897%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-641897%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Jay%2C%20this%20is%20helpful!%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegarding%20the%20challenges%20with%20mobile%20users%2C%20I%20was%20just%20referring%20to%20how%20disruptive%20a%20password%20change%20event%20can%20be.%26nbsp%3B%20It's%20bad%20enough%20when%20a%20user%20is%20on-prem%3B%20change%20password%2C%20true-up%20your%20MFA%20with%20all%20the%20O365%20resources%2C%20update%20password%20on%20all%20your%20mobile%20devices%2C%20true-up%20MFA%20on%20those%2C%20etc.%26nbsp%3B%20If%20a%20user%20is%20remote%20they%20have%20to%20follow%20very%20specific%20steps%20in%20the%20proper%20sequence%20when%20updating%20their%20password%2C%20in%20order%20to%20ensure%20their%20computer%20receives%20the%20updated%20credential%20and%20updates%20their%20offline%20profile%20accordingly.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUpdating%20your%20password%20has%20just%20becoming%20increasingly%20difficult%20for%20non-technical%20employees%20now%20that%20their%20data%20and%20resources%20they%20access%20is%20mixed%20between%20on-prem%20and%20the%20cloud%2C%20many%20of%20them%20have%20multiple%20mobile%20devices%2C%20then%20throw%20in%20MFA%2C%20SSO%20and%20maybe%20a%20VPN%20and%20they%20tend%20to%20get%20confused.%26nbsp%3B%26nbsp%3B%3CIMG%20id%3D%22smileylol%22%20class%3D%22emoticon%20emoticon-smileylol%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fi%2Fsmilies%2F16x16_smiley-lol.png%22%20alt%3D%22Smiley%20LOL%22%20title%3D%22Smiley%20LOL%22%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again%20for%20the%20guidance!%26nbsp%3B%20These%20a%20good%20suggestions%20which%20will%20help%20with%20our%20upcoming%20enforcement%20of%20Azure%20AD%20Password%20Protection!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-652985%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-652985%22%20slang%3D%22en-US%22%3E%3CP%3ESame%20question%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F295906%22%20target%3D%22_blank%22%3E%40Chris_Vella%3C%2FA%3E%26nbsp%3B%20%2C%20we%20have%20a%20mixture%20of%20licenses%20in%20our%20tenant.%20Majority%20are%20Office%20365%20E3%20users%20and%20a%20subset%20of%20users%20have%20an%20EMS%20E3%20license.%20Can%20a%20single%20EMS%20E3%20license%20satisfy%20the%20requirements%20for%20ALL%20USERS%20to%20use%20Azure%20AD%20password%20protection%20for%20a%20hybrid%20environment%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-245423%22%20slang%3D%22en-US%22%3EAzure%20AD%20Password%20Protection%20and%20Smart%20Lockout%20are%20now%20in%20Public%20Preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-245423%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3EFirst%20published%20on%20CloudBlogs%20on%20Jun%2C%2019%202018%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20Howdy%20folks%2C%3CP%3EMany%20of%20you%20know%20that%20unfortunately%2C%20all%20it%20takes%20is%20one%20weak%20password%20for%20a%20hacker%20to%20get%20access%20to%20your%20corporate%20resources.%20Hackers%20can%20often%20guess%20passwords%20because%20regular%20users%20are%20pretty%20predictable.%20Regular%20users%20create%20easy%20to%20remember%20passwords%2C%20and%20they%20reuse%20the%20same%20passwords%20or%20closely%20related%20ones%20over%20and%20over%20again.%20Hackers%20use%20brute%20force%20techniques%20like%20password%20spray%20attacks%20to%20discover%20and%20compromise%20accounts%20with%20common%20passwords%2C%20an%20attack%20pattern%20%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2018%2F03%2F05%2Fazure-ad-and-adfs-best-practices-defending-against-password-spray-attacks%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20we%20told%20you%20about%20back%20in%20March%20%3C%2FA%3E%20.%3C%2FP%3E%0A%20%20%3CP%3ESo%20today%20I'm%20really%20excited%20to%20announce%20the%20public%20preview%20of%20Azure%20AD%20Password%20Protection%20and%20Smart%20Lockout.%20Azure%20AD%20Password%20Protection%20helps%20you%20eliminate%20easily%20guessed%20passwords%20from%20your%20environment%2C%20which%20can%20dramatically%20lower%20the%20risk%20of%20being%20compromised%20by%20a%20password%20spray%20attack.%20Specifically%2C%20these%20features%20let%20you%3A%3C%2FP%3E%0A%20%20%3COL%3E%0A%20%20%20%3CLI%3E%3CDIV%3EProtect%20accounts%20in%20Azure%20AD%20and%20Windows%20Server%20Active%20Directory%20by%20preventing%20users%20from%20using%20passwords%20from%20a%20list%20of%20more%20than%20500%20of%20the%20most%20commonly%20used%20passwords%2C%20plus%20over%201%20million%20character%20substitution%20variations%20of%20those%20passwords.%3C%2FDIV%3E%0A%20%20%20%3C%2FLI%3E%0A%20%20%20%3CLI%3E%3CDIV%3EManage%20Azure%20AD%20Password%20Protection%20for%20Azure%20AD%20and%20on-premises%20Windows%20Server%20Active%20Directory%20from%20a%20unified%20admin%20experience%20in%20the%20Azure%20Active%20Directory%20portal.%3C%2FDIV%3E%0A%20%20%20%3C%2FLI%3E%0A%20%20%20%3CLI%3E%3CDIV%3ECustomize%20your%20Azure%20AD%20smart%20lockout%20settings%20and%20specify%20a%20list%20of%20additional%20company%20specific%20passwords%20to%20block.%3C%2FDIV%3E%0A%20%20%20%3C%2FLI%3E%0A%20%20%3C%2FOL%3E%0A%20%20%3CH2%20id%3D%22toc-hId-1703031311%22%20id%3D%22toc-hId-1703031311%22%3EWhy%20you%20need%20Azure%20AD%20Password%20Protection%3C%2FH2%3E%0A%20%20%3CH3%20id%3D%22toc-hId--1045639155%22%20id%3D%22toc-hId--1045639155%22%3EBanned%20passwords%3C%2FH3%3EMost%20users%20think%20if%20they%20have%20chosen%20a%20password%20that%20meets%20a%20complexity%20requirement%2C%20something%20like%20P%40%24%24w0rd1!%2C%20they're%20safe%2C%20which%20is%20exactly%20wrong.%20Attackers%20know%20how%20users%20create%20passwords%2C%20and%20there%20are%20three%20general%20rules%20to%20be%20aware%20of.%3CUL%3E%0A%20%20%20%3CLI%3EThey%20know%20to%20account%20for%20character%20substitutions%20like%20%22%24%22%20for%20%22s%22.%20%22P%40%24%24w0rd%22%20isn't%20fooling%20anyone.%3C%2FLI%3E%0A%20%20%20%3CLI%3EThey%20also%20that%20if%20there%20are%20complexity%20rules%2C%20most%20people%20will%20apply%20them%20in%20the%20same%20way%3A%20by%20starting%20a%20word%20with%20a%20capital%20letter%20and%20ending%20the%20password%20with%20a%20digit%20or%20punctuation.%20(Because%20of%20this%20we've%20been%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fresearch%2Fpublication%2Fpassword-guidance%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20recommending%20doing%20away%20with%20complexity%20rules%20%3C%2FA%3E%20%2C%20and%20the%20%3CA%20href%3D%22https%3A%2F%2Fpages.nist.gov%2F800-63-3%2Fsp800-63b.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%20latest%20NIST%20recommendations%20agree%20%3C%2FA%3E%20.)%3C%2FLI%3E%0A%20%20%20%3CLI%3EThey%20know%20that%20requiring%20users%20to%20change%20their%20passwords%20periodically%20leads%20to%20other%20predictable%20patterns.%20For%20instance%2C%20if%20users%20have%20to%20change%20their%20password%20every%20quarter%2C%20they%20frequently%20pick%20passwords%20based%20on%20sports%20teams%2C%20months%20or%20seasons%20and%20combine%20them%20with%20the%20current%20year.%3C%2FLI%3E%0A%20%20%3C%2FUL%3EThe%20fix%20to%20all%20of%20this%20is%20to%20apply%20a%20banned%20password%20system%20when%20users%20change%20their%20passwords%2C%20like%20Azure%20AD%20Password%20Protection.%20This%20is%20both%20the%20NIST%20recommendation%20and%20what%20we%20do%20in%20the%20cloud%20for%20Microsoft%20accounts%20and%20Azure%20AD%20accounts.%20Today's%20public%20preview%20gives%20you%20both%20the%20ability%20to%20do%20this%20in%20the%20cloud%20and%20on-premises%E2%80%94wherever%20your%20users%20change%20their%20passwords%E2%80%94and%20unprecedented%20configurability.%20All%20this%20functionality%20is%20powered%20by%20Azure%20AD%2C%20which%20regularly%20updates%20the%20databased%20of%20banned%20passwords%20by%20learning%20from%20billions%20of%20authentications%20and%20analysis%20of%20leaked%20credentials%20across%20the%20web.%20By%20checking%20all%20the%20password%20set%20or%20reset%20operations%20for%20your%20organization%2C%20password%20protection%20ensures%20that%20only%20passwords%20meeting%20your%2C%20and%20our%2C%20standards%20exist%20in%20your%20directory.%20Azure%20AD%20Password%20Protection%20also%20provides%20an%20integrated%20admin%20experience%20to%20control%20checks%20for%20passwords%20in%20your%20organization%2C%20in%20Azure%20and%20on-premises.%20%3CEM%3E%20Please%20note%3A%20Azure%20AD%20Premium%20Password%20Protection%20is%20an%20Azure%20AD%20Premium%201%20feature.%20%3C%2FEM%3E%3CH3%20id%3D%22toc-hId-697171180%22%20id%3D%22toc-hId-697171180%22%3ESmart%20Lockout%3C%2FH3%3ESmart%20lockout%20is%20our%20lockout%20system%20that%20uses%20cloud%20intelligence%20to%20lock%20out%20bad%20actors%20who%20are%20trying%20to%20guess%20your%20users'%20passwords.%20That%20intelligence%20can%20recognize%20sign-ins%20coming%20from%20valid%20users%20and%20treats%20those%20differently%20than%20ones%20that%20attackers%20and%20other%20unknown%20sources.%20This%20means%20smart%20lockout%20can%20lock%20out%20the%20attackers%20while%20letting%20your%20users%20continue%20to%20access%20their%20accounts%20and%20be%20productive.%20Smart%20lockout%20is%20always%20on%20for%20all%20Azure%20AD%20customers%20with%20default%20settings%20that%20offer%20the%20right%20mix%20of%20security%20and%20usability%2C%20but%20you%20can%20also%20customize%20those%20settings%20with%20the%20right%20values%20for%20your%20environment.%20With%20banned%20passwords%20and%20smart%20lockout%20together%2C%20Azure%20AD%20password%20protection%20ensures%20your%20users%20have%20hard%20to%20guess%20passwords%20and%20bad%20guys%20don't%20get%20enough%20guesses%20to%20break%20in.%20%3CEM%3E%20Please%20note%3A%20Azure%20AD%20Smart%20Lockout%20is%20included%20in%20all%20versions%20of%20Azure%20AD%20(including%20those%20versions%20in%20Office365).%20%3C%2FEM%3E%3CH2%20id%3D%22toc-hId--1658472276%22%20id%3D%22toc-hId--1658472276%22%3EGet%20started%20in%20three%20simple%20steps%3C%2FH2%3EBy%20default%2C%20all%20Azure%20AD%20password%20set%20and%20reset%20operations%20for%20Azure%20AD%20Premium%20users%20are%20configured%20to%20use%20Azure%20AD%20password%20protection.%20To%20configure%20a%20custom%20list%20of%20banned%20password%20strings%20for%20your%20organization%20and%20to%20configure%20Azure%20AD%20password%20protection%20for%20Windows%20Server%20Active%20Directory%2C%20follow%20the%20below%20simple%20steps%3A%3CH3%20id%3D%22toc-hId--112175446%22%20id%3D%22toc-hId--112175446%22%3EConfigure%20the%20password%20protection%20for%20your%20tenant%3C%2FH3%3E%0A%20%20%3CP%3EGo%20to%20Azure%20AD%20Active%20Directory%20%26gt%3B%20Security%20%26gt%3B%20Authentication%20Methods.%3C%2FP%3E%0A%20%20%3CP%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F46640i1E83E76C34C88FF0%22%20%2F%3E%3C%2FP%3E%0A%20%20%3CH3%20id%3D%22toc-hId-1630634889%22%20id%3D%22toc-hId-1630634889%22%3ECustomize%20your%20settings%3C%2FH3%3E%0A%20%20%3COL%3E%0A%20%20%20%3CLI%3ESet%20your%20custom%20smart%20lockout%20threshold%20(number%20of%20failures%20until%20the%20first%20lockout)%20and%20duration%20(how%20long%20the%20lockout%20period%20lasts)%3C%2FLI%3E%0A%20%20%20%3CLI%3EEnter%20the%20banned%20password%20strings%20for%20your%20organization%20in%20the%20textbox%20provided%20(one%20string%20per%20line)%20and%20turn%20on%20enforcement%20of%20your%20custom%20list%3C%2FLI%3E%0A%20%20%20%3CLI%3EExtend%20banned%20password%20protection%20to%20Windows%20Server%20Active%20Directory%20by%20enabling%20password%20protection%20in%20Active%20Directory.%20Start%20with%20the%20audit%20mode%2C%20which%20gives%20you%20the%20opportunity%20to%20evaluate%20the%20current%20state%20in%20your%20organization.%20Once%20an%20action%20plan%20is%20finalized%2C%20flip%20the%20mode%20to%20%3CSTRONG%3E%20Enforced%20%3C%2FSTRONG%3E%20to%20start%20protecting%20users%20by%20preventing%20any%20weak%20passwords%20being%20used.%3C%2FLI%3E%0A%20%20%3C%2FOL%3E%0A%20%20%3CP%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F46641i002C9ED9E1BD7D11%22%20%2F%3E%3C%2FP%3E%0A%20%20%3CH3%20id%3D%22toc-hId--921522072%22%20id%3D%22toc-hId--921522072%22%3EInstall%20the%20Azure%20AD%20password%20protection%20proxy%20and%20domain%20controller%20agents%20in%20your%20on-premises%20environment.%3C%2FH3%3E%0A%20%20%3CP%3EDownload%20the%20agents%20from%20the%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fdownloadaadpp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20download%20center%20%3C%2FA%3E%20and%20use%20the%20instructions%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fdeploypasswordprotection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20password%20protection%20deployment%20guide%20%3C%2FA%3E%20.%20Both%20the%20domain%20controller%20agent%20and%20the%20proxy%20agent%20support%20silent%20installation%20which%20can%20be%20leveraged%20using%20various%20deployment%20mechanisms%20like%20SCCM.%3C%2FP%3EThat's%20it!%20You're%20now%20configured%20to%20use%20Azure%20AD%20password%20protection%20across%20Azure%20AD%20and%20on-premises.%20Take%20a%20read%20through%20our%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Faadpasswordprotectiondocs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20detailed%20documentation%20%3C%2FA%3E%20to%20learn%20more%20about%20this%20functionality.%20As%20always%2C%20we're%20eager%20to%20hear%20from%20you!%20Still%20have%20more%20questions%20for%20us%3F%20Email%20%3CA%20href%3D%22mailto%3Aaadppfeedback%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%20aadppfeedback%40microsoft.com%20%3C%2FA%3E%20or%20join%20us%20at%20the%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Faadama%2Finvite%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20Ask%20Me%20Anything%20Session%20%3C%2FA%3E%20for%20Azure%20AD%20password%20protection.%20We%20look%20forward%20to%20hearing%20your%20feedback!%20Best%20regards%2C%20Alex%20Simons%20(Twitter%3A%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FAlex_A_Simons%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%20%40Alex_A_Simons%20%3C%2FA%3E%20)%20Director%20of%20Program%20Management%20Microsoft%20Identity%20Division%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-245423%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20CloudBlogs%20on%20Jun%2C%2019%202018%20Howdy%20folks%2C%20Many%20of%20you%20know%20that%20unfortunately%2C%20all%20it%20takes%20is%20one%20weak%20password%20for%20a%20hacker%20to%20get%20access%20to%20your%20corporate%20resources.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-245423%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EProduct%20Announcements%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Jul 24 2020 01:56 AM
Updated by: