Re: Azure AD Password Protection is now generally available!

[401143]
Nice. I like that answer @Rohini Goyal. Thank you. I look forward to seeing how you do so.

[401064]
@Michael Sampson We can definitely do a better job addressing our licensing requirements in product rather than simply relying on documentation. Thanks for the feedback!

[401035]
@Steven Bink Yes, the global list is used by default for all customers, without a given org having to do anything to the custom list. It is mentioned in Microsoft Docs.

[401034]
@Steven Bink that is correct. The global banned list is always in effect for all supported scenarios.

[401032]
Thanks @Rohini Goyal. That's an "interesting" design choice on Microsoft's side to allow a customer to use capability they are not licensed for (and to give no UI prompts / warnings), and then to use the "technically out of license compliance" line. Why this choice, as opposed to trimming functionality to what the customer has licensed for? This is probably a MUCH larger discussion than just AD Password Protection though.

[401024]
@Jay Simmons In the password protection portal it is nowhere mentioned that a Microsoft global ban list is included. Is this in use by default, even without enabling the custom ban list?

Thanks,

Steven

[401002]
Hi @Michael Sampson

Using Azure AD Password Protection does require having an Azure AD P1 or P2 license. Although Azure portal may allow you to access and configure the page without having a premium license, you will technically be out of license compliance.

[400611]
Hi Alex, banned password is a great feature. To the question of @CDubbs: along with the recommendations of the password guidance it would make sense that common tokens are localized.

[394561]
Hi @HideyukiSekiya,

MFA support (for the Register-Proxy and Register-Forest cmdlets) was not available in the initial public preview release on 6/15/2018. MFA support was added in the first public preview update (version 1.2.10.0) on 8/17/2018 - see the release description here (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-agent-versions#12100) - and has been supported ever since.

I will also point out something that has changed from the earlier public preview days: the Register-Proxy and Register-Forest cmdlets each now support three different authentication “modes”: interactive (authentication dialog pops up), device code (for UI-less platforms like Windows Server Core), and silent (password-based). The first two will work fine with MFA-required accounts, the last one does not (but the last one is mainly intended for testing purposes anyway).

hth,
Jay

[394413]
MFA was not supported when this feature was in public preview. How will MFA support change as this feature is made publicly available?

[394261]
Alex - given the list of custom banned passwords is really a list of custom banned *words* that can't be used in a password (subject to the complexity rule), why is the section and field called what it is? "Custom banned words" and "Custom banned word list" would more accurately reflect the reality, IMO.

[394243]
Alex (why can't I at mention your user name?) - The Docs page says that licensing is Azure AD P1 or P2 to use the custom banned list. I see the settings page in my Office 365 E3 and Office 365 E5 tenants (two separate ones), and I can enter words in the list and save the list, although my two tenants don't have P1 or P2. There's no warning that the words won't be enforced because of the lack of P1 and P2. Is this expected behaviour?

[394035]
Hey @CDubbs

The list does contain a few international words but the majority of the list is English common passwords and character patterns. The primary goal of the global banned password list is to protect all users from the most common passwords bad actors use during attacks.

[394020]
Hey Alex. Is the word list you're using international, or is this currently configured for American English common passwords?

[393881]
@Jay Simmons Thanks for the reply, I just noticed that in the document and changed my comment, but you were quicker lol.

[393879]
Hi @Rohini Goyal,

Thanks for your reply! I also am no fan of security theater...I'd put frequent password expiration (anything <120 days) highest on that list. However, we also have to make regulators and auditors happy, and I was hoping to kill two birds with one stone here.

I understand the primary purpose of this tool is to block password spray attacks, but I would urge you to consider letting us play with the required points score. This is because many of us are interested in applying the latest NIST guidance to drop complexity requirements and periodic expiration, *provided* we can also tweak the length requirements and block against a banned password list.

This solution is getting us soooo very close to that point, I think giving us the ability to tweak the score would just make this product so much more valuable. And to be clear, I'm not looking to plug anything ridiculous like 20, just bumping it up to 7 or 8 would make it perfect.

Fingers crossed!

Carlos

[393870]
Hi @lance1978,

The custom banned password list supports 1000 tokens. Please see this link (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-configure) in the docs.

Note that you may want to also review the algorithm details which are documented on this page (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad). If overall size of the list is a concern, you don't want to waste entries in your custom banned password list by adding tokens which are highly duplicative or overlapping. Understanding the algorithm details makes it possible to better leverage the custom banned password list.

hth,
Jay

[393865]
Hi @Bjarne Abraham,

The DC agent installer has supported in-place upgrade for quite a while. If you already have an earlier version installed, just run the GA DC agent installer over the top of the older one - it will still require one reboot, but not two.

Jay

[393858]
Thumbs UP! It's a good start.

[393716]
Hi Alex

It stated that "Preview customers MUST update the agents to the latest version (1.2.116.0 or higher) immediately."

According to the installation guide, then the domain controllers must be rebooted when the agent is installed. But will the GA build autodetect the old client and update it or do we need to uninstall, reboot, install and reboot before we are able to use the GA version?

[393309]
Why keep wasting time on tackling a symptom or the problem, when the actual problem is the existence of passwords in the first place...get rid of them. I should not have to remember any passwords. I want to go password-less.

The amount of total time wasted by everyone writing down username/password site combinations in a password manager, Excel file, or whatever is getting pretty ridiculous and the fact that we are still doing this and losing billions to this type of fraud in 2019 baffles me.

MS/Google/Apple and the rest need to start an industry push to support FIDO U2F with hardware wallets (i.e. a Ledger or equivalent) and blockchain. I should be able to have something on my keyring and be able to login to any computer or website without ever needing to remember my password. I should be able to use a single token for ALL my logins. I'm pretty sure you can have fingerprint/PIN on top and just invalidate the token if it is ever lost or stolen (and keep the seed restore password somewhere safe like a safe).

I think there's a Windows 10 login app that technically allows you to login password-less but it's only in beta. But we need all the large IT companies to support password-less FIDO U2F as an OPTION so at least it's there for the security conscious that want to use it. Banks are ironically the worst at this, most only send OTP via SMS...

[393244]
Hi Craig,

This is something that has been brought to our attention a few times. Staff members tend to have access to more privileged information and should absolutely have strong account security, but it's harder for younger students to configure complex passwords. However, gaining access to a student account can be just as bad, which is why we don't recommend having separate policies for different user groups. That said, we would love to hear more about your scenario, and if you're looking to discuss this further, please reach out to aadppfeedback@microsoft.com.

If your staff members are admins on the tenant and you would like to add an extra level of security for them, I would recommend enabling Baseline Protection: Require MFA for Admins (more information here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/baseline-protection). This will require MFA for your tenant administrators (or staff members) alongside having a strong password with Password Protection.

[393217]
Any suggestion for us. We're a school district. We have two distinct users. Staff and Students. Staff need strong passwords (and MFA). Students need simpler passwords without MFA. Any suggestions or possibility to have this feature offer differentiated support for our different user groups. Simplest would be to exclude students from Password Protection - but I can't. It's all or nothing. Next best might be to set a different 'score' for the user groups.

thanks

[393198]
Hey Carlos,

Great Questions!

Let me start by saying - this feature is really all about preventing password guessing. Attacks like phishing, keystroke logging, and third party breach are really password independent, and database breaking (e.g. getting an offline copy of the data for brute forcing) is a completely different sort of threat. So focusing now on password guessing - most of this is done today via low-and-slow attacks across multiple customers and tens of thousands of accounts, but using only a few passwords (we typically detect and shut down the attack very quickly, and rate limiting and lockout technologies provide further friction to attackers).

So: we are trying to keep your users from having passwords that can be guessed.

1. [Can you change # of points required] We have looked at it, but our focus right now is ensuring that the algorithm we use defeats *all* guessing attacks as described above. We have been working with the red teams of some great preview customers to help us get this right. Rather than asking you to tweak the algo, we want to just do it right. If the current thresholds aren't doing the trick, we'd rather make it stronger for *everyone* (without adding friction just for "security theater"). We’ve updated the global banned password list and the banned password algorithm many times during the course of public preview. These changes will help expand the set of passwords being blocked. But if you are finding that there are patterns/guesses that the current algo isn't blocking, we would LOVE for you to reach out to us here or DM our GPM Alex Weinert on Twitter (@alex_t_weinert), so that we can tune it further.

2. [How does it work?] In a nutshell, what we are doing is analyzing our current attackers' patterns and maintaining a shorter (~2000 word) base banned word list. From there, we normalize for case and common substitutions (so "P@$$w0rD" becomes "password") and ban all of those permutations. Any matches here are collapsed for point value, so while you can use a string like password or 123 in a password, there has to be enough entropy around it to make it a valid password, e.g. "123asd*%spasswordV$" would be allowed. The algorithm is fully outlined here (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#global-banned-password-list). We don’t need to have every single weak password combination in the global list because the algorithm will take care of that for us. Additionally, blocking all passwords previously seen for any user is problematic – users will get frustrated coming up with a password no-one else has ever thought of.

Broadly, I think that excessively strict rules do harm, not good - you are forcing people to rely on cut and paste, killing usability, etc. What we really need is client device bound credentials which use PKI to transmit non-replayable, cryptographically strong nonces for login and break the back of all of these password vulnerabilities (FIDO2!) - in the meantime, we want to prevent password guessing without generating unnecessary user friction. Check out https://aka.ms/passwordguidance
oopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Fpasswordguidance%3C%2FA%3E%20for%20the%20studies%20that%20back%20this.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3ERohini%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-393171%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-393171%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20a%20fantastic%20solution%20and%20will%20really%20help%20customers%20to%20enforce%20stronger%20passwords%2C%20until%20the%20day%20we%20can%20completely%20remove%20passwords%20%3B)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-393137%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-393137%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53477%22%20target%3D%22_blank%22%3E%40Alex%20Simons%20(AZURE)%3C%2FA%3E%2C%20congrats%20on%20this%20going%20GA!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETwo%20questions%3A%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20%3CEM%3EWill%20we%20ever%20be%20able%20to%20play%20with%20the%20weak%20password%20cutoff%20and%20set%20a%20value%20higher%20than%205%20points%3F%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20really%20like%20to%20set%20something%20higher%20and%20align%20with%20the%20on-prem%20password%20length%20policy.%20I%20can't%20wait%20to%20turn%20off%20password%20complexity%2C%20but%20I%20don't%20feel%20comfortable%20doing%20that%20unless%20I%20can%20also%20make%20AAD%20Password%20Pro
tection%20a%20bit%20stricter%20on%20password%20strength.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20the%20latest%20guidance%20(at%20least%20from%20NIST)%20is%20telling%20us%20to%20focus%20on%20length%20and%20ignore%20complexity%2C%20but%20the%20third%20leg%20of%20the%20stool%20NIST%20talks%20about%20is%20checking%20against%20a%20banned%20password%20list.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20%3CEM%3EWill%20we%20be%20able%20to%20get%20more%20color%20on%20the%20global%20banned%20password%20list%3F%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20it%20seems%20a%20lot%20of%20other%20people%20do%20is%20pull%20in%20the%20HIBP%20list%20(like%20on%20Github!)%2C%20which%20we%20know%20has%20hundreds%20of%20millions%20of%20password%20hashes%20to%20check%20against.%20Clearly%20you're%20doing%20something%20quite%20different%20for%20the%20global%20banned%20password%20list%2C%20because%20instead%20of%20dropping%2010GB%20of%20hashes%20on%20my%20SYSVOL%20share%2C%20I%20only%20see%20100KB%20of%20data%20in%20the%20PasswordPolicies%20folder.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20would%20be%20really%20helpful%20if%20we%20can%20get%20some%20color%20on%20what's%20happening%20under%20the%20hood.%20I%20understand%20you%20can't%20share%20any%20content%20of%20the%20lists%2C%20and%20clearly%20the%20normalizing%20technique%20dramatically%20reduces%20the%20data%20you%20need%20to%20look%20at%20vs%20password%20hashes%20which%20need%20to%20have%20every%20possible%20variation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20basically%2C%20can%20you%20tell%20us%20a%20bit%20more%20than%20this%3F%20(from%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-password-ban-bad%23global-banned-password-list%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%2
0noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-password-ban-bad%23global-banned-password-list%3C%2FA%3E)%3C%2FP%3E%3CUL%3E%3CLI%3E%3CEM%3ETherefore%20the%20Azure%20AD%20Identity%20Protection%20team%20continually%20look%20for%20commonly%20used%20and%20compromised%20passwords.%20They%20then%20block%20those%20passwords%20that%20are%20deemed%20too%20common%20in%20what%20is%20called%20the%20global%20banned%20password%20list.%26nbsp%3B%3C%2FEM%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again!%20We%20have%20been%20waiting%20for%20this%20to%20go%20GA%20for%20a%20while...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-417401%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-417401%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20idea%20what%20are%20these%20Forest%20Entropy%20objects%20in%20our%20config%20partition%3F%20These%20objects%20were%20not%20there%20after%20initial%20deployment.%20They%20showed%20up%20after%20we%20installed%20DC%20Agents%20to%20large%20number%20of%20domain%20controllers.%20Anybody%20else%20seeing%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20434px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F106375iC8D
119017E6B51F9%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Capture.PNG%22%20title%3D%22Capture.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-417527%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-417527%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160485%22%20target%3D%22_blank%22%3E%40Jay%20Simmons%3C%2FA%3E%26nbsp%3BCan%20current%20passwords%20be%20assessed%3F%20Microsoft%20now%20suggest%20to%20not%20expire%20passwords%2C%20so%20would%20be%20nice%20if%20these%20passwords%20can%20be%20checked%20with%20current%20banned%20lists.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESteven%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-418635%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-418635%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Steven%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPasswords%20are%20only%20assessed%20when%20a%20user%20changes%20or%20resets%20their%20password.%20Current%20passwords%20aren't%20assessed%20as%20of%20today%2C%20but%20we're%20looking%20into%20expanding%20Password%20Protection%20so%20that%20current%20passwords%20are%20checked%20as%20well.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-448869%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-448869%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20unable%20to%20make%20any%20changes%20to%20Password%20Protection%20Settings%20-%20they%20are%20greyed%20out.%20I'm%20logged%20in%20as%20a%20
Global%20Admin.%20We%20are%20a%20non-profit%20using%20Azure%20to%20Sync%20Office%20365%20with%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20Ideas%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-455933%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-455933%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58809%22%20target%3D%22_blank%22%3E%40Brajesh%20Panda%3C%2FA%3E%20%2C%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20
text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3EThe%20presence%20of%20multiple%20Forest%20Entropy%20objects%20looks%20like%20a%20minor%20but%20fairly%20benign%20bug%20-%20thanks%20for%20reporting%20this.%20%26nbsp%3B%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EThese%20objects%20are%20used%20to%20contain%20a%20random%3C%2FSPAN%3E%20piece%20of%20entropy%20that%20is%20used%20by%20all%20of%20the%20DC%20agents%20across%20the%20forest.%26nbsp%3B%20If%20you%20installed%20multiple%20DC%20agents%20around%20the%20same%20time%2C%20the%20possibility%20does%20exist%20that%20multiple%20of%20these%20would%20get%20created%3B%26nbsp%3B%20the%20bug%20is%20that%20we%20don't%20auto-delete%20the%20extra%20ones.%26nbsp%3B%20For%20now%2C%20please%20feel%20free%20to%20manually%20delete%20all%20but%20one%20of%20them.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%
20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3Ethx%2C%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3EJay%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-460251%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-460251%22%20slang%3D%22en-US%22%3EHi%2C%20is%20there%20any%20reason%20to%20go%20for%20the%20Windows%20Server%20Active%20Directory%20integration%20if%20Password%20Hash%20Syncronisation%20and%20Password%20Writeback%20is%20enabled%20and%20users%20are%20mainly%20changing%20their%20password%20in%20Azure%3F%20When%20changing%20the%20password%20in%20Azure%2C%20both%20the%20on-premise%20password%20policy%20(thanks%20to%20Password%20Writeback)%20and%20the%20Password%20Protection%20algorithm%20will%20be%20used%2C%20am%20I%20right%3F%20Sebastian%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-
sub-462274%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-462274%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F320393%22%20target%3D%22_blank%22%3E%40meilrich%3C%2FA%3E%26nbsp%3BWhat%20license%20do%20you%20have%20for%20your%20tenant%3F%20Using%20Password%20Protection%20requires%20having%20a%20paid%20AAD%20or%20any%20equivalent%20license%20that%20grants%20you%20Azure%20AD%20P1.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-469033%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-469033%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160476%22%20target%3D%22_blank%22%3E%40Rohini%20Goyal%3C%2FA%3E%26nbsp%3Bwe're%20using%20Azure%20AD%20Connect%20to%20sync%20with%20our%20office%20365%20account.%20We%20have%20non-profit%20subscriptions%2C%20so%20my%20guess%20is%20this%20not%20available%20to%20us.%20Too%20bad!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-469220%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-469220%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F320393%22%20target%3D%22_blank%22%3E%40meilrich%3C%2FA%3E%26nbsp%3BIf%20Azure%20AD%20Connect%20is%20pushing%20a%20password%20from%20Windows%20Server%20AD%20to%20Azure%20AD%2C%20then%20my%20sense%20would%20be%20the%20fundamental%20problem%20is%20not%20licensing%20(that's%20probably%20an%20issue%20too)%2C%20but%20rather%20Azure%20AD%20never%20assesses%20the%20password%20because%20that%20is%20set%
20in%20Windows%20Server%20AD%20and%20then%20pushed%20%2F%20one-way%20synced%20to%20Azure%20AD.%20With%20the%20right%20licensing%20AND%20the%20installation%20of%20agents%20on%20Windows%20Server%20AD%2C%20the%20list%20of%20words%20in%20the%20banned%20passwords%20list%20can%20be%20checked%20first%20by%20Windows%20Server%20AD%2C%20and%20then%20synced%20up%20to%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20look%20forward%20to%20hearing%20the%20authoritative%20answer%20from%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160476%22%20target%3D%22_blank%22%3E%40Rohini%20Goyal%3C%2FA%3E%26nbsp%3Bthough.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-486120%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-486120%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI%20have%20an%20issue%20with%20Azure%20Password%20Protection.%20In%20fact%2C%20the%20proxy%20service%20is%20showing%20the%20event%2010005.%20%22System.Net.WebException%3A%20Cannot%20connect%20to%20the%20remote%20server%20----%26gt%3B%20System.Net.Sockets.SocketException%3A%20No%20connection%20established%20with%20the%20target%20computer%20.....%2020.190.129.2%3A443%3C%2FP%3E%3CP%3ESystem.Net.Socket.Socket.EndConnect(IAsyncResult%20asyncResult)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20Sysvol%20the%20Azure%20Password%20Protection%20folders%20still%20Empty%20!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20Help%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-486142%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-486142%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F328260%22%20target%3D%22
_blank%22%3E%40MaherRiahi%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20are%20running%20the%20AADPP%20proxy%20server%20behind%20a%20firewall%2C%20please%20make%20sure%20the%20appropriate%20ports%20and%20names%20are%20opened%20up.%26nbsp%3B%20%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EAlso%2C%20please%20make%20sure%20TLS%201.2%20is%20supported%20between%20the%20AADPP%20proxy%20server%20and%20the%20outside%20network%20-%20that%20is%20another%20cause%20of%20this%20issue.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EJay%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-486228%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-486228%22%20slang%3D%22en-US%22%3E%3CP%3EIt%
20is%20great%20to%20see%20Microsoft%20finally%20implement%20a%20password%20filter%20for%20AD.%26nbsp%3B%20I%20have%20enabled%20the%20feature%20in%20a%20test%20tenant%20and%20a%20test%20On%20Prem%20Domain%20Controller%2C%20it%20was%20fairly%20straightforward%20to%20do%20as%20the%20documentation%20is%20comprehensive%20and%20easy%20to%20follow.%3C%2FP%3E%3CP%3EIt%20would%20be%20good%20to%20see%20the%20feature%20extended%20to%20include%20the%20ability%20to%20define%20the%20character%20set%20that%20constitutes%20Complex%20Passwords.%26nbsp%3B%20I've%20seen%20that%20requested%20a%20number%20of%20times%20over%20the%20years%20and%20indeed%20implemented%203rd%20party%20products%20to%20allow%20that.%3C%2FP%3E%3CP%3EGreat%20work!%20(although%20I%20do%20also%20agree%20with%20the%20contributor%20saying%20that%20we%20should%20be%20moving%20away%20from%20passwords%20now%2C%20but%20that%20will%20still%20take%20more%20time...)%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-486658%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-486658%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F33663%22%20target%3D%22_blank%22%3E%40Alastair%20Cain%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20the%20feedback.%20We'll%20take%20this%20into%20account%20for%20future%20updates%20to%20Password%20Protection.%20We're%20glad%20you're%20using%20Password%20Protection%20and%20found%20that%20the%20documentation%20was%20easy%20follow.%20That%20said%2C%20if%20you%20have%20any%20suggestions%20or%20pointers%20we%20should%20add%20to%20the%20documentation%20to%20make%20it%20easier%20to%20deploy%2C%20let%20us%20know!%20We're%20always%20looking%20for%20ways%20to%20improve%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E
Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-502519%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-502519%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3Eone%20question%20relating%20to%20the%20normalization%20applied%20during%20the%20password%20normalization%20and%20its%20documentation%20at%20%5B1%5D%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20documentation%20mentions%20that%20%221%22%20will%20be%20substituted%20with%20%22l%22%20(lower%20case%20L%2C%20step%201).%20In%20the%20consecutive%20steps%2C%20the%20digit%201%20is%20not%20substituted%20by%20a%20lower%20case%20L%20and%20in%20the%20case%20of%20the%20password%20%22%3CSPAN%3EC0ntos0Blank12%3C%2FSPAN%3E%22%2C%20normalized%20to%20%22%3CSPAN%3Econtosoblank12%22%20is%20counted%20towards%20the%20score%20of%20a%20password.%20Should%20this%20not%20be%20normalized%20to%20%22CONTOSOBLANKL2%22%20(just%20for%20illustration%20in%20uppercase)%3F%20While%20this%20example%20is%20still%20rejected%2C%20other%20password%20examples%20might%20lead%20to%20different%20outcomes%20if%20the%201%2FL%20makes%20a%20difference%20between%20a%20score%20of%204%20or%205...%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20also%20cross-posted%20this%20on%20the%20documentation%20feedback%20%2F%20issue%20tracker%20%5B2%5D%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%5B1%5D%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-password-ban-bad%23how-are-passwords-evaluated%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20norefe
rrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-password-ban-bad%23how-are-passwords-evaluated%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%5B2%5D%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F30326%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F30326%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-503239%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-503239%22%20slang%3D%22en-US%22%3E%3CP%3EGreat!%3C%2FP%3E%3CP%3EI%20was%20using%20it%20but%20I%20didn't%20Know%20that%20I%20would%20need%20to%20install%20an%20agent.%20Now%20I%20know%20why%20I%20was%20stucked%20and%20thing%20that%20wasn't%20working%20properly.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-548042%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-548042%22%20slang%3D%22en-US%22%3E%3CP%3ENIST%20800-53%2C%20Control%20IA-5%20(1)(b)%20states%20we%20need%20to%20enforce%20a%20minimum%20number%20of%20character%20changes%20when%20passwords%20are%20created.%20This%20can%20be%20done%20on-prem%20with%20password%20filters%2C%20but%20how%20would%20we%20comply%20with%20this%20requirement%20in%20Azure%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-377487%22%20slang%3D%22en-US%22%3EAzure%20AD%20
Password%20Protection%20is%20now%20generally%20available!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-377487%22%20slang%3D%22en-US%22%3E%3CP%3EHowdy%20folks!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMany%20of%20you%20have%20already%20been%20using%20Azure%20AD%20Password%20Protection%20in%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-Identity%2FAzure-AD-Password-Protection-and-Smart-Lockout-are-now-in-Public%2Fba-p%2F245423%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Epublic%20preview%3C%2FA%3E.%20Azure%20AD%20Password%20Protection%20allows%20you%20to%20eliminate%20easily%20guessed%20passwords%20and%20customize%20lockout%20settings%20for%20your%20environment.%20Using%20it%20can%20significantly%20lower%20the%20risk%20of%20compromise%20by%20a%20%3CA%20href%3D%22https%3A%2F%2Fmyignite.techcommunity.microsoft.com%2Fsessions%2F64568%3Fsource%3DTechCommunity%23ignite-html-anchor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Epassword%20spray%20attack%3C%2FA%3E.%20Best%20part%2C%20it%E2%80%99s%20available%20for%20both%20cloud%20and%20hybrid%20environments.%20We%E2%80%99d%20like%20to%20thank%20all%20the%20customers%20who%20have%20tried%20the%20preview%20and%20provided%20us%20valuable%20feedback.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EToday%2C%20I%E2%80%99m%20excited%20to%20announce%20this%20feature%20is%20now%20generally%20available!%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20help%20users%20avoid%20choosing%20weak%20and%20vulnerable%20passwords%2C%20we%20updated%20the%20banned%20password%20algorithm.%20Using%20the%20global%20banned%20password%20list%20that%20Microsoft%20updates%20and%20the%20custom%20list%20you%20define%2C%20Azure%20AD%20Password%20Protection%20now%20blocks%20a

Howdy folks!

Many of you have already been using Azure AD Password Protection in public preview. Azure AD Password Protection allows you to eliminate easily guessed passwords and customize lockout settings for your environment. Using it can significantly lower the risk of compromise by a password spray attack. Best part, it’s available for both cloud and hybrid environments. We’d like to thank all the customers who have tried the preview and provided us valuable feedback.

Today, I’m excited to announce this feature is now generally available!

To help users avoid choosing weak and vulnerable passwords, we updated the banned password algorithm. Using the global banned password list that Microsoft updates and the custom list you define, Azure AD Password Protection now blocks a wider range of easily guessable passwords.

Read our detailed documentation to learn more about how password strength is evaluated and how Azure AD Password Protection can help block weak passwords in your organization.

Getting started

Azure AD Password Protection can easily be configured from the Azure AD portal. First, sign in to the Azure portal with a global administrator account. Next, navigate to Azure Active Directory and then to the Authentication methods blade, where you’ll see Password protection, as shown below:

[Image: Azure AD Password protection 1.jpg]

Configure Azure AD Password Protection

  1. Customize your smart lockout threshold (number of failures until the first lockout) and duration (how long the lockout period lasts).
  2. Enter the banned password strings for your organization in the textbox provided (one string per line) and turn on enforcement of your custom list. We strongly recommend this for all customers that have multiple brands and products that their users identify with.
  3. Extend banned password protection to your Active Directory by enabling Password Protection for Windows Server Active Directory. Start with audit mode, which runs Password Protection in “what if” mode. Once you’re ready to enforce Password Protection, flip the mode to Enforced to start protecting users by preventing weak passwords from being used.

Note: All synced users must be licensed to use Azure AD Password Protection for Windows Server Active Directory.

Protecting your on-premises environment

To use Azure AD Password Protection on your Windows Server Active Directory, download the agents from the download center and follow the instructions in the Password Protection deployment guide.

Once a global administrator has enabled Password Protection for Windows Server Active Directory, security administrators can take it from there and complete the registration for both proxy agents and Active Directory forests. Both the domain controller agent and the proxy agent support silent installation that can be leveraged using various deployment mechanisms like SCCM.

Note: Preview customers MUST update the agents to the latest version (1.2.125.0 or higher) immediately. The current agents will stop working after July 1, 2019.
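
One way to script the silent installation, registration, agent-version check and audit-mode review described above, as an added example that is not code from this post. The installer and cmdlet names are those of Microsoft's Azure AD Password Protection agents and the AzureADPasswordProtection PowerShell module; the staging folder, the account name and the three function names are assumptions.

```powershell
# Added example. Placeholder values, adjust for your environment:
$Staging  = 'C:\Install\AADPP'                # assumed folder holding the downloaded installers
$AdminUpn = 'admin@contoso.onmicrosoft.com'   # placeholder account used for registration
$MinAgent = [version]'1.2.125.0'              # minimum agent version stated in the post

# 1. On the server that hosts the proxy service: silent install, then register
#    the proxy and the forest (forest registration is needed once per forest).
function Install-AadppProxy {
    Start-Process -FilePath "$Staging\AzureADPasswordProtectionProxySetup.exe" `
                  -ArgumentList '/quiet' -Wait
    Import-Module AzureADPasswordProtection
    Register-AzureADPasswordProtectionProxy  -AccountUpn $AdminUpn
    Register-AzureADPasswordProtectionForest -AccountUpn $AdminUpn
}

# 2. On each domain controller: silent MSI install. The password filter DLL is
#    only loaded at boot, so /norestart leaves the reboot to your change window.
function Install-AadppDcAgent {
    $msi  = "$Staging\AzureADPasswordProtectionDCAgentSetup.msi"
    $proc = Start-Process msiexec.exe -Wait -PassThru `
                -ArgumentList "/i `"$msi`" /quiet /qn /norestart"
    # 0 = success, 3010 = success, restart required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "DC agent install failed with exit code $($proc.ExitCode)"
    }
}

# 3. While in audit mode: list agents below the required version and show how
#    many password changes/sets would have been rejected, per domain controller.
function Get-AadppReadiness {
    Import-Module AzureADPasswordProtection
    $outdated = Get-AzureADPasswordProtectionDCAgent |
        Where-Object { [version]$_.SoftwareVersion -lt $MinAgent }
    $audit = Get-AzureADPasswordProtectionSummaryReport |
        Select-Object DomainController, PasswordChangesValidated,
                      PasswordChangeAuditOnlyFailures, PasswordSetAuditOnlyFailures
    [pscustomobject]@{ OutdatedAgents = $outdated; AuditResults = $audit }
}
```

A non-empty OutdatedAgents list, or audit-only failure counts that users have not yet been told about, are both reasons to hold off on switching the mode to Enforced.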


As always, we're eager to hear from you! Still have more questions for us? Email aadppfeedback@microsoft.com. We look forward to hearing your feedback!

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

54 Comments
Senior Member

Yes it does. We are implementing in a DEV forest and I'm making some notes what to look for as we walk through the setup. Thx!

Microsoft

Glad to hear that.

One quick note for anyone else who may be reviewing this blog post and still has questions. We can also answer ad-hoc inquiries over email using the aadppfeedback@microsoft.com alias. That option may be easier and more efficient than back-and-forth'ing in the comment section.

Jay Simmons

Occasional Visitor

I have a question on the requirements side of things. Can this function operate with the use of a 3rd party AD synchronization tool? I thought I read somewhere that the password protection has to have AD Connect (or whatever the flavor is at the current state). Our security team is pushing to use Okta as the Directory sync product for our Hybrid environment. Can I get a confirmation of what the specific requirements are in relation to the synchronization methods in regards to user/directory synchronization to support the password protection functions?

Microsoft

Hi @EricBender,

The on-premises behavior of Azure AD Password Protection does not have any dependency on which specific synchronization tool is being used. So while I cannot recommend using Okta in your environment, it should not block or interfere with AADPP.

thx,

Jay