Hi everyone! It's been a long time, but Graeme Bray here with you to talk about an Azure Monitor workbook you can deploy in your environment to help you report on your Azure AD Password Protection. You are running AAD Password Protection, right? If you have Azure AD P1 or P2 for your users, you're licensed for it, and it extends the exact same password protection from Azure AD to your on-premises environment. That's great, because if a user tries to reset their password via Azure AD or via Active Directory, they have the same password requirements.
Either way, lets show you what kind of reporting you get.
- Azure AD Password Protection Proxy installed on 1 (or more, ideally) servers in your environment.
- An Azure Subscription with a Log Analytics Workspace
- Domain Controllers on DFS-R for Sysvol replication (this is done, right? If not, follow Ned's post here: Streamlined Migration of FRS to DFSR SYSVOL - Microsoft Community Hub)
- All Domain Controllers installed with Azure AD Password Protection agent
- Domain Controllers onboarded via Azure Arc (or forwarding specific event logs to Azure via another method).
- Azure AD Password Protection Proxy servers onboarded via Azure Arc (or forwarding specific event logs to Azure).
For this blog post, I'm assuming the following:
- You already have Azure AD Password Protection enabled. If you don't, follow the link below. I promise, it's a simple process to follow.
- More Details: Deploy on-premises Azure AD Password Protection - Microsoft Entra | Microsoft Learn
- You have your Domain Controllers onboarded to Azure Arc and the AAD Password Protection Proxy servers onboarded.
- More Details: Azure Arc-enabled servers Overview - Azure Arc | Microsoft Learn
Now, on to what you need to be able to collect the data, then visualize it (the last part is easy, you're going to cheat and steal my work). First, lets show you what it looks like so you can see if you want to continue on.
What's it look like?!
The first screenshot is the landing page for the workbook. It gives a quick overview of the number of attempts in the last X days (set by you, the user) based on data going to the specific Workspace and Subscription.
If you click on a tile, it will give you a list of the Pass/Fail in that specific event type (more details here)
As well as if you click the top failed/audited user, you get more details into their password success/fail attempts.
The second tab (and third) mirror each other in functionality, but are dependent on what setting you have chosen for the tenant audit/enforce option. My examples below will be for a tenant in Enforce mode.
Password Failures provide a timeline view based on attempts hitting specific DCs, and nice timeline, as well as the actual events below.
Rendered description is the specific text from the Event logged, stating what block list that the user hit, either Tenant, Global Azure AD, or the combined list. Examples below:
The changed password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy. UserName: johher FullName: Johan Hernshaw
The reset password for the specified user was rejected because it matched multiple tokens in the combined Microsoft global and per-tenant banned password list of the current Azure password policy. UserName: elidev FullName: Elizabeth Devenish
The changed password for the specified user was rejected because it matched at least one of the tokens present in the Microsoft global banned password list of the current Azure password policy. UserName: wiabre FullName: Wiatt Breckenridge
Finally, the last tab shows the Synchronization Status of both the Proxy(ies) and the Domain Controller agent syncs. These are relatively self-explanatory, but the Proxy agent does a heartbeat sync once every 9-ish hours, and the DCs sync every hour (at most). Anything above that will flag as Unhealthy, and anything above 9 hours will show unhealth for the proxy.
Now, we've gone through everything in the workbook. Your next question is: How do I get this thing?! This looks AWESOME!
That part's easy. First things first:
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Secondly, go to my GitHub page on an Edge profile that you're able to deploy into a Resource Group with. Click the button.
Azure will automatically leverage the data in the ARM template, excluding the "Workspace Name". You need the full Resource ID for this field.
You can get that ResourceID from either the Resource Graph, or on the Resource itself. Navigate to your Log Analytics Workspace, click Properties, and then click the Copy button next to Resource ID:
Finally, without further ado, here's the link to GitHub where you can click the deploy button. Inside the Workbooks folder, there is the ARM template for the DCR+Workbook, an ARM template for the Workbook, the ARM template for the DCR, and the Gallery template for the Workbook.
Azure Monitor Workbooks (github.com)
Okay, I've deployed it, am I done?
Almost. The last thing you need to do is ensure that this Data Collection Rule is associated with every Domain Controller and every AAD Password Protection Proxy machine, or their event forwarder server.
To do that, in the Azure Portal, navigate to "Monitor" then scroll down to Data Collection Rules. Select the recently deployed DCR and then go to "Resources". Click Add and search for all appropriate resources as noted above.
Click <Apply> then data will start to flow in a matter of minutes.
That's it, you're done! Enjoy your workbook and easy reporting on AAD Password Protection.
p.s. - This is possible to accomplish via MMA, but that agent is on an End Of Life path, so details aren't being provided.
Until next time!