I travel a lot in Italy, and many times I see multiple customers that are asking for the same requests. One request is the possibility to block some specific passwords in Active Directory. Unfortunately too many users have BAD habits and use the company name in the password field for example. In those cases, the Security team wants to block some easy and well known passwords.
In Active Directory you can Enable some GPO that can help you to implement strong password, like:
However, with a minimum password length of 8 chars and these GPOs, we unfortunately can't avoid the use of some well known Passwords like:
"P@$$w0rd" or "Pippo01!"
Azure AD Password Protection is finally what we need to enhance the password policies in your organization. With this feature, you can use the same checks for passwords in AzureAD on your on-premises Active Directory implementation. You can enforce both the Microsoft Global Banned Passwords and Custom banned-passwords list stored in Azure AD tenant.
What are the Design Principles?
Azure AD Password Protection is based on multiple design principles available here, but I would like to emphasize some of the most important ones:
How does it work?
The Azure Password policies are stored in Sysvol as shown here:
It is not necessary that all the DCs are able to comunicate with the Azure AD Password Protection Proxy Server, if you have a very complex Active Directory environments, you can configure a minimum of one DC per domain to be able to connect to the AAD Password Protection Proxy Servers, and the other DCs will take the new policy from the Sysvol replication. However, on these DCs you will see some warning of this type:
Log Name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
Source: Microsoft-AzureADPasswordProtection-DCAgent
Date: 15/05/2019 23:37:39
Event ID: 30018
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: ITDC01.IT.CONTOSO.COM
Description:
One or more Azure AD Password Protection Proxy servers were found in the forest but this machine was unable to establish network connectivity to any of them.
This operation will be run periodically and may succeed in future attempts
This may be an expected and benign condition depending on how the network environment is configured.
This domain controller may be able to obtain updated password policies via sysvol replication if other domain controllers do have proxy connectivity.
How can I deploy the Azure AD Password Protection?
The following is a an example of a simple scenario to understand how-to deploy this feature:
Download the Azure AD Password Protection software (Proxy and DC Agent):
PS C:\> Get-Command -Module AzureADPasswordProtection CommandType Name ModuleName ----------- ---- ---------- Function Get-AzureADPasswordProtectionSummaryReport AzureADPasswordProtection Cmdlet Get-AzureADPasswordProtectionDCAgent AzureADPasswordProtection Cmdlet Get-AzureADPasswordProtectionProxy AzureADPasswordProtection Cmdlet Get-AzureADPasswordProtectionProxyConfiguration AzureADPasswordProtection Cmdlet Register-AzureADPasswordProtectionForest AzureADPasswordProtection Cmdlet Register-AzureADPasswordProtectionProxy AzureADPasswordProtection Cmdlet Set-AzureADPasswordProtectionProxyConfiguration AzureADPasswordProtection
Set-AzureADPasswordProtectionProxyConfiguration –StaticPort <portnumber>This command must be executed on each proxy Server, and require the restart of the Proxy Service.
Register-AzureADPasswordProtectionProxy -AccountUpn 'admin@<yourtenant>.onmicrosoft.com'This registration of the Proxy Service is necessary only one time, for the first authentication on the tenant.
# IF YOU ARE CONNECTED TO THE PROXY SERVER WITH ADMIN CREDENTIAL # OF THE ROOT DOMAIN, THEN YOU CAN USE THIS COMMAND: Register-AzureADPasswordProtectionForest -AccountUpn 'admin@<yourtenant>.onmicrosoft.com' # OTHERWISE YOU CAN SPECIFY THE ROOT DOMAIN CREDENTIALS: Register-AzureADPasswordProtectionForest -AccountUpn 'admin@<yourtenant>.onmicrosoft.com' -ForestCredential $(Get-Credential)This command require the a Global Admin of the tenant and a Domain Admins of the Root Domain.
NOTE: keep in mind that when you write in the custom banned password the word "fabrikam", you are adding more than that, also the "f@br1k@m" is banned! So we made also common char substitution. The Custom password field, can contain up to 1000 words case-insensitive.
Nice to Know
Log Name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
Source: Microsoft-AzureADPasswordProtection-DCAgent
Event ID: 30009
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: ITDC01.IT.CONTOSO.COM
Description:
The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the Microsoft global banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.
UserName: ITOPSTALK
FullName: ITOPSTALK
Log Name: Microsoft-AzureADPasswordProtection-DCAgent/AdminNo Password will be blocked until you will change the configuration on the Tenant from "Audit Mode" to "Enforce".
Source: Microsoft-AzureADPasswordProtection-DCAgent
Event ID: 30007
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: ITDC01.IT.CONTOSO.COM
Description:
The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the per-tenant banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.
UserName: ITOPSTALK
FullName: ITOPSTALK
Scenarios
Some Customers think that because Azure AD Password protection On-Premises, work with DC Agents they can deploy Agents only on a single AD Site to protect for example a Branch Office, but this is a partial deployment and it is not recommended. In this scenario a customer want to deploy DC Agents only on the NY-SITE, graphics always help to understand better:
As you can see one DC in the IT.CONTOSO.DOMAIN don't have the DC Agent, because the change password can happens on any DC, this configuration is not secure and not recommended.
If you want to implement a more secure scenario, you need to install the DC Agent on each DCs of the forest, like in this example:
As you can see here, we have secured all the entire forest by installing the DC agent on each DC in every domains.
If you want to apply the Azure AD Password Protection only to one domain in your forest, you need in any case to deploy the Proxy Services for the Forest and then deploy the DC Agent only on all the DCs in that domain to secure it, in this example HR.CONTOSO.COM. (You should not think to deploy the DC agent only on the PDC, for example):
Last but not least, remember to alert your users about the Policy password change before switch the configuration in the Tenant from "Audit mode" to "Enforce".
I hope that all this info, will help you to deploy this great feature in your Environments.
Reference
The official reference:
Enforce Azure AD password protection for Windows Server Active Directory
Azure AD Password Protection troubleshooting
Azure AD Password Protection monitoring and logging
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.