Step-By-Step: Implementing Azure AD Password Protection On-Premises

Published May 23 2019 12:00 AM 51.1K Views

I travel a lot in Italy, and many times I see multiple customers that are asking for the same requests. One request is the possibility to block some specific passwords in Active Directory. Unfortunately too many users have BAD habits and use the company name in the password field for example. In those cases, the Security team wants to block some easy and well known passwords.

 

In Active Directory you can enable some GPO settings that help you enforce strong passwords, such as:

  1.  Minimum Password Length
  2.  Minimum Password Age
  3.  Maximum Password Age
  4.  Password must meet complexity requirements
  5.  Enforce Password History

 

However, even with a minimum password length of 8 characters and these GPOs, we unfortunately can't prevent the use of some well-known passwords like:
 

"P@$$w0rd" or "Pippo01!"

 

Azure AD Password Protection is finally what we need to enhance the password policies in your organization. With this feature, you can apply the same password checks used in Azure AD to your on-premises Active Directory implementation. You can enforce both the Microsoft Global Banned Passwords list and the custom banned-passwords list stored in your Azure AD tenant.

 

What are the Design Principles?
 

Azure AD Password Protection is based on multiple design principles available here, but I would like to emphasize some of the most important ones:

  1. Your DCs never talk directly with Azure.
    (you need to install the Azure AD Password Protection Proxy Service)
  2. Your DCs will never be exposed to the internet.
  3. There are no ports listening on the Domain Controllers for the Azure AD Password Protection DC Agent.
  4. All the services of Azure AD Password Protection (Proxy Service and DC Agent) run as the LOCAL SYSTEM account and do not require any specific user to work. You will need a Global Admin of your tenant and a Domain Admin to register the Proxy Services and the Forest, but only one time.
  5. It does not require any schema update or specific DFL/FFL.
  6. The solution supports incremental deployment.

 

How does it work?

 

  1. A user requests a password change from a Domain Controller.
  2. The DC Agent Password Filter DLL receives the password validation requests from the OS and forwards them to the Azure AD Password Protection DC Agent installed on the DC. The Agent then validates whether the password complies with the locally stored Azure password policy.
  3. Every hour, the Agent on the DC locates the Azure AD Password Protection Proxy Service via the SCP (Service Connection Point) in the forest to download a fresh copy of the Azure password policy.
  4. The Agent on the DC receives the new version of the Azure password policy from the Proxy Service and stores it in the Sysvol, so that the new policy is replicated to all other DCs in the same domain.

The Azure Password policies are stored in Sysvol as shown here:

Sysvol_AADPP.png

It is not necessary for all the DCs to be able to communicate with the Azure AD Password Protection Proxy Server. If you have a very complex Active Directory environment, you can configure a minimum of one DC per domain to be able to connect to the AAD Password Protection Proxy Servers, and the other DCs will take the new policy from the Sysvol replication. However, on these DCs you will see warnings of this type:

Log Name:      Microsoft-AzureADPasswordProtection-DCAgent/Admin
Source:        Microsoft-AzureADPasswordProtection-DCAgent
Date:          15/05/2019 23:37:39
Event ID:      30018
Task Category: None
Level:         Warning
Keywords:     
User:          SYSTEM
Computer:      ITDC01.IT.CONTOSO.COM
Description:
One or more Azure AD Password Protection Proxy servers were found in the forest but this machine was unable to establish network connectivity to any of them.
 This operation will be run periodically and may succeed in future attempts
 This may be an expected and benign condition depending on how the network environment is configured.
 This domain controller may be able to obtain updated password policies via sysvol replication if other domain controllers do have proxy connectivity.

 

How can I deploy the Azure AD Password Protection?

The following is an example of a simple scenario to understand how to deploy this feature:

AADPP_schema.png

 

  1. Since your DCs never talk directly with Azure, you need at least 2 Azure AD Password Protection Proxy Servers per Forest for high availability, and they should be placed in the Root Domain. The Azure AD Password Protection Proxy Servers must run Windows Server 2012 R2 or above.

  2. Download the Azure AD Password Protection software (Proxy and DC Agent):


    AADPP_software.png

     
  3. Make sure that .NET Framework 4.7 or later is installed on these Proxy Servers.

  4. All the DCs and Proxy Servers require the Universal C runtime for Windows.
     
  5. Install the Proxy Service (AzureADPasswordProtectionProxySetup.exe) on the two Servers, joined to the root domain:
    Install_Proxy_1.png
    Install_Proxy_2.png
    Install_Proxy_3.png
    You can also complete this via silent installation from the command line.

    With the installation of the Proxy Service completed, you can open PowerShell and see that a new module, AzureADPasswordProtection, is installed.
     
    PS C:\> Get-Command -Module AzureADPasswordProtection
    
    CommandType     Name                                               ModuleName
    -----------     ----                                               ----------
    Function        Get-AzureADPasswordProtectionSummaryReport         AzureADPasswordProtection
    Cmdlet          Get-AzureADPasswordProtectionDCAgent               AzureADPasswordProtection
    Cmdlet          Get-AzureADPasswordProtectionProxy                 AzureADPasswordProtection
    Cmdlet          Get-AzureADPasswordProtectionProxyConfiguration    AzureADPasswordProtection
    Cmdlet          Register-AzureADPasswordProtectionForest           AzureADPasswordProtection
    Cmdlet          Register-AzureADPasswordProtectionProxy            AzureADPasswordProtection
    Cmdlet          Set-AzureADPasswordProtectionProxyConfiguration    AzureADPasswordProtection
     
    You can also open the Event Viewer and see the new event logs for the installed service:
     
    AADPPP_EventLogs.png

  6. All the DCs must run Windows Server 2012 or above. You now need to install the package "AzureADPasswordProtectionDCAgentSetup.msi" on them:
    Install_Agent_1.png
    Install_Agent_2.png
    Install_Agent_3_Restart.png

    As you can see, the DC Agent installation requires a reboot of the DC. In this case too, you can use the silent installation from the command line if you want, but please remember to add the /norestart parameter to avoid the immediate restart of the DC.

    After the installation, on the DC you will see a new Eventlog for the agent:
    AADPPDCA_Eventlog.png

  7. By default the Azure AD Password Protection DC Agent uses TCP port 135 and the dynamic port range to connect to the Azure AD Password Protection Proxy Servers, so these ports must be open at the network level. If you prefer, you can configure the Proxy Service to listen on a specific port:
    Set-AzureADPasswordProtectionProxyConfiguration -StaticPort <portnumber>
    This command must be executed on each Proxy Server, and requires a restart of the Proxy Service.

  8. You need to register the two Proxy Servers on your Azure AD tenant with a simple PowerShell cmdlet, run on each proxy:
    Register-AzureADPasswordProtectionProxy -AccountUpn 'admin@<yourtenant>.onmicrosoft.com'
    This registration of the Proxy Service is necessary only one time, for the first authentication on the tenant.

  9. You need to register the Forest on Azure AD. This command must be launched from only one of the Proxy Servers:
    # IF YOU ARE CONNECTED TO THE PROXY SERVER WITH ADMIN CREDENTIAL
    # OF THE ROOT DOMAIN, THEN YOU CAN USE THIS COMMAND: 
    Register-AzureADPasswordProtectionForest -AccountUpn 'admin@<yourtenant>.onmicrosoft.com' 
    
    # OTHERWISE YOU CAN SPECIFY THE ROOT DOMAIN CREDENTIALS: 
    Register-AzureADPasswordProtectionForest -AccountUpn 'admin@<yourtenant>.onmicrosoft.com' -ForestCredential $(Get-Credential)
    This command requires a Global Admin of the tenant and a Domain Admin of the Root Domain.

  10. You can now connect to https://portal.azure.com and configure Azure AD Password Protection:
    Azure_AD_PP_Portal_Config.png

NOTE: keep in mind that when you add the word "fabrikam" to the custom banned password list, you are banning more than that word: "f@br1k@m" is banned as well, because common character substitutions are also applied. The custom banned password list can contain up to 1000 words and is case-insensitive.

 

Nice to Know

 

  1. The Proxy Service of Azure AD Password Protection can work with HTTPS proxy servers in your environment; however, the Azure AD Password Protection Proxy Service doesn't support the use of specific credentials for connecting to an HTTPS proxy.

  2. By default Azure AD Password Protection is set to "Audit Mode" on the tenant. If you deploy a Proxy Service and install an agent on one DC (for testing purposes only) and a password matches the Microsoft Global Banned Password list, the DC Agent only generates events like this one:

    Log Name:      Microsoft-AzureADPasswordProtection-DCAgent/Admin
    Source:        Microsoft-AzureADPasswordProtection-DCAgent
    Event ID:      30009
    Task Category: None
    Level:         Information
    Keywords:     
    User:          SYSTEM
    Computer:      ITDC01.IT.CONTOSO.COM
    Description:
    The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the Microsoft global banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.
     
     UserName: ITOPSTALK
     FullName: ITOPSTALK
    Or like this, if the password matches your custom banned password list on the tenant:

    Log Name:      Microsoft-AzureADPasswordProtection-DCAgent/Admin
    Source:        Microsoft-AzureADPasswordProtection-DCAgent
    Event ID:      30007
    Task Category: None
    Level:         Information
    Keywords:     
    User:          SYSTEM
    Computer:      ITDC01.IT.CONTOSO.COM
    Description:
    The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the per-tenant banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.
     
     UserName: ITOPSTALK
     FullName: ITOPSTALK
    No password will be blocked until you change the configuration on the tenant from "Audit Mode" to "Enforce".

  3. If your DCs are all 2012 or above but you are using FRS for replicating the SYSVOL, upgrade first to DFSR to use Azure AD Password Protection, because FRS is deprecated.

  4. Do you already have two AD Connect servers in your environment? Yes? Then you can install the Proxy Service on these 2 servers if you want, but always start from the one in staging mode ;).

  5. Azure AD Password Protection for Active Directory requires Azure AD Premium P1 or P2 licenses.

  6. Azure AD Password Protection is not a real-time policy application engine: there can be a delay in the application of a new Azure password policy in your on-premises AD environment.

  7. If you want to force a DC to download a fresh copy of the Azure Password Policy from the Proxy Service, you can restart the DC Agent.
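To size the impact of audit mode (item 2 above) before switching the tenant to "Enforce", the audit events can be collected from every DC and grouped per user. This is an added example, not part of the original article; it queries only the two event IDs shown above (30007 and 30009), and the 30-day window and the need for the ActiveDirectory RSAT module plus remote event log access are assumptions.

```powershell
# Added example (not from the original article).
# Collects the audit-mode "would have been rejected" events shown above from all DCs.
Import-Module ActiveDirectory

$logName  = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
$since    = (Get-Date).AddDays(-30)      # assumed review window
$listById = @{
    30007 = 'Per-tenant banned list'
    30009 = 'Microsoft global banned list'
}

# Every DC in every domain of the forest: a password change can land on any of them.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$hits = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = $logName
            Id        = 30007, 30009
            StartTime = $since
        }
    }
    catch {
        # "No matching events" is the quiet case. Anything else (log missing because
        # the DC Agent is not installed, RPC blocked, access denied) is worth a look.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # The event description carries a "UserName: <name>" line, as in the samples above.
        $user = if ($e.Message -match 'UserName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $dc.HostName
            UserName    = $user
            List        = $listById[$e.Id]
        }
    }
}

# Users who would be rejected once the tenant is set to "Enforce", most frequent first.
$hits |
    Group-Object UserName, List |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A warning for a DC whose log cannot be found is itself a finding: that DC is probably running without the DC Agent.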

 

Scenarios

Some customers think that because Azure AD Password Protection on-premises works with DC Agents, they can deploy agents only in a single AD site to protect, for example, a branch office. This is a partial deployment and it is not recommended. In this scenario a customer wants to deploy DC Agents only on the NY-SITE; graphics always help to understand better:

scenario1.png

As you can see, one DC in IT.CONTOSO.DOMAIN doesn't have the DC Agent. Because a password change can happen on any DC, this configuration is not secure and not recommended.

 

If you want to implement a more secure scenario, you need to install the DC Agent on every DC of the forest, like in this example:

scenario2.png

 

As you can see here, we have secured the entire forest by installing the DC Agent on each DC in every domain.


If you want to apply Azure AD Password Protection to only one domain in your forest, you still need to deploy the Proxy Services for the Forest, and then deploy the DC Agent on all the DCs in that domain to secure it, in this example HR.CONTOSO.COM. (Do not deploy the DC Agent only on the PDC, for example.):

scenario3.png
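The partial deployments described in these scenarios can be detected by comparing the DCs that exist in the forest with the DC Agents that have reported in. This is an added example, not part of the original article: Get-AzureADPasswordProtectionDCAgent comes from the module listed earlier, while its -Forest parameter, the ServerFQDN, HeartbeatUTC and PasswordPolicyDateUTC output properties (taken from Microsoft's documentation of the module and assumed to be DateTime values where dates) and the 24-hour heartbeat threshold are assumptions.

```powershell
# Added example (not from the original article).
# Flags DCs with no DC Agent, a silent agent, or an older policy than their peers.
Import-Module ActiveDirectory
Import-Module AzureADPasswordProtection   # present where the Proxy or DC Agent is installed

$forest       = Get-ADForest
$maxHeartbeat = New-TimeSpan -Hours 24    # assumed threshold for a "silent" agent
$nowUtc       = (Get-Date).ToUniversalTime()

# Index the agents that have registered in the forest by DC FQDN.
# PowerShell hashtables are case-insensitive, so FQDN casing does not matter.
$agents = @{}
Get-AzureADPasswordProtectionDCAgent -Forest $forest.Name | ForEach-Object {
    $agents[$_.ServerFQDN] = $_
}

# Newest policy timestamp seen on any agent: DCs behind it are waiting on the
# Proxy download or on Sysvol replication.
$newestPolicy = $agents.Values |
    Where-Object { $_.PasswordPolicyDateUTC } |
    Sort-Object PasswordPolicyDateUTC -Descending |
    Select-Object -First 1 -ExpandProperty PasswordPolicyDateUTC

$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $agent = $agents[$dc.HostName]

        $status = if (-not $agent) {
            'NO AGENT'            # password changes on this DC are not filtered
        } elseif (-not $agent.PasswordPolicyDateUTC) {
            'NO POLICY'           # agent installed but has never obtained a policy
        } elseif (($nowUtc - $agent.HeartbeatUTC) -gt $maxHeartbeat) {
            'SILENT AGENT'        # agent has stopped reporting
        } elseif ($agent.PasswordPolicyDateUTC -lt $newestPolicy) {
            'OLD POLICY'          # enforcing an older policy than other DCs
        } else {
            'OK'
        }

        [pscustomobject]@{
            Domain     = $domain
            DC         = $dc.HostName
            Site       = $dc.Site
            Status     = $status
            PolicyDate = if ($agent) { $agent.PasswordPolicyDateUTC }
            Heartbeat  = if ($agent) { $agent.HeartbeatUTC }
        }
    }
}

$report | Sort-Object Domain, Site, DC | Format-Table -AutoSize

$gaps = @($report | Where-Object Status -ne 'OK')
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) DC(s) are not fully covered by Azure AD Password Protection."
}
```

For the single-domain scenario, limit the outer loop to that domain (HR.CONTOSO.COM in the example above) instead of iterating over every domain in the forest.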


Last but not least, remember to alert your users about the password policy change before switching the configuration in the tenant from "Audit mode" to "Enforce".

I hope that all this info will help you to deploy this great feature in your environments.

 

Reference

The official reference:

Enforce Azure AD password protection for Windows Server Active Directory

Azure AD Password Protection troubleshooting

Azure AD Password Protection monitoring and logging

 

 

B%20orphans%3A%202%3B%20-webkit-text-stroke-width%3A%200px%3B%22%3EThe%20%3CSTRONG%3EDC%20Agent%20Password%20Filter%20dll%3C%2FSTRONG%3E%2C%20receive%20from%20the%20OS%2C%20the%20password%20validation%20requests%2C%20and%20forward%20them%20to%20the%26nbsp%3B%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3E%3CSTRONG%3EAzure%20AD%20Password%20Protection%20DC%20Agent%3C%2FSTRONG%3E%2C%20installed%20on%20the%20DC.%20This%20Agent%20then%20validate%20if%20the%20password%20is%20compliance%20with%20the%20locally%20stored%3C%2FFONT%3E%20Azure%20password%20policy.%3C%2FLI%3E%0A%3CLI%20style%3D%22text-align%3A%20left%3B%20color%3A%20%23333333%3B%20text-transform%3A%20none%3B%20line-height%3A%201.7142%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20text-decoration%3A%20none%3B%20word-spacing%3A%200px%3B%20white-space%3A%20normal%3B%20box-sizing%3A%20border-box%3B%20orphans%3A%202%3B%20-webkit-text-stroke-width%3A%200px%3B%22%3EThe%20Agent%20on%20the%20DC%20every%201h%20locate%20via%20the%20%3CSTRONG%3ESCP%3C%2FSTRONG%3E%20(Service%20Connection%20Point)%20in%20the%20forest%20the%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20Proxy%20Se
rvice%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%20to%20download%20a%20fresh%20copy%20of%20the%20%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EAzure%20password%20policy.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22text-align%3A%20left%3B%20color%3A%20%23333333%3B%20text-transform%3A%20none%3B%20line-height%3A%201.7142%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20text-decoration%3A%20none%3B%20word-spacing%3A%200px%3B%20white-space%3A%20normal%3B%20box-sizing%3A%20border-box%3B%20orphans%3A%202%3B%20-webkit-text-stroke-width%3A%200px%3B%22%3EThe%20Agent%20on%20the%20DC%20receives%20the%20new%20version%20of%20the%20Azure%20password%20policy%20from%20the%20proxy%20service%20and%20stores%20it%20in%20the%20%3CSTRONG%3ESysvol%3C%2FSTRONG%3E%20enabling%20this%20new%20policy%20to%20be%20replicated%20to%20all%20other%20DCs%20in%20the%20same%20domain.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-we
bkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3EThe%20Azure%20Password%20policies%20are%20stored%20in%20Sysvol%20as%20shown%20here%3A%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20856px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113934i383DAA0483476697%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Sysvol_AADPP.png%22%20title%3D%22Sysvol_AADPP.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3EIt%20is%20not%20necessary%20that%20all%20the%20DCs%20are%20able%20to%20comunicate%20with%20the%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CFONT
%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20Proxy%20Server%2C%20%3C%2FFONT%3E%3C%2FSTRONG%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3Ei%3C%2FFONT%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3Ef%20you%20have%20a%20very%20complex%20Active%20Directory%20environments%2C%20y%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FSTRONG%3Eou%20can%20configure%20a%20minimum%20of%20%3CSTRONG%3Eone%20DC%20per%20domain%3C%2FSTRONG%3E%20to%20be%20able%20to%20connect%20to%20the%20%3CSTRONG%3EAAD%20Password%20Protection%20Proxy%20Servers%2C%20%3C%2FSTRONG%3Eand%20the%20other%20DCs%20will%20take%20the%20new%20policy%20from%20the%20Sysvol%20replication.%20However%2C%20on%20these%20DCs%20you%20will%20see%20some%20warning%20of%20this%20type%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSTRONG%3E%3CFONT%20size%3D%222%22%3ELog%20Name%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Microsoft-AzureADPasswordProtection-DCAgent%2FAdmin%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3ESource%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B
%26nbsp%3B%26nbsp%3B%20Microsoft-AzureADPasswordProtection-DCAgent%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3EDate%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2015%2F05%2F2019%2023%3A37%3A39%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20size%3D%222%22%3EEvent%20ID%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2030018%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3ETask%20Category%3A%20None%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3ELevel%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Warning%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3EKeywords%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3EUser%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SYSTEM%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3EComputer%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20ITDC01.IT.CONTOSO.COM%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3EDescription%3A%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20size%3D%222%22%3EOne%20or%20more%20Azure%20AD%20Password%20Protection%20Proxy%20servers%20were%20found%20in%20the%20forest%20but%20this%20machine%20was%20unable%20to%20establish%20network%20connectivity%20to%20any%20of%20them.%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3E%26nbsp%3B%3C%2FFONT%3E%3CFONT%20size%3D%222%22%3EThis%20operation%20will%20be%20run%20periodically%20and%20may%20succeed%20in%20future%20attempts%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23ff0000%22%20size%3D%222%22%3E%26nbsp%3BThis%20may%20be%20an%20expected%20and%20benign%20condition%20depending%20on%20how%20the%20network%20environment%20is%20configured.%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3E%26nbsp%3B%3C%2FFONT%3E%3CFONT%20color%3D%22%23ff0000%22%3E%3CFONT%20size%3D%222%22%3EThis%20domain%20controller%20may%
20be%20able%20to%20obtain%20updated%20password%20policies%20via%20sysvol%20replication%20if%20other%20domain%20controllers%20do%20have%20proxy%20connectivity.%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FDIV%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3EHow%20can%20I%20deploy%20the%20Azure%20AD%20Password%20Protection%3F%3C%2FSTRONG%3E%3C%2FFONT%3E%3CFONT%20size%3D%224%22%3E%3CSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EThe%20following%20is%20a%20an%20example%20of%20a%20simple%20scenario%20to%20understand%20how-to%20deploy%20this%20feature%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20883px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F115685i173C981D25A63528%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22AADPP_schema.png%22%20title%3D%22AADPP_schema.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CFONT%20size%3D%224%22%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333
333%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3ESince%20your%20DCs%20never%20talk%20directly%20with%20Azure%20you%20need%20at%20least%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E2%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20Proxy%20Server%3C%2FFONT%3E%20per%20Forest%3C%2FSTRONG%3E%20for%20high%20availability%20and%20should%20be%20placed%20in%20the%20Root%20Domain.%20%3C%2FFONT%3EThe%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20Proxy%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EServers%3C%2FSTRONG%3E%20must%20be%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EWindows%20Server%202012R2%20or%20above%3C%2FSTRONG%3E.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%
3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3EDownload%20the%20%3CSTRONG%3E%3CA%20title%3D%22Azure%20AD%20Password%20Protection%20software%22%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D57071%2520%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20AD%20Password%20Protection%20software%3C%2FA%3E%3C%2FSTRONG%3E%20(Proxy%20and%20DC%20Agent)%3A%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20685px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113651i092CF723764A1ABA%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22AADPP_software.png%22%20title%3D%22AADPP_software.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%0A%26nbsp%3B%3C%2FLI%3E%0A%3CLI%20style%3D%22b
ox-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%26nbsp%3BBe%20sure%20to%20have%20installed%20%3CA%20title%3D%22.NET%20Framework%204.7%22%20href%3D%22https%3A%2F%2Fdotnet.microsoft.com%2Fdownload%2Fdotnet-framework%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E.NET%20Framework%204.7%3C%2FA%3E%20at%20minimum%20on%20these%20Proxy%20Servers.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EAll%20the%20server%20DCs%20and%20Proxy%20Services%20require%20the%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F2999226%2Fupdate-for-universal-c-runtime-in-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUniversal%20C%20runtime%20for%20Windows%3C%2FA%3E.%3CBR%20%2F%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EInstall%20the%20Proxy%20Service%20(%3CSTRONG%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EAzureADPasswordProtectionProxySetup%3C%2FFONT%3E.exe%3C%2FSTRONG%3E)%20on%20the%20two%20Servers%2C%20joined%20to%20the%20root%20domain%3A%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%200px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113636i251C4AC0AAC04088%2Fimage-size%2Fsmall%3Fv%3D1.0%26amp%3Bpx%3D200%22%20width%3D%220%22%20height%3D%220%22%20alt%3D%22Install_Proxy_1.png%22%20title%3D%22Install_Proxy_1.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20265px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113642i4379BCC2541C99D4%2Fimage-dimensions%2F265x167%3Fv%3D1.0%22%20width%3D%22265%22%20height%3D%22167%22%20alt%3D%22Install
_Proxy_1.png%22%20title%3D%22Install_Proxy_1.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20263px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113637i4892339CB131849E%2Fimage-dimensions%2F263x166%3Fv%3D1.0%22%20width%3D%22263%22%20height%3D%22166%22%20alt%3D%22Install_Proxy_2.png%22%20title%3D%22Install_Proxy_2.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20266px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113638iA5CDFD6CB21392FB%2Fimage-dimensions%2F266x168%3Fv%3D1.0%22%20width%3D%22266%22%20height%3D%22168%22%20alt%3D%22Install_Proxy_3.png%22%20title%3D%22Install_Proxy_3.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3EYou%20can%20also%20complete%20this%20via%20%3CA%20title%3D%22Silent%20installation%20from%20the%20command%20line%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-deploy%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESilent%20installation%20from%20the%20command%20line%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWith%20the%20installation%20of%20the%20Proxy%20Service%20completed%2C%20you%20can%20open%20PowerShell%20and%20can%20see%20a%20new%20module%2C%20%3CSTRONG%3E%3CSPAN%20style%3D%22text-align%3A%20left%3B%20color%3A%20%23333333%3B%20text-transform%3A%20none%3B%20line-height%3A%201.7142%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20text-decoration%3A%20none%3B%20word-spacing%3A%200px%3B%20display%3A%20inline%20!important%3B%20white-space%3A%20normal%3B%20cursor%3A%20text%3B%20orp
hans%3A%202%3B%20float%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20background-color%3A%20%23ffffff%3B%22%3EAzureADPasswordProtection%2C%20%3C%2FSPAN%3E%3C%2FSTRONG%3Einstalled.%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CPRE%3EPS%20C%3A%5C%26gt%3B%20Get-Command%20-Module%20AzureADPasswordProtection%0A%0ACommandType%20%20%20%20%20Name%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20ModuleName%0A-----------%20%20%20%20%20----%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20----------%0AFunction%20%20%20%20%20%20%20%20Get-AzureADPasswordProtectionSummaryReport%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Get-AzureADPasswordProtectionDCAgent%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Get-AzureADPasswordProtectionProxy%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Get-AzureADPasswordProtectionProxyConfiguration%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Register-AzureADPasswordProtectionForest%20%20%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Register-AzureADPasswordProtectionProxy%20%20%20%20%20%20%20%20%20%20%20%20AzureADPasswordProtection%0ACmdlet%20%20%20%20%20%20%20%20%20%20Set-AzureADPasswordProtectionProxyConfiguration%20%20%20%20AzureADPasswordProtection%3C%2FPRE%3E%0A%26nbsp%3B%3CBR%20%2F%3EYou%20can%20also%20open%20the%20event%20log%20and%20can%20see%20new%20Event%20logs%20for%20the%20installed%20Service%3A%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%
2Fimage%2Fserverpage%2Fimage-id%2F113881i7E80133CD3565208%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22AADPPP_EventLogs.png%22%20title%3D%22AADPPP_EventLogs.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EAll%20the%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EDCs%3C%2FSTRONG%3E%20must%20be%20at%20least%20%3CSTRONG%3EWindows%20Server%202012%20or%20above.%20%3C%2FSTRONG%3EYou%20now%20need%20to%20install%20the%20package%20%3CSTRONG%3E%22%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EAzureADPasswordProtectionDCAgentSetup%3C%2FFONT%3E.msi%22%3A%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20302px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113656i957E3C2A5DDBEF77%2Fimage-dimensions%2F302x234%3Fv%3D1.0%22%20width%3D%22302%22%20height%3D%22234%22%20alt%3D%22Install_Agent_1.png%22%20title%3D%22Install_Agent_1.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20300px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113655i0E3FC87308C3ADD8%2Fimage-dimensions%2F300x234%3Fv%3D1.0%22%20width%3D%22300%22%20height%3D%22234%22%20alt%3D%22Install_Agent_2.png%22%20title%3D%22Install_Agent_2.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20299px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113654i5E62FB5B05D783C1%2Fimage-dimensions%2F299x143%3Fv%3D1.0%22%20width%3D%22299%22%20height%3D%22143%22%20alt%3D%22Install_Agent_3_Restart.png%22%20title%3D%22Install_Agent_3_Restar
t.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CBR%20%2F%3E%3C%2FSTRONG%3EAs%20you%20can%20see%20the%20DC%20Agents%20installation%20%3CU%3E%3CSTRONG%3Erequire%20the%20reboot%20of%20the%20DC%3C%2FSTRONG%3E%3C%2FU%3E%20and%20also%20in%20this%20case%20if%20you%20want%20you%20can%20use%20the%20%3CA%20title%3D%22Silent%20installation%20with%20the%20command%20line%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-deploy%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESilent%20installation%20with%20the%20command%20line%3C%2FA%3E.%20But%20please%20remember%20to%20put%20the%20%3CSTRONG%3E%2Fnorestart%20%3C%2FSTRONG%3Eparameter%20to%20avoid%20the%20immediate%20restart%20of%20the%20DC.%3CBR%20%2F%3E%3CBR%20%2F%3EAfter%20the%20installation%2C%20on%20the%20DC%20you%20will%20see%20a%20new%20Eventlog%20for%20the%20agent%3A%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20740px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F113893iF1B5B3CC2B92062C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22AADPPDCA_Eventlog.png%22%20title%3D%22AADPPDCA_Eventlog.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3EBy%20default%20the%26nbsp%3B%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20bold%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20sty
le%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20DC%20Agent%3C%2FFONT%3E%3C%2FSTRONG%3E%20use%20the%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ETCP%20port%20135%20and%20the%20dynamic%20ports%20range%3C%2FSTRONG%3E%20to%20connect%20to%20the%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3EAzure%20AD%20Password%20Protection%20Proxy%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EServers%2C%3C%2FSTRONG%3E%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3Eso%20this%20ports%20must%20be%20open%20at%20the%20network%20level%2C%20but%20if%20you%20prefer%2C%20you%20can%20configure%20the%20proxy%20Service%20to%20Listen%20on%20a%20specific%20ports.%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FFONT%3E%0A%3CPRE%3ESet-AzureADPasswordProtectionProxyConfiguration%20%E2%80%93StaticPort%20%26lt%3Bportnumber%26gt%3B%3C%2FPRE%3E%0A%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3E%3CU%3EThis%20command%20must%20be%20executed%20on%20each%20proxy%20Server%2C%20and%20require%20the%20restart%20of%20the%20Proxy%20Service.%3CBR%20%2F
idth%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSTRONG%3EOne%20or%20more%20Azure%20AD%20Password%20Protection%20Proxy%20servers%20were%20found%20in%20the%20forest%20but%20this%20machine%20was%20unable%20to%20establish%20network%20connectivity%20to%20any%20of%20them.%3C%2FSTRONG%3E%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EThis%20is%20due%20to%20a%20network%20connectivity%20issue%20from%20the%20%3CSTRONG%3EDC%20Agent%3C%2FSTRONG%3E%20to%20the%20%3CSTRONG%3EAzure%20AD%20Password%20Protection%20Proxy%20Service.%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EOn%20your%20Proxy%20server%20you%20should%20be%20able%20to%20view%20this%20to%20inbound%20Windows%20Firewall%20rules%3A%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20sty
le%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F117548i07338C9B6B8A764D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Firewall_roules_AADPPPS.jpg%22%20title%3D%22Firewall_roules_AADPPPS.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20Calibri%3B%22%3E%3A%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20%23333333%3B%20background%3A%20white%3B%22%3EThis%20rules%20are%20automatically%20created%20by%20the%20installation%20of%20the%20Proxy%20Service%2C%20o%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23333333%3B%20background%3A%20white%3B%22%3Ene%20is%20for%20the%20%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-weight%3A%20bold%3B%20color%3A%20%23333333%3B%20background%3A%20white%3B%22%3EEndpoint%20Mapper%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23333333%3B%20background%3A%20white%3B%22%3E%20on%20port%20%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-weight%3A%20bold%3B%20color%3A%20%23333333%3B%20background%3A%20white%3B%22%3E135%20TCP%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23333333%3B%20background%3A%20white%3B%22%3E%2C%20and%20the%20other%20is%20for%20the%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F929851%2Fthe-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20style%3D%22font-weight%3A%20bold%3B%20background%3A%20white%3B%22%3EDynamic%20Port%20Range%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20style%3D%22color%3A%20%23333333%3B%20background%3A%20white%3B%22%3E%20by%20default%20%3CSTRONG%3Efrom%26nbsp%3B%3C%2FSTRONG%3E%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20style%3D%22background%3A%20white%3B%20color%3A%20%23333333%3B%22%3E49152%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23333333%3B%20background%3A%20white%3B%22%3E%20to%20%3C%2FSPAN%3E%3CSPAN%20style%3D%22background%3A%20white%3B%20color%3A%20%23333333%3B%22%
3E65535%20TCP%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20style%3D%22color%3A%20%23333333%3B%20background%3A%20white%3B%22%3E.%20%3C%2FSPAN%3E%3CSPAN%20style%3D%22color%3A%20%23333333%3B%22%3EIf%20this%20two%20rules%20are%20enabled%20on%20the%20Windows%20Firewall%20you%20need%20to%20check%20if%20there%20is%20something%20else%20that%20act%20as%20a%20firewall%20(Example%3A%20firewall%20appliance%20on%20the%20network%2C%20or%20may%20be%20the%20Antivirus%20on%20the%20DC%20or%20on%20the%20Proxy).%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20%23333333%3B%22%3EI%20hope%20to%20help%20you%20%3B)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ECiao%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-962290%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-962290%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170496%22%20target%3D%22_blank%22%3E%40Daniele%20De%20Angelis%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20would%20like%20a%20clarification%20regarding%20the%20number%207%20bullet%20point%20in%20the%20Nice%20to%20Know%20section%20regarding%20the%3A%20%22If%20you%20want%20to%20force%20a%20DC%20to%20download%20a%20fresh%20copy%20of%20the%20Azure%20Password%20Policy%20from%20the%20Proxy%20Service%2C%20you%20can%20restart%20the%20DC%20Agent.%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20there%20a%20fixed%20amount%20of%20time%20that%20the%20Azure%20AD%20Password%20Protection%20DC%20agent%20periodically%20tries%20to%20download%20a%20new%20copy%20of%20the%20Azure%20Password%20Policy%3F%20(e.g.%20every%2015%20minutes%20or%2030%20minutes)%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%2C%3C%2FP%3E%0A%3CP%3EGeorge%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%
3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-962497%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-962497%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F210335%22%20target%3D%22_blank%22%3E%40George%20Smyrlis%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYes%2C%20every%201h%2C%20you%20can%20find%20this%20info%20in%20the%20official%20docs%20also%3A%3CBR%20%2F%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23171717%3B%20font-family%3A%20Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20overflow-wrap%3A%20break-word%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSTRONG%3EThe%20DC%20Agent%20service%20always%20requests%20a%20new%20policy%20at%20service%20startup%3C%2FSTRONG%3E.%20After%20the%20DC%20Agent%20service%20is%20started%2C%20%3CSTRONG%3Eit%20checks%20the%20age%20of%20the%20current%20locally%20available%20policy%20hourly%3C%2FSTRONG%3E.%20If%20the%20policy%20is%20older%20than%20one%20hour%2C%20the%20DC%20Agent%20requests%20a%20new%20policy%20from%20Azure%20AD%20via%20the%20proxy%20service%2C%20as%20described%20previously.%20%3CSTRONG%3EIf%20the%20current%20policy%20isn't%20older%20than%20one%20hour%2C%20the
%20DC%20Agent%20continues%20to%20use%20that%20policy%3C%2FSTRONG%3E.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-password-ban-bad-on-premises%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-password-ban-bad-on-premises%3C%2FFONT%3E%3C%2FA%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23171717%3B%20font-family%3A%20Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20overflow-wrap%3A%20break-word%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20sty
le%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23171717%3B%20font-family%3A%20Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20overflow-wrap%3A%20break-word%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3ECiao%20%3B)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-964964%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-964964%22%20slang%3D%22en-US%22%3E%3CP%3Egood%20question%26nbsp%3BGeorge%20Smyrlis.%26nbsp%3B%3CBR%20%2F%3EI%20have%20an%20other%20question%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170496%22%20target%3D%22_blank%22%3E%40Daniele%20De%20Angelis%3C%2FA%3E%26nbsp%3B%20%26nbsp%3B%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3EMicrosoft%20recommends%202%20Proxy%20servers%20for%20uptime%20concerns%2C%20but%20do
es%20the%20DC%20ever%20looses%20it's%20cache%20of%20the%20policy%20from%20the%20proxy%20server%3F%3CBR%20%2F%3Efor%20exsample%20if%20the%20DC%20restarts%3F%3CBR%20%2F%3EDoes%20it%20ever%20become%20a%20problem%20to%20reset%20a%20password%2C%20if%20the%20proxy%20service%20is%20unavailable%20for%20days%20maybe%3F%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOr%20is%20the%20only%20concern%20if%20we%20want%20the%20latest%20banlist%20from%20Microsoft%20Global%20banlist.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-965286%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965286%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F151618%22%20target%3D%22_blank%22%3E%40Micki%20Wulffeld%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3EI'll%20try%20to%20respond%20to%20your%20questions%20%3A%3C%2FP%3E%0A%3CP%3E1)%20The%20DC%20don't%20loose%20the%20local%20copy%20of%20the%20Microsoft%20Global%20and%20Custom%20banned%20password%20list%20if%20you%20reboot%20it%20for%20example.%3C%2FP%3E%0A%3CP%3E2)%20If%20you%20have%20two%20proxy%20service%20and%20they%20are%20offline%20for%20days%2C%20the%20DC%20Agent%20on%20the%20DC%20%3CSTRONG%3Ewill%20continue%20to%20use%20the%20old%20version%3C%2FSTRONG%3E%20of%20Global%20and%20Custom%20banned%20password%20list%20%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20whit
e-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%20(even%20if%20you%20reboot%20it%20in%20this%20time%20for%20example%20for%20patching)%3C%2FSPAN%3E%2C%20but%20for%20sure%20if%20you%20add%20new%20custom%20password%20in%20the%20Azure%20portal%20this%20will%20not%20be%20applied%20on-premises%20until%20your%20proxy%20services%20will%20be%20back%20online.%3CBR%20%2F%3E3)%20Event%20if%20the%20proxy%20services%20are%20offline%2C%20the%20DC%20will%20continue%20to%20reset%20password%20using%20the%20local%20copy%20of%20Global%20and%20Custom%20banned%20password%20lists.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMany%20thanks%20for%20asking%20%3B)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3ECiao%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1691179%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1691179%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170496%22%20target%3D%22_blank%22%3E%40Daniele%20De%20Angelis%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20I'm%20late%20in%20getting%20to%20this%20article.%20It%20would%20be%20really%20useful%20in%20some%20small%20office%20deployments%20I%20have%20seen.%20I%20have%20two%20questions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Does%20the%20proxy%20need%20to%20be%20on%20a%20separate%20machine%20or%20could%20it%20be%20installed%20on%20the%20DC.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20In%20another%20environment%2C%20they%20have%20a%20single%20Azure%20AD%20Connect%20machine%20(and%20two%20DC's).%20Will%20this%20work%20if%20I%20were%20to%20install%20the%20proxy%20on%20the%20one%20AADC%20computer%20(understanding%20that%20there%20is%20no%20resiliency%20in%20such%20a%20configuration).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks.%3C%
2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1700136%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1700136%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F229696%22%20target%3D%22_blank%22%3E%40A-XR219%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eit's%20a%20pleasure%20to%20answer%20questions%20%3B)%3C%2Fimg%3E%20%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1)%20You%20can%20run%20the%20Azure%20AD%20Password%20Protection%20proxy%20service%20on%20a%20domain%20controller%20for%20testing%2C%20but%20that%20domain%20controller%20then%20requires%20internet%20connectivity.%20%3CSTRONG%3EThis%20connectivity%20can%20be%20a%20security%20concern.%20We%20recommend%20this%20configuration%20for%20testing%20only%2C%20so%20not%20in%20Production%20Environment.%3CBR%20%2F%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EReference%3CSTRONG%3E%3A%26nbsp%3B%3C%2FSTRONG%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-deploy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-deploy%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E2)%20Yes%20It%20works%2C%20even%20if%20you%20have%20only%20one%20%3CSTRONG%3EAzure%20AD%20Password%20Protection%20Proxy%3C%2FSTRONG%3E%2C%20and%20if%20this%20proxy%20become%20unavailable%20the%20DC%20agent%20continue%20to%20use%20the%20local%20cached%20copy%2C%20but%20fore%20sure%20you%20are%20not%20able%20to%20receive%20the%20most%20recent%20updated%20Password%20Policy%3A%3CBR%20%2F%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3
D%3D%3D%3D%3D%3D%3D%3CBR%20%2F%3E%3CSPAN%3EThe%20design%20of%20the%20Azure%20AD%20Password%20Protection%20DC%20agent%20software%20mitigates%20the%20usual%20problems%20that%20are%20associated%20with%20high%20availability.%20The%20Azure%20AD%20Password%20Protection%20DC%20agent%20maintains%20a%20local%20cache%20of%20the%20most%20recently%20downloaded%20password%20policy.%20Even%20if%20all%20registered%20proxy%20servers%20become%20unavailable%2C%20the%20Azure%20AD%20Password%20Protection%20DC%20agents%20continue%20to%20enforce%20their%20cached%20password%20policy.%3CBR%20%2F%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3BReference%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-deploy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-deploy%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20for%20your%20questions%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F229696%22%20target%3D%22_blank%22%3E%40A-XR219%3C%2FA%3E%26nbsp%3B%20%3B)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3EDaniele%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1703050%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1703050%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170496%22%20target%3D%22_blank%22%3E%40Daniele%20De%20Angelis%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry...%20anot
her%20question.%20I%20can%20see%20how%20and%20where%20the%20events%20are%20logged%20on%20the%20DC's%2C%20and%20there%20is%20good%20documentation%20for%20feeding%20these%20logs%20back%20into%20something%20like%20Azure%20Log%20Analytics.%20Is%20there%20a%20way%20to%20feed%20the%20logs%20from%20AAD%20which%20relate%20to%20AAD%20Password%20Protection%3F%20For%20clarity%2C%20if%20Someone%20tries%20to%20use%20a%20bad%20password%20while%20resetting%20their%20password%20directly%20in%20AAD%2C%20is%20that%20logged%20somewhere%20that%20I%20can%20push%20into%20Log%20Analytics%20(or%2C%20as%20is%20likely%2C%20have%20I%20misunderstood.)%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1703536%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1703536%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F229696%22%20target%3D%22_blank%22%3E%40A-XR219%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CP%3Enice%20to%20hear%20you%20again%20%3A)%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eas%20you%20probably%20know%20the%20official%20documentation%20for%20the%20AAD%20Password%20Protection%20On-premise%20events%20logs%20is%20here%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-monitor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-monitor%3C%2FA%3E%3CBR%20%2F%3Ethis%20logs%20are%20local%20to%20the%20DCs%20and%20Proxy%20so%20are%20NOT%20automatically%20forwarded%20to%20Azure%20Logs%20Analytics%2C%20maybe%20you%20need%20to%20use%20Az
ure%20Monitoring%20Agents%2C%20but%20to%20be%20honest%20I%20don't%26nbsp%3B%20have%20experience%20on%20this%20and%20I'm%20sorry%20for%20that%20%3B).%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%0A%3CP%3EDaniele%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2171262%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2171262%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170496%22%20target%3D%22_blank%22%3E%40Daniele%20De%20Angelis%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20have%20question%20around%20the%20installation%26nbsp%3Bof%20AAD%20Protection%20Proxy%20Service%20agent%20and%20I%20cannot%20seem%20to%20find%20an%20answer.%20Can%20this%20agent%20be%20installed%20on%20the%20same%20server%20as%20Azure%20AD%20Connect%20V2%20or%20is%20it%20best%20practice%20to%20have%20those%20roles%20separated%3F%3F%20For%20example%2C%20I%20have%20a%20primary%20Azure%20AD%20Connect%20Server%20and%20a%20staging%20Azure%20AD%20Connect%20Server..I%20was%20wondering%20if%20I%20could%20install%20it%20on%20both%2C%20maybe%20its%20not%20even%20supported%2C%20idk.%20Thank%20you%20so%20much.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2227222%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2227222%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F173825%22%20target%3D%22_blank%22%3E%40Marc%20Rodieck%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CP%3Emy%20apologize%20for%20the%20delay%2C%20here%20you%20can%20find%20the%20answer%20to%20your%20question%20%3B)%3A%3CBR%20%2F%3E%3D%3D%3D%3D%3D%3D%3D%3
D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3CBR%20%2F%3E%3CSTRONG%3EQuestion%3A%3C%2FSTRONG%3E%20Is%20it%20okay%20to%20deploy%20the%20Azure%20AD%20Password%20Protection%20Proxy%20service%20side%20by%20side%20with%20other%20services%20such%20as%20Azure%20AD%20Connect%3F%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAnswer%3A%3C%2FSTRONG%3E%20Yes.%20The%20Azure%20AD%20Password%20Protection%20Proxy%20service%20and%20Azure%20AD%20Connect%20should%20never%20conflict%20directly%20with%20each%20other.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUnfortunately%2C%20an%20incompatibility%20has%20been%20found%20between%20the%20version%20of%20the%20Microsoft%20Azure%20AD%20Connect%20Agent%20Updater%20service%20that%20is%20installed%20by%20the%20Azure%20AD%20Password%20Protection%20Proxy%20software%20and%20the%20version%20of%20the%20service%20that%20is%20installed%20by%20the%20Azure%20Active%20Directory%20Application%20Proxy%20software.%20This%20incompatibility%20may%20result%20in%20the%20Agent%20Updater%20service%20being%20unable%20to%20contact%20Azure%20for%20software%20updates.%3CU%3E%20It%20is%20not%20recommended%20to%20install%20Azure%20AD%20Password%20Protection%20Proxy%20and%20Azure%20Active%20Directory%20Application%20Proxy%20on%20the%20same%20machine%3C%2FU%3E.%3CBR%20%2F%3E%3CSTRONG%3EReference%3A%3C%2FSTRONG%3E%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-faq%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-password-ban-bad-on-premises-faq%3C%2FA%3E%3CBR%20%2F%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D
%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3CBR%20%2F%3EBe%20aware%20of%20the%20incompatibility%20between%20%22%3CSTRONG%3EAzure%20AD%20Password%20Protection%20Proxy%3C%2FSTRONG%3E%22%20and%20%22%3CSTRONG%3EAzure%20Active%20Directory%20Application%20Proxy%3C%2FSTRONG%3E%22%2C%20in%20this%20case%20is%20better%20to%20have%20different%20servers.%3C%2FP%3E%0A%3CP%3EMany%20thanks%20for%20your%20question.%3C%2FP%3E%0A%3CP%3EDaniele%20De%20Angelis%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2532271%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2532271%22%20slang%3D%22en-US%22%3E%3CP%3EHi.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20if%20we%20have%201000%20users%20in%20our%20AD%20on%20premise%20(not%20Azure)%2C%20but%20we%20only%20want%20to%20use%20Azure%20Active%20Directory%20Password%20Protection%2C%20then%20do%20we%20have%20to%20pay%201000%20users%20in%20Azure%20AD%20premium%20(6%20usd%20x%20user)%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2539638%22%20slang%3D%22en-US%22%3ERe%3A%20Step-By-Step%3A%20Implementing%20Azure%20AD%20Password%20Protection%20On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2539638%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1099622%22%20target%3D%22_blank%22%3E%40juangonzalez%3C%2FA%3E%2C%3CBR%20%2F%3Ehere%20the%20link%20related%20to%20the%20licensing%20of%20Azure%20AD%20Password%20Protection%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-password-ban-bad%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directo
Version history
Last update: Jun 07 2019 01:59 AM
Updated by: