
On-Prem Azure AD Password Protection doesn't work

Even if a user's password contains a banned password, the password change has been accepted.

 

I have configured on-premises Azure Active Directory Password Protection on a customer tenant.

 

But even if a user's password contains a banned password, the server accepts the banned password.

 

 

It says it is compliant!

 


Troubleshooting shows that all are right.

VerifyProxyConnectivity 

VerifyAzureConnectivityViaSpecificProxy

 

Test-AzureADPasswordProtectionDCAgentHealth -VerifyProxyConnectivity domain.com

 


Test-AzureADPasswordProtectionDCAgentHealth -VerifyAzureConnectivityViaSpecificProxy domain.com

 

Troubleshooting DC Agent

DC agent health tests

Test-AzureADPasswordProtectionDCAgentHealth -VerifyPasswordFilterDll

 

 


Test-AzureADPasswordProtectionDCAgentHealth -TestAll

 

Troubleshooting Proxy

 


Proxy verification of all tests

Test-AzureADPasswordProtectionProxyHealth -TestAll

 


DC Agent version is the last version. 1.2.177.1

 

Do you have ideas why it is not working?

Microsoft says that even if the user's password contains a banned word, the password change will be accepted if it is compliant with password policy complexity :)

 

Does anyone have the experience?

 

Thanks in advance!

Farhad

@FKH900

2 Replies

@fkh090 - Refer to the "Score Calculation" section in this article: Password protection in Azure Active Directory - Microsoft Entra | Microsoft Learn. Even if you have a banned word in your password, you may get an acceptable password if you have additional characters in your password that bring your score up to 5.

Example:

Banned Word: Password

Password: Password1! (Score: 3 -> Rejected)

Password: P@ssword (Score: 1 -> Rejected)

Password: Passw0rd1!@#$% (Score: 7 -> Accepted)
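
The score calculation referenced in the reply above, as an added example that is not part of the thread and not Microsoft's code. It is a simplified model that assumes the character substitutions listed in the Microsoft Learn article (0→o, 1→l, $→s, @→a) and leaves out fuzzy matching and the global banned list; the function names are hypothetical.

```python
# Simplified model of the documented scoring (assumption, not Microsoft's code):
# normalize the password, count each banned term found as 1 point, count every
# remaining character as 1 point, and accept only when the total is at least 5.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5


def normalize(password):
    """Lowercase and undo the common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password, banned_terms):
    """Return the point total for a password against a custom banned list."""
    text = normalize(password)
    # Try longer banned terms first so overlapping terms match greedily.
    terms = sorted({normalize(t) for t in banned_terms if t}, key=len, reverse=True)
    points = 0
    i = 0
    while i < len(text):
        match = next((t for t in terms if text.startswith(t, i)), None)
        points += 1                      # one point per banned term or per character
        i += len(match) if match else 1  # skip the whole term when one matched
    return points


def evaluate(password, banned_terms):
    """Return (score, accepted) for a candidate password."""
    total = score(password, banned_terms)
    return total, total >= MIN_SCORE


if __name__ == "__main__":
    # The three passwords from the reply, with "Password" as the banned word,
    # plus one constructed case with two banned terms.
    for candidate, banned in [
        ("Password1!", ["Password"]),
        ("P@ssword", ["Password"]),
        ("Passw0rd1!@#$%", ["Password"]),
        ("C0ntos0Blank12", ["contoso", "blank"]),  # constructed sample
    ]:
        total, accepted = evaluate(candidate, banned)
        print(f"{candidate!r}: score {total} -> {'Accepted' if accepted else 'Rejected'}")
```

Running a candidate password and the tenant's custom banned list through `evaluate` shows whether an accepted password reached 5 points through extra characters rather than bypassing the filter.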