Azure AD Password Protection
Azure AD Password Protection is an interesting feature. It helps secure your authentication by denying simple passwords. Microsoft maintains a list of simple passwords and updates it frequently. When you enable this feature, a new password is rejected if it appears on that list. The check is performed whenever a user changes their password or an IT admin resets it.
Prerequisites
Azure AD Password Protection has the following prerequisites.
- Windows Server 2012 R2 or above
- .NET Framework 4.7.2 for the Azure AD Password Protection proxy
- It is recommended to migrate your SYSVOL replication from FRS to DFSR
- Every Azure AD Password Protection proxy server must allow domain controllers to log on to the proxy service; configure this through the Access this computer from the network group policy setting.
- The Azure AD account must be a Global administrator or Security administrator
- Be careful: the Azure AD Application Proxy and the Azure AD Password Protection proxy must not be installed on the same server.
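The following PowerShell script is an added example (not part of the original post) that checks the server-side prerequisites above before the proxy is installed: OS build, .NET Framework 4.7.2 (detected through the documented Release registry value, 461808 or higher), the absence of the Azure AD Application Proxy connector (assumed service name WAPCSvc) and the state of the Windows firewall. The SYSVOL replication and group policy prerequisites are domain-side settings and are not checked here.

```powershell
# Added example, not from the original post: prerequisite checks for a
# future Azure AD Password Protection proxy server.
# Assumptions: .NET 4.7.2+ is detected via the "Release" registry value
# (461808 or higher); the Azure AD Application Proxy connector runs as WAPCSvc.

function Test-PasswordProtectionProxyPrerequisites {
    $results = [ordered]@{}

    # Windows Server 2012 R2 is build 9600; any newer build also passes.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['OS build 9600 (2012 R2) or newer'] = ([int]$os.BuildNumber -ge 9600)

    # .NET Framework 4.7.2 and later write Release >= 461808 under NDP\v4\Full.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue
    $results['.NET Framework 4.7.2 or later'] = ($null -ne $ndp -and [int]$ndp.Release -ge 461808)

    # The Application Proxy connector must not share the box with this proxy.
    $appProxy = Get-Service -Name 'WAPCSvc' -ErrorAction SilentlyContinue
    $results['No Azure AD Application Proxy connector installed'] = ($null -eq $appProxy)

    # The Windows firewall should be enabled on all profiles during installation.
    $disabledProfiles = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
    $results['Windows firewall enabled on all profiles'] = ($disabledProfiles.Count -eq 0)

    # One row per check so the output can be filtered, e.g. Where-Object { -not $_.Passed }.
    foreach ($name in $results.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $results[$name] }
    }
}

Test-PasswordProtectionProxyPrerequisites | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the candidate proxy server; any row with Passed = False should be fixed before launching the installer.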
Install the proxy
Download the setup file from the Microsoft website. It is recommended to deploy two proxy services.
If the Windows firewall is disabled, enable it for the installation; you can disable it again afterwards. You can install the proxy service silently with the following command:
AzureADPasswordProtectionProxySetup.exe /quiet
From the proxy server, run AzureADPasswordProtectionProxySetup.exe. A wizard appears; check I agree to the license terms and conditions, then click Install.
The installation of the proxy service begins. Click Close when it is finished.
The Azure AD Password Protection Proxy service must be Running. You can check the state of the service with the following commands:
Import-Module AzureADPasswordProtection
Get-Service AzureADPasswordProtectionProxy | fl
Run this command once to register your AD forest. Internet Explorer Enhanced Security Configuration must be disabled, and your AD user account must have Domain Admin rights.
My Azure AD administrator is a cloud account, so I need to use my Active Directory administrator account. In this case -ForestCredential $(Get-Credential) must be used. Run the following command on the proxy server:
Register-AzureADPasswordProtectionForest -AccountUpn 'yourglobaladmin@yourtenant.onmicrosoft.com' -forestcredential $(Get-Credential)
The proxy service must be registered with Azure AD. This operation takes time; if you don't get any errors, it is OK. You need to run the command on every proxy server. Note that Internet Explorer Enhanced Security Configuration must be disabled.
Register-AzureADPasswordProtectionProxy -AccountUpn 'yourglobaladmin@yourtenant.onmicrosoft.com'
RPC uses a dynamic port, but you can configure a static port with the following command:
Set-AzureADPasswordProtectionProxyConfiguration -StaticPort <portnumber>
Once the server has been registered, you can install the domain controller agent.
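The registration steps above, collected into one PowerShell script as an added example (these are not the post's own commands). The UPN, the port number and the verification cmdlets Get-AzureADPasswordProtectionProxy and Get-AzureADPasswordProtectionProxyConfiguration from the AzureADPasswordProtection module are assumptions; the property name ServerFQDN on the proxy listing is also assumed.

```powershell
# Added example, not from the original post: forest registration (once per forest),
# proxy registration (once per proxy server), optional static RPC port, then verification.
# Assumptions: placeholder UPN below; $RegisterForest is $true only on the first proxy;
# Get-AzureADPasswordProtectionProxy exposes a ServerFQDN property.

$GlobalAdminUpn = 'yourglobaladmin@yourtenant.onmicrosoft.com'   # placeholder, replace
$StaticPort     = 0        # 0 keeps dynamic RPC ports; set e.g. 20000 to pin one
$RegisterForest = $true    # only the first proxy server in the forest needs this

Import-Module AzureADPasswordProtection -ErrorAction Stop

if ($RegisterForest) {
    # The Azure AD admin is a cloud-only account, so an on-premises Domain Admin
    # credential is passed separately through -ForestCredential.
    $forestCred = Get-Credential -Message 'On-premises Domain Admin account for forest registration'
    Register-AzureADPasswordProtectionForest -AccountUpn $GlobalAdminUpn -ForestCredential $forestCred
}

# Every proxy server is registered individually; an interactive Azure AD sign-in follows.
Register-AzureADPasswordProtectionProxy -AccountUpn $GlobalAdminUpn

if ($StaticPort -gt 0) {
    Set-AzureADPasswordProtectionProxyConfiguration -StaticPort $StaticPort
    # The service reads the port at start-up, so restart it for the change to apply.
    Restart-Service -Name AzureADPasswordProtectionProxy
}

# Verification: service state, effective proxy configuration and the registration
# of this host as seen from Azure AD / the forest service connection points.
$service = Get-Service -Name AzureADPasswordProtectionProxy
$config  = Get-AzureADPasswordProtectionProxyConfiguration
$thisProxy = Get-AzureADPasswordProtectionProxy |
    Where-Object { $_.ServerFQDN -like "$env:COMPUTERNAME.*" }

[pscustomobject]@{
    ServiceStatus   = $service.Status
    StaticPort      = $config.StaticPort
    RegisteredProxy = [bool]$thisProxy
} | Format-List
```

Run it in an elevated session on each proxy server; RegisteredProxy should be True and ServiceStatus Running before moving on to the domain controller agent.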
Install DC Agent
Be careful: the domain controller must be restarted after installation. Run the AzureADPasswordProtectionDCAgentSetup.msi file. If you want to install the agent silently, use the following command:
msiexec.exe /i AzureADPasswordProtectionDCAgentSetup.msi /quiet /qn /norestart
Check I accept the terms in the License Agreement, then click Install.
Click Finish and restart the domain controller. After the restart, run the following command to verify the agent configuration:
Get-AzureADPasswordProtectionDCAgent
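The silent install and the post-restart check above, as an added PowerShell example (not the post's own script). The MSI and log paths are placeholders; the exit-code handling follows the standard msiexec convention (0 = success, 3010 = success, restart required), and the DC agent service name AzureADPasswordProtectionDCAgent and the ServerFQDN / PasswordPolicyDateUTC / HeartbeatUTC properties of Get-AzureADPasswordProtectionDCAgent are assumptions to adjust to the installed version.

```powershell
# Added example, not from the original post: silent DC agent install with
# exit-code handling, followed by a verification function to run after the restart.
# Assumptions: placeholder paths; service name AzureADPasswordProtectionDCAgent;
# agent object properties ServerFQDN, PasswordPolicyDateUTC and HeartbeatUTC.

$Msi = 'C:\Install\AzureADPasswordProtectionDCAgentSetup.msi'   # placeholder path
$Log = 'C:\Install\DCAgentInstall.log'                            # placeholder path

function Install-PasswordProtectionDCAgent {
    # /norestart keeps control here so the restart can be scheduled deliberately.
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList "/i `"$Msi`" /quiet /qn /norestart /l*v `"$Log`""

    switch ($proc.ExitCode) {
        0    { 'Installed. Restart the domain controller before expecting the agent to work.' }
        3010 { 'Installed. Windows reports that a restart is required (exit code 3010).' }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $Log" }
    }
}

function Test-PasswordProtectionDCAgent {
    # Run after the restart: service state plus the agent's own registration record.
    Import-Module AzureADPasswordProtection -ErrorAction Stop
    $service = Get-Service -Name AzureADPasswordProtectionDCAgent
    $agent   = Get-AzureADPasswordProtectionDCAgent |
        Where-Object { $_.ServerFQDN -like "$env:COMPUTERNAME.*" }

    [pscustomobject]@{
        ServiceStatus = $service.Status
        Registered    = [bool]$agent
        PolicyDateUTC = $agent.PasswordPolicyDateUTC   # empty until a policy has been downloaded
        HeartbeatUTC  = $agent.HeartbeatUTC
    }
}

Install-PasswordProtectionDCAgent
# After the restart:
# Test-PasswordProtectionDCAgent | Format-List
```

A blank PolicyDateUTC after the restart is expected until the agent has pulled its first policy through the proxy; it is the value to watch while waiting for the policy download mentioned later in the post.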
Enable password protection
From the Azure AD portal, click Azure Active Directory, Security, then Authentication methods.
Click Password Protection, then enable the Enable password protection on Windows Server Active Directory option.
Click Save.
Test Azure AD Password Protection
From Active Directory Users and Computers, select the desired user and reset their password.
Open Event Viewer and expand Applications and Services Logs, Microsoft, AzureADPasswordProtection, then DCAgent. Select the Admin log; a new event is present. It indicates that the password would normally have been rejected because it does not comply with the Azure password policy, but it was accepted because audit mode is configured.
In the Azure portal, switch the mode to Enforced to block every password that does not respect the password policy. Click Save.
The policy download that follows can take a few hours. After that, a password reset is refused if the new password is a simple one.
You can run the following command to view the summary report for a domain controller:
Get-AzureADPasswordProtectionSummaryReport -DomainController DomainControllerName
List of event
The following list contains the different events for Azure AD Password Protection.
- Success – Event ID 10014 and 10015
- Failed (due to client password policy) – Event ID 10016, 30002, 10017, 30003
- Failed (due to Microsoft password policy) – Event ID 10016, 30004, 10017, 30005
- Failed (due to combined Microsoft and client password policies) – Event ID 10016, 30026, 10017, 30027
- Failed (because of the username) – Event ID 10016, 30021, 10017, 30022
- Audit success only (would have failed with client password policy) – Event ID 10024, 30008, 10025, 30007
- Audit success only (would have failed with Microsoft password policy) – Event ID 10024, 30010, 10025, 30009
- Audit success only (would have failed with combined Microsoft and client password policies) – Event ID 10024, 30028, 10025, 30029
- Audit success only (would have failed due to username) – Event ID 10016, 30024, 10017, 30023
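To turn the event list above, and the audit-mode check described in the test section, into something reusable, here is an added PowerShell example (not from the original post) that reads the DC agent Admin log and groups events into the categories listed. It assumes the log name Microsoft-AzureADPasswordProtection-DCAgent/Admin; the sample events at the end are constructed, not captured from a real domain controller, so the classifier can be tried offline.

```powershell
# Added example, not from the original post: classify Azure AD Password Protection
# DC agent events using the event ID groups from the list above.
# Assumption: the agent writes to Microsoft-AzureADPasswordProtection-DCAgent/Admin.

$PasswordProtectionEventMap = @{
    10014 = 'Success';                  10015 = 'Success'
    10016 = 'Failed';                   10017 = 'Failed'
    10024 = 'Audit-only pass';          10025 = 'Audit-only pass'
    30002 = 'Failed: client password policy';    30003 = 'Failed: client password policy'
    30004 = 'Failed: Microsoft password policy'; 30005 = 'Failed: Microsoft password policy'
    30026 = 'Failed: combined policies';         30027 = 'Failed: combined policies'
    30021 = 'Failed: username';                  30022 = 'Failed: username'
    30008 = 'Audit-only pass: client password policy';    30007 = 'Audit-only pass: client password policy'
    30010 = 'Audit-only pass: Microsoft password policy'; 30009 = 'Audit-only pass: Microsoft password policy'
    30028 = 'Audit-only pass: combined policies';         30029 = 'Audit-only pass: combined policies'
    30024 = 'Audit-only pass: username';                  30023 = 'Audit-only pass: username'
}

function Get-PasswordProtectionEvents {
    param([int]$Hours = 24)
    # Query the real DC agent Admin log on a domain controller.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

function Get-PasswordProtectionEventSummary {
    # Accepts Get-WinEvent output or any object with Id and TimeCreated properties.
    param([Parameter(ValueFromPipeline)]$Event)
    begin { $rows = @() }
    process {
        $category = $PasswordProtectionEventMap[[int]$Event.Id]
        if (-not $category) { $category = "Other ($($Event.Id))" }
        $rows += [pscustomobject]@{ Category = $category; Id = $Event.Id; Time = $Event.TimeCreated }
    }
    end {
        # Count per category; "Audit-only pass" rows are the ones that will become
        # rejections once the mode is switched from Audit to Enforced.
        $rows | Group-Object -Property Category | Sort-Object -Property Count -Descending |
            Select-Object @{ n = 'Category'; e = { $_.Name } }, Count
    }
}

# Constructed sample input (not captured from a real DC) for an offline run.
$sample = @(
    [pscustomobject]@{ Id = 10025; TimeCreated = Get-Date },
    [pscustomobject]@{ Id = 30009; TimeCreated = Get-Date },
    [pscustomobject]@{ Id = 10017; TimeCreated = Get-Date },
    [pscustomobject]@{ Id = 30005; TimeCreated = Get-Date },
    [pscustomobject]@{ Id = 10014; TimeCreated = Get-Date }
)
$sample | Get-PasswordProtectionEventSummary | Format-Table -AutoSize

# On a domain controller, run the same classifier over the real log:
# Get-PasswordProtectionEvents -Hours 24 | Get-PasswordProtectionEventSummary
```

While the policy is still in Audit mode, a growing count in the "Audit-only pass" categories tells you how many password changes would have been refused, which is the figure to review before switching to Enforced; the per-domain-controller summary report cmdlet from the post gives the same picture without the category split.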