Azure AD Password Protection

Azure AD Password Protection is an interesting feature. It helps secure your authentication by denying weak passwords. Microsoft frequently updates a list of weak passwords; when you enable this feature, a user's password is denied if it is on that list. The check is performed when the password is changed by the user or reset by IT admins.


Azure AD Password Protection has the following prerequisites.

  • Windows Server 2012 R2 or above
  • .NET Framework 4.7.2 for the Azure AD Password Protection proxy
  • It is recommended to migrate your SYSVOL replication to DFSR (FRS to DFSR)
  • All Azure AD Password Protection proxies must allow domain controllers to log on to the proxy service. You need to configure the "Access this computer from the network" group policy setting.
  • The Azure AD account must be a Global administrator or Security administrator
  • Be careful: Azure AD Proxy and the Azure AD Password Protection proxy must not be installed on the same server.

Install the proxy

Download the setup file from the Microsoft website. It is recommended to use two proxy servers.

If your firewall is disabled, enable it for the installation. You can disable it again after installation. You can install the proxy service silently with the following command:

AzureADPasswordProtectionProxySetup.exe /quiet

From the proxy server, run AzureADPasswordProtectionProxySetup.exe. A wizard appears; check "I agree to the license terms and conditions", then click Install.

Azure AD Password Protection - Install proxy services

The installation of the proxy service begins. Click Close when it is finished.

Azure AD Password Protection - Close installation

The Azure AD Password Protection Proxy service must be in the Running state. You can check the state of the service with the following command:

Import-Module AzureADPasswordProtection
Get-Service AzureADPasswordProtectionProxy | fl
Azure AD Password Protection - Test the service state

Run this command once to register your AD forest. Internet Explorer Enhanced Security Configuration must be disabled, and your AD user account must have Domain Admin rights.

My Azure AD administrator is a cloud account, so I need to use my Active Directory administrator account. In this case -ForestCredential $(Get-Credential) must be used. Run the following command on the proxy server:

Register-AzureADPasswordProtectionForest -AccountUpn '' -forestcredential $(Get-Credential)

The proxy service must be registered in Azure AD. This operation takes time; if you don't get any errors, it's OK. You need to run the command on every proxy server. Please note that Internet Explorer Enhanced Security Configuration must be disabled.

Register-AzureADPasswordProtectionProxy -AccountUpn '' 
Register server

RPC uses a dynamic port, but you can configure a static port with the following command:

Set-AzureADPasswordProtectionProxyConfiguration -StaticPort <portnumber>

Once the server has been registered, you can install the domain controller agent.

Install DC Agent

Be careful: the domain controller must be restarted after installation. Run the AzureADPasswordProtectionDCAgentSetup.msi file. If you want to install the agent silently, use the following command:

msiexec.exe /i AzureADPasswordProtectionDCAgentSetup.msi /quiet /qn /norestart

Check "I accept the terms in the License Agreement", then click Install.

Install DC Agent

Click Finish and restart the domain controller. After the restart, run the following command to verify the agent configuration.

verify agent configuration
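As an added example (not from the original post), the following script checks every registered DC agent and flags stale heartbeats or a missing or old Azure password policy. It assumes the AzureADPasswordProtection module is installed and that Get-AzureADPasswordProtectionDCAgent returns objects with the ServerFQDN, SoftwareVersion, PasswordPolicyDateUTC and HeartbeatUTC properties; the thresholds are constructed values.

```powershell
# Added example: verify the DC agent on each domain controller.
# Assumed property names: ServerFQDN, SoftwareVersion, PasswordPolicyDateUTC,
# HeartbeatUTC (from the AzureADPasswordProtection module output).
Import-Module AzureADPasswordProtection

$maxHeartbeatAge = New-TimeSpan -Hours 1    # constructed threshold
$maxPolicyAge    = New-TimeSpan -Days 7     # constructed threshold
$now = (Get-Date).ToUniversalTime()

Get-AzureADPasswordProtectionDCAgent | ForEach-Object {
    $agent  = $_
    $issues = @()

    if (-not $agent.HeartbeatUTC) {
        $issues += 'no heartbeat recorded'
    } elseif (($now - [datetime]$agent.HeartbeatUTC) -gt $maxHeartbeatAge) {
        $issues += "heartbeat older than $($maxHeartbeatAge.TotalHours)h"
    }

    # A DC with no policy date has never downloaded the Azure policy, so the
    # portal settings (audit or enforced) are not applied on that DC yet.
    if (-not $agent.PasswordPolicyDateUTC) {
        $issues += 'no password policy downloaded yet'
    } elseif (($now - [datetime]$agent.PasswordPolicyDateUTC) -gt $maxPolicyAge) {
        $issues += "policy older than $($maxPolicyAge.TotalDays) days"
    }

    [pscustomobject]@{
        DomainController = $agent.ServerFQDN
        Version          = $agent.SoftwareVersion
        PolicyDateUTC    = $agent.PasswordPolicyDateUTC
        HeartbeatUTC     = $agent.HeartbeatUTC
        Status           = if ($issues) { 'CHECK: ' + ($issues -join '; ') } else { 'OK' }
    }
} | Format-Table -AutoSize
```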

Enable password protection

From the Azure AD portal, click Azure Active Directory, Security, then Authentication methods.

Enable Password Protection

Click Password Protection, then enable the "Enable password protection on Windows Server Active Directory" option.

Enable password protection policy

Click Save.

Test Azure AD Password Protection

From Active Directory Users and Computers, select the desired user and reset their password.

Select AD user to modify

Open Event Viewer and expand Applications and Services Logs, Microsoft, AzureADPasswordProtection, then DCAgent. Select the Admin log; you will see a new event. It indicates that the password would normally have been rejected because it does not comply with the Azure password policy, but that it was accepted because audit mode is configured.

Event in event viewer

In the Azure portal, enable Enforced mode to block all passwords that do not comply with the password policy. Click Save.

enable enforced mode

The policy download can take a few hours. Once it is in place, a password reset is not allowed if the new password is a weak one.

Password is denied if it is a weak password

You can run the following command to view the summary report for a domain controller.

Get-AzureADPasswordProtectionSummaryReport -DomainController DomainControllerName
create protection summary

List of events

The following list contains the different events for Azure AD Password Protection.

  • Success – Event ID: 10014 and 10015
  • Failed (due to client password policy) – Event ID: 10016, 30002, 10017, 30003
  • Failed (due to Microsoft password policy) – Event ID: 10016, 30004, 10017, 30005
  • Failed (due to combined Microsoft and client password policies) – Event ID: 10016, 30026, 10017, 30027
  • Failed (because of the username) – Event ID: 10016, 30021, 10017, 30022
  • Audit success only (would have failed with client password policy) – Event ID: 10024, 30008, 10025, 30007
  • Audit success only (would have failed with Microsoft password policy) – Event ID: 10024, 30010, 10025, 30009
  • Audit success only (would have failed with combined Microsoft and client password policies) – Event ID: 10024, 30028, 10025, 30029
  • Audit success only (would have failed because of the username) – Event ID: 10016, 30024, 10017, 30023
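As an added example (not from the original post), the following script summarises the DC agent log using the event IDs listed above, so that audit-only "would have failed" events can be compared with real rejections before switching from audit to Enforced mode. It assumes the log name Microsoft-AzureADPasswordProtection-DCAgent/Admin (the Event Viewer path used in this post) and a constructed 7-day lookback.

```powershell
# Added example: count Azure AD Password Protection outcomes on this DC.
# Assumed log name (Admin channel under Microsoft/AzureADPasswordProtection/DCAgent).
$logName = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
$since   = (Get-Date).AddDays(-7)   # constructed lookback window

# Event ID -> outcome, built from the list of events in the post.
$outcome = @{
    10014 = 'Success (change)';         10015 = 'Success (set)'
    10016 = 'Rejected (change)';        10017 = 'Rejected (set)'
    10024 = 'Audit only (change)';      10025 = 'Audit only (set)'
    30002 = 'Client policy';            30003 = 'Client policy'
    30004 = 'Microsoft policy';         30005 = 'Microsoft policy'
    30026 = 'Combined policy';          30027 = 'Combined policy'
    30021 = 'Username';                 30022 = 'Username'
    30008 = 'Audit: client policy';     30007 = 'Audit: client policy'
    30010 = 'Audit: Microsoft policy';  30009 = 'Audit: Microsoft policy'
    30028 = 'Audit: combined policy';   30029 = 'Audit: combined policy'
    30024 = 'Audit: username';          30023 = 'Audit: username'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Per-event-ID counts with a readable label.
$events |
    Where-Object { $outcome.ContainsKey($_.Id) } |
    Group-Object -Property Id |
    ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Outcome = $outcome[[int]$_.Name]
            Count   = $_.Count
        }
    } |
    Sort-Object EventId |
    Format-Table -AutoSize

# Audit-only events versus accepted ones: a high audit-only count means many
# users would be blocked once Enforced mode is enabled in the portal.
$auditOnly = ($events | Where-Object { $_.Id -in 10024, 10025 }).Count
$accepted  = ($events | Where-Object { $_.Id -in 10014, 10015 }).Count
"Audit-only (would have failed): $auditOnly   Accepted: $accepted"
```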
