Configure Azure AD Password Protection for on-premises

Azure Active Directory is excellent when you want to protect the organization from weak user passwords. That’s because Microsoft constantly analyzes Azure AD security telemetry data looking for commonly used weak or compromised passwords, and maintains a list of globally banned passwords in Azure AD. In this article, you will learn how to configure and enable Azure AD Password Protection for Windows Server Active Directory so that weak passwords can no longer be set in your on-premises domain.

Introduction

In Active Directory, you can enable GPOs that can help you to implement strong passwords in the organization, like:

  1. Minimum password length
  2. Minimum password age
  3. Maximum password age
  4. Password must meet complexity requirements
  5. Enforce password history

That doesn’t mean the organization is protected against attacks. Administrators and users can still choose passwords that satisfy every one of those rules but are well-known (commonly used) passwords, which you don’t want!

There are thousands of well-known passwords that users use daily. Some well-known passwords are:

  • Welcome01!
  • P@ssw0rd1234
  • FerrariRed!@

That’s when Azure AD Password Protection is an excellent feature to deploy in Azure AD and on-premises AD. So let’s learn a little bit more about that.

Azure AD Password Protection

Much security guidance recommends that you don’t use the same password in multiple places, that you make it complex, and that you avoid simple passwords like Password123. You can provide your users with guidance on how to choose passwords, but weak or insecure passwords are often still used. Azure AD Password Protection detects and blocks known weak passwords and their variants. It can also block additional weak terms that are specific to your organization.

Azure AD Password Protection license

See the below table for Azure AD Password Protection licensing.

Users                                     | Azure AD Password Protection with global banned password list | Azure AD Password Protection with custom banned password list
Cloud-only users                          | Azure AD Free                                                 | Azure AD Premium P1 or P2
Users synchronized from on-premises AD DS | Azure AD Premium P1 or P2                                     | Azure AD Premium P1 or P2

In other words, Azure AD Password Protection for users synchronized from on-premises Active Directory Domain Services (AD DS), which is what this article covers, requires Azure AD Premium P1 or P2.

Azure AD Password Protection diagram

The following diagram shows how the basic components of Azure AD Password Protection work together in an on-premises Active Directory environment.

  1. A user requests a password change on a Domain Controller.
  2. The DC Agent password filter DLL receives the password validation request from the OS and forwards it to the Azure AD Password Protection DC Agent Service, installed on the DC. The agent then validates whether the password complies with the locally stored Azure password policy.
  3. Every hour, the agent on the DC locates the Azure AD Password Protection Proxy Service via the SCP (Service Connection Point) in the forest and downloads a fresh copy of the Azure password policy.
  4. The agent on the DC receives the new version of the Azure password policy from the proxy service and stores it in Sysvol, so that the new policy replicates to all other DCs in the same domain.
Configure Azure AD Password Protection for on-premises diagram

The Azure Password policies are stored in Sysvol.

Configure Azure AD Password Protection for on-premises sysvol

How to configure Azure AD Password Protection

We will go through the steps below and ensure that everything is in place before we enable Azure AD Password Protection for on-premises Active Directory.

Enable Azure AD password write back

Read more in the article: Enable Self-Service Password Reset.

Ensure that you see the message “Your on-premises writeback client is up and running” and that the option “Write back passwords to your on-premises directory” is enabled.

Configure Azure AD Password Protection for on-premises password writeback

Download Azure AD Password Protection required software

There are two required installers for an on-premises Azure AD Password Protection deployment:

  • Azure AD Password Protection proxy (AzureADPasswordProtectionProxySetup.msi)
  • Azure AD Password Protection DC agent (AzureADPasswordProtectionDCAgentSetup.msi)

Download both installers from the Microsoft Download Center.

Configure Azure AD Password Protection for on-premises download installers

Now that we have both the required installers, we can go to the next step.

Azure AD Password Protection proxy service prerequisites

The following requirements apply to the Azure AD Password Protection proxy service:

  • Windows Server 2012 R2 or later.
  • .NET Framework 4.7.2 or later installed.
  • Do not install on a RODC (Read-Only Domain Controller).
  • Allow outbound HTTP traffic over TLS 1.2 (HTTPS, TCP port 443).
  • A Global Administrator account is required to register the Azure AD Password Protection proxy service for the first time in a given tenant.
  • Network access to the endpoints: https://login.microsoftonline.com and https://enterpriseregistration.windows.net.

The Azure AD Password Protection proxy service upgrades automatically. The automatic upgrade uses the Microsoft Azure AD Connect Agent Updater service, which is installed side by side with the proxy service.

Install and configure Azure AD Password Protection proxy service

Install the Azure AD Password Protection proxy service on a member server in your on-premises AD DS environment; a dedicated member server for the proxy service is also fine. Once installed, the Azure AD Password Protection proxy service communicates with Azure AD to maintain a copy of the global and custom banned password lists for your Azure AD tenant.

Note: Do not install the proxy service on a Domain Controller (DC) or Read-Only Domain Controller (RODC).

We recommend at least two Azure AD Password Protection proxy servers per forest for redundancy. In our example, we will install it on the member server AP-01 (application server).

Place the AzureADPasswordProtectionProxySetup.msi in the C:\install folder. Then, run Command Prompt as administrator and start the installer AzureADPasswordProtectionProxySetup.msi.

C:\>cd C:\install
C:\Install>AzureADPasswordProtectionProxySetup.msi

Go through the Azure AD Password Protection Proxy Setup and click on Finish.

Proxy setup complete

Verify that the Azure AD Password Protection Proxy Setup is showing in Programs and Features.

Configure Azure AD Password Protection for on-premises proxy verify

Run Windows PowerShell (64-bit) as administrator. Import the module AzureADPasswordProtection.

PS C:\> Import-Module AzureADPasswordProtection

Check that the Azure AD Password Protection proxy service is running. The result will show a Status of Running.

PS C:\> Get-Service AzureADPasswordProtectionProxy | fl


Name                : AzureADPasswordProtectionProxy
DisplayName         : Azure AD Password Protection Proxy
Status              : Running
DependentServices   : {}
ServicesDependedOn  : {SAMSS, KEYISO, RPCSS}
CanPauseAndContinue : False
CanShutdown         : False
CanStop             : True
ServiceType         : Win32OwnProcess

The proxy service is running on the machine but doesn’t have credentials to communicate with Azure AD. Register the Azure AD Password Protection proxy server with Azure AD using your Global Administrator credentials. Do that on every Azure AD Password Protection proxy server.

Note: There might be a noticeable delay after you run the below cmdlet for the first time. Unless a failure is reported, don’t worry about this delay.

PS C:\> Register-AzureADPasswordProtectionProxy -AccountUpn 'admin@exoip.com'

Register the on-premises Active Directory forest with the necessary credentials to communicate with Azure by using the Register-AzureADPasswordProtectionForest PowerShell cmdlet.

Note: If multiple Azure AD Password Protection proxy servers are installed in your environment, it doesn’t matter which proxy server you use to register the forest. This step is run once per forest.

The cmdlet requires either Global Administrator or Security Administrator credentials for your Azure tenant. It also requires on-premises Active Directory Enterprise Administrator privileges. You must also run this cmdlet using an account with local administrator privileges. The Azure account used to register the forest may be different from the on-premises Active Directory account.

Note: There might be a noticeable delay after you run the below cmdlet for the first time. Unless a failure is reported, don’t worry about this delay.

PS C:\> Register-AzureADPasswordProtectionForest -AccountUpn 'admin@exoip.com'

Azure AD Password Protection Audit mode

Verify that Azure AD Password Protection is set on Audit mode before going to the next step and installing the Azure AD Password Protection DC agent service. By default, it’s set to Audit mode.

Note: If Azure AD Password Protection is set to Audit mode, the attempt will only be logged (event log).

Sign in to the Azure portal. Navigate to Azure Active Directory > Security > Authentication methods > Password protection. Another way is to search at the top for Azure AD Password Protection.

We recommend enabling Enforce custom list and adding your company name to the custom banned password list. Ensure that the mode is set to Audit. Click Save.

Configure Azure AD Password Protection for on-premises audit mode

Azure AD Password Protection DC agent prerequisites

The following requirements apply to the Azure AD Password Protection DC agent:

  • Windows Server 2012 R2 or later.
  • .NET Framework 4.7.2 or later installed.
  • Do not install on a RODC (Read-Only Domain Controller).
  • Distributed File System Replication (DFSR) for Sysvol replication. If your domain isn’t already using DFSR, you must migrate from FRS (File Replication Service, the predecessor to DFSR) to DFSR before installing Azure AD Password Protection.
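
The following PowerShell script is an added example (not from the original article) that checks the prerequisite lists for both the proxy service and the DC agent on the machine where you intend to install them. The thresholds come from the lists above; the .NET Framework release value (461808 = 4.7.2) and the dfsrmig command are standard Windows facts. The function name Test-AadppPrerequisite is hypothetical, and the endpoint check only proves TCP reachability on port 443, not that TLS 1.2 negotiates.

```powershell
function Test-AadppPrerequisite {
    # Added example: prerequisite check for Azure AD Password Protection components.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Proxy', 'DCAgent')]
        [string]$Role
    )

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
    }

    # Windows Server 2012 R2 is NT 6.3; every later release reports a higher version.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Add-Result 'Windows Server 2012 R2 or later' ([version]$os.Version -ge [version]'6.3') $os.Caption

    # .NET Framework 4.7.2 writes Release 461808 (or higher) under NDP\v4\Full.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    Add-Result '.NET Framework 4.7.2 or later' ([int]$ndp.Release -ge 461808) "Release=$($ndp.Release)"

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC, lower = member/standalone.
    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc   = $domainRole -ge 4
    $isRodc = $false
    if ($isDc) {
        # ActiveDirectory module is present on every DC.
        $isRodc = (Get-ADDomainController -Identity $env:COMPUTERNAME).IsReadOnly
    }
    Add-Result 'Not a read-only domain controller' (-not $isRodc) "DomainRole=$domainRole"

    if ($Role -eq 'Proxy') {
        # The proxy belongs on a member server, never on a DC.
        Add-Result 'Not a domain controller' (-not $isDc) "DomainRole=$domainRole"
        foreach ($endpoint in 'login.microsoftonline.com', 'enterpriseregistration.windows.net') {
            $tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
            Add-Result "Outbound TCP 443 to $endpoint" $tcp.TcpTestSucceeded "RemoteAddress=$($tcp.RemoteAddress)"
        }
    }
    else {
        # The DC agent needs a writable DC whose Sysvol is replicated by DFSR, not FRS.
        Add-Result 'Writable domain controller' ($isDc -and -not $isRodc) "DomainRole=$domainRole"
        if ($isDc) {
            # dfsrmig /getglobalstate reports 'Eliminated' once the FRS-to-DFSR migration is complete
            # (a domain created at the 2008+ functional level is already in that state).
            $state = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '
            Add-Result 'Sysvol replicated by DFSR' ($state -match 'Eliminated') $state.Trim()
        }
    }
    return $results
}

# Usage: run on the candidate server, then fix anything that shows Passed = False.
Test-AadppPrerequisite -Role DCAgent | Format-Table -AutoSize
```

Run it with -Role Proxy on the intended proxy member server and with -Role DCAgent on each domain controller before starting the installers.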

The Azure AD Password Protection DC agent does not upgrade automatically. Instead, a manual upgrade is accomplished by running the latest version of the AzureADPasswordProtectionDCAgentSetup.msi software installer. The latest version of the software is available on the Microsoft Download Center.

Install Azure AD Password Protection DC agent service

Install Azure AD Password Protection DC agent service on the on-premises Domain Controllers. In our example, we only have one domain controller in the organization.

Place the AzureADPasswordProtectionDCAgentSetup.msi in the C:\install folder on the Domain Controller. Then, run Command Prompt as administrator and start the installer AzureADPasswordProtectionDCAgentSetup.msi.

C:\>cd C:\install
C:\Install>AzureADPasswordProtectionDCAgentSetup.msi

Go through the installation wizard and click on Finish.

DC agent setup complete

Click on Yes to restart the Domain Controller. If you only have one DC in the environment, schedule the restart for a maintenance window, because the domain is unavailable while it reboots.

Restart DC after DC agent setup completion

Verify that the Azure AD Password Protection DC Agent is showing in Programs and Features.

Configure Azure AD Password Protection for on-premises agent verify

Run Windows PowerShell (64-bit) as administrator. Check on which Domain Controllers the Azure AD Password Protection DC Agent is installed.

PS C:\> Get-AzureADPasswordProtectionDCAgent


ServerFQDN            : DC01-2016.exoip.local
SoftwareVersion       : 1.2.176.0
Domain                : exoip.local
Forest                : exoip.local
PasswordPolicyDateUTC : 1/1/0001 12:00:00 AM
HeartbeatUTC          : 10/3/2021 4:27:51 PM
AzureTenant           :

Verify Azure AD Password Protection Audit mode

Once Azure AD Password Protection is running in Audit mode for on-premises Active Directory, an event is logged every time a password is reset or changed. For example, it shows whether new passwords set by administrators, the helpdesk, or the users themselves were rejected or accepted.

To see it in action and verify that it’s working, let’s reset a password in Active Directory for a test user. First, set a strong password. After that, reset the password again, but this time with a weak password.

Azure AD Password Protection DC agent event logs

Start Event Viewer on the Domain Controller. Navigate to Applications and Services Logs > Microsoft > AzureADPasswordProtection > DCAgent > Admin.

Azure password policy rejects password

When Azure rejects the password, it will show the event ID 10025 and event ID 30009.

Event 10025, DCAgent
The reset password for the specified user would normally have been rejected because it did not comply with the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted. Please see the correlated event log message for more details.

Configure Azure AD Password Protection for on-premises event 10025

Event 30009, DCAgent
The reset password for the specified user would normally have been rejected because it matches at least one of the tokens present in the Microsoft global banned password list of the current Azure password policy. The current Azure password policy is configured for audit-only mode so the password was accepted.

Configure Azure AD Password Protection for on-premises event 30009

Azure password policy accepts password

When Azure validates the password as compliant, it will show the event ID 10015.

Event 10015, DCAgent
The reset password for the specified user was validated as compliant with the current Azure password policy.

Configure Azure AD Password Protection for on-premises event 10015

Azure AD Password Protection summary report

Get a summary report showing, per Domain Controller, how many password sets and password changes were validated, how many were rejected, and how many would have been rejected in Audit mode (the AuditOnlyFailures counters).

PS C:\> Get-AzureADPasswordProtectionSummaryReport


DomainController                : DC01-2016.exoip.local
PasswordChangesValidated        : 0
PasswordSetsValidated           : 4
PasswordChangesRejected         : 0
PasswordSetsRejected            : 0
PasswordChangeAuditOnlyFailures : 0
PasswordSetAuditOnlyFailures    : 3
PasswordChangeErrors            : 0
PasswordSetErrors               : 0

The next step, which is the last step, is to switch from Audit mode to Enforced mode.

Enforce Azure AD Password Protection

Sign in to the Azure portal. Navigate to Azure Active Directory > Security > Authentication methods > Password protection. Another way is to search at the top for Azure AD Password Protection.

Note: If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged.

Enable the mode Enforce. Click Save.

Configure Azure AD Password Protection for on-premises enforced mode

You have successfully configured Azure AD Password Protection for Windows Server Active Directory.

Read more: Force password sync with Azure AD Connect

Conclusion

You learned how to configure Azure AD Password Protection for on-premises Active Directory. First, follow the steps to configure Azure AD Password Protection in Audit mode. Then, after everything is in place and you are satisfied, switch from Audit mode to Enforced.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.
