Azure AD Password Protection is a feature that helps to protect your organization’s credentials by encrypting them and storing them in the cloud. This article will show you how to configure Azure AD password protection for on-premises.
Azure AD Password Protection for on-premises Active Directory is a way to keep weak, easily guessed passwords out of your company's Active Directory.
When you want to safeguard your company against weak user passwords, Azure Active Directory is a great option, because Microsoft continuously analyzes Azure AD security telemetry for commonly used weak or compromised passwords and maintains a global banned password list in Azure AD. In this article, you'll learn how to set up and use Azure AD Password Protection for Windows Server Active Directory to block the use of weak passwords in your on-premises environment.
Introduction
You can enable Group Policy settings in Active Directory to help enforce strong passwords in your company, such as:
- Minimum password length (at least eight characters)
- Minimum password age
- Maximum password age
- Password must meet complexity requirements
- Enforce password history
That doesn't mean you're safe from attacks: administrators and users can still create weak, well-known passwords that satisfy those rules, which you don't want.
Users pick from thousands of well-known passwords on a regular basis. The following are some examples:
- Welcome01!
- [email protected]
- [email protected]
That's why Azure AD Password Protection, in both Azure AD and on-premises AD, comes in handy. Let's find out a little more about it.
Azure AD Password Protection
Many security experts advise against reusing the same password across sites, recommend making passwords complex, and warn against easy passwords like Password123. Although you can instruct your users on how to pick passwords, weak or insecure passwords are still commonly used. Azure AD Password Protection detects and blocks known weak passwords and their variants. It can also block weak terms that are specific to your organization through a custom banned password list.
License for Azure Active Directory Password Protection
For Azure AD Password Protection licensing, see the table below.
Users | Azure AD Password Protection with global banned password list | Azure AD Password Protection with custom banned password list
---|---|---
Cloud-only users | Azure AD Free | Azure AD Premium P1 or P2
Users synchronized from on-premises AD DS | Azure AD Premium P1 or P2 | Azure AD Premium P1 or P2
For users synced from on-premises Active Directory Domain Services (AD DS), you’ll require Azure AD Premium P1 or P2.
Diagram of Azure Active Directory Password Protection
The figure below shows the basic components of Azure AD Password Protection in an on-premises Active Directory environment.
- A user sends a password change or reset request to a Domain Controller.
- The DC Agent password filter DLL forwards the password validation request from the operating system to the Azure AD Password Protection DC Agent service, which is installed on the DC. The agent then checks whether the password complies with the Azure password policy stored locally.
- Every hour, the DC agent locates the Azure AD Password Protection Proxy service in the forest through the Service Connection Point (SCP) and downloads a fresh copy of the Azure password policy.
- The DC agent receives the updated Azure password policy from the proxy service and stores it in Sysvol, so the new policy replicates to all other DCs in the domain.
Sysvol is where the Azure password policies are stored.
How to set up Azure Active Directory Password Protection
Before we enable Azure AD Password Protection for on-premises Active Directory, we'll go through the steps below to make sure everything is in place.
- Enable Azure AD password writeback.
- Enable self-service password reset (SSPR).
- Make sure your on-premises writeback client is up and running and that writing passwords back to your on-premises directory is turned on.
- Download the software required for Azure AD Password Protection.
For an on-premises Azure AD Password Protection setup, two installers are required:
- Proxy for Azure Active Directory Password Protection (AzureADPasswordProtectionProxySetup.msi)
- DC agent for Azure AD Password Protection (AzureADPasswordProtectionDCAgentSetup.msi)
Get both installers from the Microsoft Download Center.
Now that we have both installers, we can move on to the next step.
Prerequisites for the Azure AD Password Protection proxy service
The Azure AD Password Protection proxy service must meet the following requirements:
- Windows Server 2012 R2 or newer is required.
- .NET 4.7.2 or above must be installed.
- Installing on a read-only domain controller (RODC) is not recommended.
- Allow outbound HTTP traffic over TLS 1.2.
- To register the Azure AD Password Protection proxy service in a tenant for the first time, you need a Global Administrator account.
- Network access to two endpoints is required: https://login.microsoftonline.com and https://enterpriseregistration.windows.net.
The proxy service for Azure AD Password Protection is updated automatically. The Microsoft Azure AD Connect Agent Updater service, which is deployed with the proxy service, is used for the automated upgrading.
Install and configure the Azure AD Password Protection proxy service.
In your on-premises AD DS system, install the Azure AD Password Protection proxy service on a member server. For the proxy service, you may also utilize a dedicated member server. After being deployed, the Azure AD Password Protection proxy service interacts with Azure AD to keep a copy of your Azure AD tenant’s global and customer prohibited password lists.
Note: The proxy service should not be installed on a Domain Controller (DC) or a Read-Only Domain Controller (RODC).
For redundancy, we recommend at least two Azure AD Password Protection proxy servers per forest. In this example, we'll set it up on member server AP-01 (application server).
Save the AzureADPasswordProtectionProxySetup.msi file in the C:\install folder. Then start the installation of AzureADPasswordProtectionProxySetup.msi from a Command Prompt running as administrator.
C:\>cd C:\install
C:\install>AzureADPasswordProtectionProxySetup.msi
Click Finish after completing the Azure AD Password Protection Proxy Setup.
In Programs and Features, make sure Azure AD Password Protection Proxy is listed.
Run Windows PowerShell (64-bit) as administrator and import the AzureADPasswordProtection module.
PS C:\> Import-Module AzureADPasswordProtection
Make sure the Azure AD Password Protection proxy service is up and running. The Status in the output should be Running.
PS C:\> Get-Service AzureADPasswordProtectionProxy | fl
Name : AzureADPasswordProtectionProxy
DisplayName : Azure AD Password Protection Proxy
Status : Running
DependentServices : {}
ServicesDependedOn : {SamSS, KeyIso, RpcSs}
CanPauseAndContinue : False
CanShutdown : True
CanStop : True
ServiceType : Win32OwnProcess
The proxy service is running on the server, but it can't communicate with Azure AD yet because it has no credentials. Register the Azure AD Password Protection proxy server with Azure AD using your Global Administrator credentials. Repeat this step on every Azure AD Password Protection proxy server.
Note: The first time you run the cmdlet below, there may be a significant delay. Don't be concerned about the delay unless an error is reported.
PS C:\> Register-AzureADPasswordProtectionProxy -AccountUpn '[email protected]'
Use the Register-AzureADPasswordProtectionForest PowerShell cmdlet to configure the on-premises Active Directory forest with the credentials it needs to communicate with Azure.
If you have several proxy servers deployed in your environment, it doesn't matter which Azure AD Password Protection proxy server you use to register the forest. This step is performed once per forest.
The cmdlet requires either Global Administrator or Security Administrator credentials for your Azure tenant. It also requires Enterprise Administrator rights in the on-premises Active Directory, and it must be run by a user with local administrator rights. The Azure account used to register the forest does not have to be the same as the on-premises Active Directory account.
Note: The first time you run the cmdlet below, there may be a significant delay. Don't be concerned about the delay unless an error is reported.
PS C:\> Register-AzureADPasswordProtectionForest -AccountUpn '[email protected]'
Audit mode for Azure Active Directory Password Protection
Before moving on to the next step and deploying the Azure AD Password Protection DC agent service, make sure that Azure AD Password Protection is set to Audit mode. It is set to Audit mode by default.
In Audit mode, a password that would be rejected is still accepted; the attempt is only recorded in the event log.
Sign in to the Azure portal at https://portal.azurewebsites.com and go to Azure Active Directory > Security > Authentication methods > Password protection. Alternatively, search for Azure AD Password Protection at the top of the page.
We recommend enabling Enforce custom list and adding the company name to it. Make sure the mode is set to Audit. Click Save.
Prerequisites for the Azure AD Password Protection DC agent
The Azure AD Password Protection DC agent must meet the following requirements:
- Windows Server 2012 R2 or newer is required.
- .NET 4.7.2 or above must be installed.
- Installing on a read-only domain controller (RODC) is not recommended.
- Sysvol replication must use Distributed File System Replication (DFSR). If your domain still uses FRS (File Replication Service, the predecessor of DFSR), you must migrate to DFSR before deploying Azure AD Password Protection.
The Azure AD Password Protection DC agent does not update automatically. To update it manually, run the latest version of the AzureADPasswordProtectionDCAgentSetup.msi installer. The latest version is available from the Microsoft Download Center.
Install the DC agent service for Azure AD Password Protection.
On the on-premises Domain Controllers, install the Azure AD Password Protection DC agent service. In our case, the organization only has one domain controller.
Save the AzureADPasswordProtectionDCAgentSetup.msi file in the Domain Controller's C:\install folder. Then start the installation of AzureADPasswordProtectionDCAgentSetup.msi from a Command Prompt running as administrator.
C:\>cd C:\install
C:\install>AzureADPasswordProtectionDCAgentSetup.msi
Complete the installation process and then click Finish.
Choose Yes to restart the Domain Controller. If the environment has only one DC, schedule the restart instead.
In Programs and Features, make sure the Azure AD Password Protection DC Agent is listed.
Run Windows PowerShell (64-bit) as administrator. Check which Domain Controllers have the Azure AD Password Protection DC agent installed.
PS C:\> Get-AzureADPasswordProtectionDCAgent
ServerFQDN : DC01-2016.exoip.local
SoftwareVersion : 1.2.176.0
Domain : exoip.local
Forest : exoip.local
PasswordPolicyDateUTC : 1/1/0001 12:00:00 AM
HeartbeatUTC : 10/3/2021 4:27:51 PM
AzureTenant :
Examine the Azure Active Directory Password Protection Audit mode.
When Azure AD Password Protection runs in Audit mode for on-premises Active Directory, an event is logged every time a password is reset or changed. The event shows whether the new password set by an administrator, the helpdesk, or a user would have been rejected or was accepted.
To see it in action and verify that it works, let's reset the password of a test user in Active Directory. First set a strong password. Then reset the password again, this time with a weak password.
Event logs for the Azure AD Password Protection DC agent
On the Domain Controller, open Event Viewer and go to Applications and Services Logs > Microsoft > AzureADPasswordProtection > DCAgent > Admin.
Password rejected by the Azure password policy
When Azure would reject the password, event IDs 10025 and 30009 are logged.
Event 10025, DCAgent: The reset password for the specified user would normally have been rejected because it did not comply with the current Azure password policy. The password was accepted because the current Azure password policy is configured for audit-only mode. See the associated event log message for more details.
Event 30009, DCAgent: The reset password for the specified user would normally have been rejected because it matches at least one of the tokens in the Microsoft global banned password list of the current Azure password policy. The password was accepted because the current Azure password policy is configured for audit-only mode.
Password accepted by the Azure password policy
When Azure validates the password as compliant, event ID 10015 is logged.
Event 10015, DCAgent: The reset password for the specified user was validated as compliant with the current Azure password policy.
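The following PowerShell script is an added example, not part of the original article, for reviewing the Audit-mode events described above before switching to Enforce. It assumes the DC agent's Admin channel is named 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' and that the event message contains a "UserName:" line; both are assumptions.

```powershell
# Added example (not from the original article): summarise Audit-mode results from the
# DC agent Admin log on a Domain Controller that has the agent installed.
$LogName = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'   # assumed channel name
$Since   = (Get-Date).AddDays(-7)

# Event IDs from the article: 10015 = compliant, 10025/30009 = would have been rejected
$Labels = @{
    10015 = 'Compliant'
    10025 = 'AuditOnly-PolicyFailure'
    30009 = 'AuditOnly-GlobalBannedList'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = @(10015, 10025, 30009)
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No matching events since $Since in $LogName."
    return
}

# Count per outcome so you know how many resets Enforce mode would have blocked
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId = [int]$_.Name
        Outcome = $Labels[[int]$_.Name]
        Count   = $_.Count
    }
} | Sort-Object EventId | Format-Table -AutoSize

# List the accounts whose new passwords would be rejected once Enforce is on.
# Assumption: the message body carries a "UserName:" line; otherwise report unknown.
$events |
    Where-Object { $_.Id -in 10025, 30009 } |
    ForEach-Object {
        $user = if ($_.Message -match 'UserName:\s*(\S+)') { $Matches[1] } else { '(unknown)' }
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; User = $user }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it on each DC (or point the FilterHashtable at a remote computer with -ComputerName) so that users affected by the switch to Enforce can be warned in advance.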
Summary Report for Azure Active Directory Password Protection
Get a summary report that shows how many new passwords have been validated and how many have been rejected.
PS C:\> Get-AzureADPasswordProtectionSummaryReport
DomainController : DC01-2016.exoip.local
PasswordChangesValidated : 0
PasswordSetsValidated : 4
PasswordChangesRejected : 0
PasswordSetsRejected : 0
PasswordChangeAuditOnlyFailures : 0
PasswordSetAuditOnlyFailures : 3
PasswordChangeErrors : 0
PasswordSetErrors : 0
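As an added example that is not part of the original article, the script below combines the Get-AzureADPasswordProtectionDCAgent and Get-AzureADPasswordProtectionSummaryReport output into a readiness check to run before switching to Enforce. It assumes the HeartbeatUTC and PasswordPolicyDateUTC property names, that a policy date of 1/1/0001 (DateTime.MinValue, as in the output above) means the agent has not yet received a policy, and that the ActiveDirectory module is available for Get-ADDomainController.

```powershell
# Added example (not from the original article): check every DC agent is healthy and
# show how many audit-only failures would turn into rejections under Enforce mode.
Import-Module AzureADPasswordProtection

$MaxHeartbeatAge = [TimeSpan]::FromHours(2)   # agents refresh the policy hourly (see article)
$now = (Get-Date).ToUniversalTime()

$agents   = Get-AzureADPasswordProtectionDCAgent
$problems = @()

foreach ($a in $agents) {
    $age = $now - $a.HeartbeatUTC
    if ($age -gt $MaxHeartbeatAge) {
        $problems += "$($a.ServerFQDN): last heartbeat $([int]$age.TotalMinutes) min ago"
    }
    # Assumption: DateTime.MinValue means no Azure policy has been downloaded yet
    if ($a.PasswordPolicyDateUTC -eq [DateTime]::MinValue) {
        $problems += "$($a.ServerFQDN): no Azure password policy downloaded yet (check proxy/SCP)"
    }
}

# Compare the agent list against the domain's DCs so no DC is left unprotected
$dcs = (Get-ADDomainController -Filter *).HostName      # ActiveDirectory module
foreach ($dc in $dcs) {
    if ($agents.ServerFQDN -notcontains $dc) {
        $problems += "$dc: DC agent not installed or not reporting"
    }
}

# Audit-only failures are the resets/changes that Enforce mode would block
$report = Get-AzureADPasswordProtectionSummaryReport
$auditFailures = ($report | Measure-Object -Property PasswordSetAuditOnlyFailures -Sum).Sum +
                 ($report | Measure-Object -Property PasswordChangeAuditOnlyFailures -Sum).Sum
$report | Format-Table DomainController, PasswordSetsValidated, PasswordChangesValidated,
    PasswordSetAuditOnlyFailures, PasswordChangeAuditOnlyFailures -AutoSize

if ($problems) {
    Write-Warning "Not ready for Enforce mode:"
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All $($agents.Count) DC agents healthy; $auditFailures audit-only failures would be blocked under Enforce."
}
```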
The next and final step is to switch from Audit to Enforce mode.
Enable Azure AD Password Protection
Sign in to the Azure portal at https://portal.azurewebsites.com and go to Azure Active Directory > Security > Authentication methods > Password protection. Alternatively, search for Azure AD Password Protection at the top of the page.
When the mode is set to Enforce, users are blocked from setting banned passwords, and the attempt is recorded.
Set the mode to Enforce. Click Save.
For Windows Server Active Directory, you successfully configured Azure AD Password Protection.
Conclusion
You learned how to set up Azure AD Password Protection for on-premises Active Directory. Start by configuring Azure AD Password Protection in Audit mode, following the steps above. Then, once everything is in place and you're satisfied with the results, switch from Audit to Enforce mode.
Did you find this article interesting? If so, you may also like Upgrade Azure AD Connect to V2.0. Don't forget to subscribe to our newsletter and share this post.