Hello everyone,
In this article we will learn how to configure and manage “Azure AD Password Protection” in an on-premises environment.
What is “Password Protection” all about, and why is it so important for every organization to use it?

Azure AD Password Protection – This tool automatically identifies and blocks Active Directory users from using weak passwords or passwords that are common across the network. In addition, you can define your own list of passwords that the organization’s users must not be allowed to use (a custom banned password list).
When you define the “Passwords must meet complexity” policy in your organization’s password policy, users can still choose weak and common passwords such as “P@ssw0rd”, “Aa123456”, etc. That is why it is so important to use Password Protection and maintain a strong password policy.


Introduction:
As we know, the Domain Controller does not communicate with Azure directly; synchronization runs on the schedule defined in the Azure AD Connect server (which should be installed on a separate server, not on the DC). To give the Domain Controller a path to Azure AD for password policy, we need to install the “Azure AD Password Protection Proxy Service”.
All “Azure AD Password Protection” services run under the “LOCAL SYSTEM” account.


How does it work:
1. The user is required by the Domain Controller to change their password.
2. The DC Agent password filter DLL receives the password change request from the endpoint and forwards it to the Azure AD Password Protection DC Agent service, which verifies that the new password meets the conditions of the Azure password policy.
3. Once an hour the DC Agent pulls a fresh copy of the Azure password policy through the proxy service.


Prerequisites:
– Before starting the implementation, make sure the operating system of your Domain Controllers is Windows Server 2012 R2 or higher.
– .NET Framework 4.7 or higher and the Universal C Runtime for Windows must be installed on the operating system.
– Download Azure AD Password Protection from the following link:
https://www.microsoft.com/en-us/download/details.aspx?id=57071

Please make sure you have downloaded the following two installers:
AzureADPasswordProtectionDCAgentSetup
AzureADPasswordProtectionProxySetup


Azure AD Password Protection can now be implemented in your organization:
Install the Proxy Service (AzureADPasswordProtectionProxySetup.exe).


Once the installation is complete, install the second package, AzureADPasswordProtectionDCAgentSetup.msi, on the Domain Controller.
At the end of the installation you will need to restart the DC.


We will register the Password Protection Proxy against the Azure AD tenant by running the following command in PowerShell on the server where we installed the proxy:

Register-AzureADPasswordProtectionProxy -AccountUpn 'admin@<yourtenant>.onmicrosoft.com'

Now we need to register the forest with Azure AD by running the following PowerShell command:

Register-AzureADPasswordProtectionForest -AccountUpn 'admin@<yourtenant>.onmicrosoft.com'

Please make sure that you perform the registration with a user who is a member of the Domain Admins group in Active Directory and holds the “Global Admin” role on the tenant.

Now you can connect to the Azure portal and start managing passwords through the Microsoft cloud:
https://portal.azure.com
All services –> Azure AD Authentication methods –> Password protection
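The registration steps above, followed by the checks I would run before trusting the deployment, as an added example (this is not from the original article; the UPN is a placeholder, it assumes an elevated session on the proxy server with the AzureADPasswordProtection module installed by the proxy setup):

```powershell
# Added example: register the proxy and forest, then verify the deployment.
# Run in an elevated PowerShell session on the server hosting the Proxy Service,
# as a user who is both a Domain Admin and a Global Admin on the tenant.
Import-Module AzureADPasswordProtection

# Placeholder UPN; replace <yourtenant> with your tenant name.
$accountUpn = 'admin@<yourtenant>.onmicrosoft.com'

# 1. Register this proxy against the Azure AD tenant.
Register-AzureADPasswordProtectionProxy -AccountUpn $accountUpn

# 2. Register the Active Directory forest with the tenant.
Register-AzureADPasswordProtectionForest -AccountUpn $accountUpn

# 3. Confirm the proxy and every DC Agent show up as registered. A DC that is
#    missing here, or whose policy/heartbeat timestamps are stale, is not enforcing.
Get-AzureADPasswordProtectionProxy   | Format-Table -AutoSize
Get-AzureADPasswordProtectionDCAgent | Format-Table -AutoSize

# 4. End-to-end health test from the proxy side (connectivity to Azure, registration,
#    ability to download the password policy).
Test-AzureADPasswordProtectionProxyHealth -TestAll

# 5. Summary of accepted/rejected password changes and sets across the forest,
#    useful to confirm that the policy is actually being evaluated.
Get-AzureADPasswordProtectionSummaryReport
```

On each Domain Controller, `Test-AzureADPasswordProtectionDCAgentHealth -TestAll` runs the equivalent checks from the agent side.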


This Article Was Written By Matan Sigavker.
