Update 27th November 2023:
The below information may be a bit dated now, so please refer to the lastest official guide here: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-ban-bad-on-premises-deploy
Microsoft have a nice way of preventing the use of bad passwords. Yes, all passwords are bad, but some are worse than others :)
Azure Active Directory Password Protection is a service that looks at password changes and blocks passwords it deems as weak. This could be from checking it’s an easy password to break using a dictionary attack, or other easily guessable variants. It leverages Microsoft online services to do so, which requires some setup and agents installed on the on-premises environment.
Microsoft’s documentation for this is detailed and fairly easy to follow, but I thought I’d do a quick rundown.
Installing the agents:
- There are two agents – the ‘Azure AD Password Protection DC agent’ and the ‘Azure AD Password Protection proxy service’. Both can be downloaded here.
- The ‘Azure AD Password Protection DC agent’ needs to be installed on all Domain Controllers (DCs), but the ‘Azure AD Password Protection proxy service’ only needs to be installed somewhere once. You CAN install it on a Domain Controller, and you can install it on ALL Domain Controllers, but Microsoft highlighted this as a potential security risk allowing any DC internet access. At least two installs of this is recommended for redundancy.
- The ‘Azure AD Password Protection proxy service’ can’t be installed alongside (on the same server) as ‘Azure AD App Proxy Service’ – which is probably the same utility server you’d think of putting this on.
- After installing the ‘Azure AD Password Protection proxy service’ you’ll need to run a few PowerShell commands to register it with global admin rights – you don’t need to create a service account for this, it’s just a one time registration process.
The commands are:
Register-AzureADPasswordProtectionProxy -AccountUpn ‘[email protected]’
(run this on each install)
Register-AzureADPasswordProtectionForest -AccountUpn ‘[email protected]’
(run this after the first install only)
- Installing the ‘Azure AD Password Protection DC agent’ is easier again, but will need a reboot of the DC to start working.
- Both clients automatically update themselves.
Configuring in Azure Active Directory
- You’ll need to enable on-premises Azure Active Directory Password Protection on the Azure AD portal – that link should take you right to ‘Password Protection’ but it’s located under Azure Active Directory > Security > Authentication methods > Password protection.
- Start with ‘Audit mode’ rather than ‘Enforced Mode’ so you can get an idea of how many users might get affected by this change, and allow you to communicate this out before forcing.
- You can also add custom banned passwords which might include your company name and common terms in your business and industry, to ensure easily guessed passwords aren’t used.
Once set up, you can either read through the logs on a DC, or run this PowerShell command on each DC to see the results.:
You’ll need to either wait for users to change their passwords, or do some yourself and work out which DC the changes were done against. These stats will give you an idea of how many ‘failures’ were audited, so you can decide how much of a user impact enforcing the policy will be.
You could of course ship these event viewer logs to a central repository, but the service should just do it’s thing and just block users from setting a new password that’s really bad.