How to Protect Passwords with an Azure AD Password Policy


Azure Active Directory (Azure AD) is the identity and access management service for users of Microsoft cloud services. It provides a single point of authentication for all your services, including Office 365, Azure, and more. With an Azure AD password policy you can require passwords that are hard to guess but easy to remember.


Users may be educated about the need for strong passwords, but they will still take the easiest option: weak passwords. Fortunately, you can use Azure AD Password Protection to stop users from choosing weak passwords.

In this post, learn how to enable and set up Azure AD Password Protection for your Azure AD tenant and your on-premises AD. Also find out what Azure AD Password Protection can do for you and what its limitations are.

Is the Azure Active Directory Password Protection function sufficient, or is there anything better? Continue reading to find out!

Specops Software has generously sponsored this content.

Prerequisites

If you want to follow along with this lesson, make sure you have the following prerequisites.

  • Azure AD Connect, which connects on-premises Active Directory (AD) to Azure Active Directory.

Related: How to Use Azure AD Connect to Connect Azure AD to Office 365

  • The Azure AD Password Protection DC Agent will be installed on a domain controller (DC). A DC named phdc3.lzex.ml is used in this tutorial.
  • To install the Azure AD Password Protection Proxy Service, you need a member server with internet connectivity. This tutorial uses phprxy1.lzex.ml as the member server.
  • Your servers must have the Universal C Runtime installed, where applicable.
  • You have the Global Administrator role in Azure AD.
  • You have domain administrator credentials for your on-premises AD.
  • The Azure AD Password Protection installers are available from the Microsoft Download Center. Copy AzureADPasswordProtectionProxySetup.msi to the member server and AzureADPasswordProtectionDCAgentSetup.msi to the DC.

Installing and Configuring the Azure AD Password Protection Proxy Service

The Azure AD Password Protection Proxy Service is the first of Azure AD Password Protection’s two components. The function of the Azure AD Password Protection Proxy Service is to connect with Azure AD and keep a copy of the global and custom prohibited password lists.

Follow the steps below to set up the Azure AD Password Protection Proxy Service.

1. Go to the member server and log in.

2. Find the AzureADPasswordProtectionProxySetup.msi installer you downloaded and execute it.

3. On the Azure AD Password Protection Proxy Setup page, check the I accept the terms in the License Agreement box and click Install.

Accept the terms of the license.

4. When the installation is finished, click Finish.

Installation completion

5. After the installation, verify that the AzureADPasswordProtectionProxy service is running. Open PowerShell as an administrator and run the command below.

Get-Service AzureADPasswordProtectionProxy | Format-List

The AzureADPasswordProtectionProxy service is shown in the screenshot below.

Viewing the status of the AzureADPasswordProtectionProxy service

6. Now that the AzureADPasswordProtectionProxy service has been deployed and validated, you must register the proxy with Azure AD. Run the Register-AzureADPasswordProtectionProxy command in PowerShell to register the proxy service.

Make sure the -AccountUpn value is the Azure AD account that holds the Global Administrator role. The command prompts you interactively for the account credentials.

Register-AzureADPasswordProtectionProxy -AccountUpn <UPN>

7. To register your on-premises AD forest with Azure AD, use the Register-AzureADPasswordProtectionForest command. As with the previous command, the -AccountUpn value must be the Global Administrator account.

Register-AzureADPasswordProtectionForest -AccountUpn <UPN>

Installing the Azure AD Password Protection DC Agent

The Azure AD Password Protection DC Agent is the last component to set up. This agent is responsible for retrieving the password policy from Azure AD via the Azure AD Password Protection Proxy Service and for applying the filtering during password changes.

To install the Azure AD Password Protection DC Agent, follow the steps below.

1. Go to the domain controller and log in.

2. Find the AzureADPasswordProtectionDCAgentSetup.msi installer you downloaded and execute it.

3. On the Azure AD Password Protection DC Agent Setup page, check the I accept the terms in the License Agreement box and click Install.

Accept the licensing agreement for the Azure AD Password Protection DC Agent.

4. When the installation is finished, click Finish.

Finished installing the Azure AD Password Protection DC Agent

5. The Azure AD Password Protection DC Agent installation requires a server restart. Click Yes to confirm.

The domain controller is being rebooted.

The Azure AD Password Protection DC Agent does not require any further configuration. After the restart, the DC agent starts downloading the Azure AD password policy, and it repeats the download every hour after that.
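The two procedures above only check that the proxy service is running. A practitioner also wants to know that both components are registered with Azure AD and that the DC agent has actually downloaded a policy, since a DC whose agent has never fetched a policy is not filtering anything. The following PowerShell script is an added example, not code from the original post. It assumes the AzureADPasswordProtection module installed with the proxy and DC agent, its Get-AzureADPasswordProtectionProxy and Get-AzureADPasswordProtectionDCAgent cmdlets, and the property names used below; if a column comes back empty, confirm the names with Get-Member on your version.

```powershell
# Added example (not part of the original post): confirm that the proxy and the
# DC agent are registered with Azure AD and that the agent has pulled a policy.
# Assumption: the AzureADPasswordProtection module exposes the cmdlets and the
# property names (ServerFQDN, SoftwareVersion, HeartbeatUTC, PasswordPolicyDateUTC)
# used here; verify with Get-Member if your version differs.
Import-Module AzureADPasswordProtection -ErrorAction Stop

$maxAge = New-TimeSpan -Hours 2          # a heartbeat older than this is flagged as stale
$now    = (Get-Date).ToUniversalTime()

# One row per registered proxy server in the forest
$proxies = Get-AzureADPasswordProtectionProxy | ForEach-Object {
    [pscustomobject]@{
        Role      = 'Proxy'
        Server    = $_.ServerFQDN
        Version   = $_.SoftwareVersion
        Heartbeat = $_.HeartbeatUTC
        Stale     = [bool]($_.HeartbeatUTC -and (($now - $_.HeartbeatUTC) -gt $maxAge))
        PolicyUTC = $null
    }
}

# One row per DC agent; PasswordPolicyDateUTC is when the agent last fetched a policy
$agents = Get-AzureADPasswordProtectionDCAgent | ForEach-Object {
    [pscustomobject]@{
        Role      = 'DCAgent'
        Server    = $_.ServerFQDN
        Version   = $_.SoftwareVersion
        Heartbeat = $_.HeartbeatUTC
        Stale     = [bool]($_.HeartbeatUTC -and (($now - $_.HeartbeatUTC) -gt $maxAge))
        PolicyUTC = $_.PasswordPolicyDateUTC
    }
}

@($proxies) + @($agents) | Format-Table -AutoSize

# Warn on the two conditions that mean filtering is not really happening:
# no proxy registered (agents cannot reach Azure AD) or an agent with no policy.
if (-not $proxies) { Write-Warning 'No proxy is registered; DC agents cannot reach Azure AD.' }
foreach ($a in $agents) {
    if (-not $a.PolicyUTC) { Write-Warning "$($a.Server): DC agent has not downloaded a policy yet." }
    if ($a.Stale)          { Write-Warning "$($a.Server): DC agent heartbeat is older than $($maxAge.TotalHours) hours." }
}
```

Run this from an elevated PowerShell session on the DC or the proxy server after both registration commands have completed. A new DC agent shows an empty PolicyUTC until its first hourly download, so an empty value right after the reboot is expected; an empty value hours later points at proxy connectivity or registration problems.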

Configuring the Azure AD Password Protection Settings in the Azure Portal

After installing and configuring Azure AD Password Protection on your on-premises servers, the next step is to set up the password protection settings in Azure AD. Azure AD Password Protection is set to Audit mode by default, which means the banned password list is not enforced.

Follow these steps to activate and configure Azure AD Password Protection.

1. Open the Azure Active Directory admin center and log in.

2. Next, click Azure Active Directory —> Security —> Authentication methods —> Password protection.

Changing the password security settings in Azure AD

3. Leave the Lockout threshold at its default value. This setting is the number of failed sign-in attempts allowed before the account is locked out.

Leave the Lockout duration in seconds at its default value. This setting is how long the account stays locked before the user can try to sign in again.

Customized lockout options

4. Under the Custom banned passwords section, set Enforce custom list to Yes.

In the Custom banned password list box, enter one or more passwords you want to ban.

The custom banned password list can have up to 1000 entries, is case-insensitive, and takes common character substitutions into account (for example, “p@ssword” also matches “password”).

Setting up the custom password ban list

5. Under the Password protection for Windows Server Active Directory section, set Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced.

Password security for on-premise AD is enabled.

6. Finally, click Save at the top of the page to apply your changes.

The password protection settings are saved.
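Step 4 above states that custom list matching is case-insensitive and accounts for common character substitutions, which is why an entry like “password” also catches “P@ssw0rd”. The PowerShell below is an added illustration of those two rules so you can sanity-check candidate entries before you add them; it is not Microsoft’s implementation, which additionally scores candidates against the global banned list and applies further normalization. The substitution table, the 4-character minimum (taken from the page’s note on entry length), and the sample list and candidates are all constructed for this example.

```powershell
# Added example (not part of the original post, not Microsoft's algorithm):
# normalize a candidate password the way the page describes (lower-case, undo
# common character substitutions) and check it against a custom banned list.
# The substitution table is an assumption chosen for illustration.
$Substitutions = @{ '@' = 'a'; '$' = 's'; '0' = 'o'; '1' = 'l'; '!' = 'i'; '3' = 'e'; '4' = 'a'; '5' = 's'; '7' = 't' }

function Get-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    $out = [System.Text.StringBuilder]::new()
    foreach ($ch in $Password.ToLowerInvariant().ToCharArray()) {
        $key = [string]$ch
        if ($Substitutions.ContainsKey($key)) { [void]$out.Append($Substitutions[$key]) }
        else                                  { [void]$out.Append($key) }
    }
    $out.ToString()
}

function Test-BannedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$BannedList
    )
    $normalized = Get-NormalizedPassword -Password $Password
    foreach ($term in $BannedList) {
        $t = Get-NormalizedPassword -Password $term
        # The page says list entries must be at least 4 characters; shorter
        # entries are skipped here so they cannot match almost everything.
        if ($t.Length -ge 4 -and $normalized.Contains($t)) {
            return [pscustomobject]@{ Password = $Password; Banned = $true;  MatchedTerm = $term }
        }
    }
    [pscustomobject]@{ Password = $Password; Banned = $false; MatchedTerm = $null }
}

# Constructed sample banned list (company name, season, the classic) and candidates
$banned = 'password', 'contoso', 'winter'
'P@ssw0rd2024', 'C0nt0so!', 'Tr0ub4dor&3' |
    ForEach-Object { Test-BannedPassword -Password $_ -BannedList $banned } |
    Format-Table -AutoSize
```

The point of the substring check is that the banned term only has to appear somewhere in the normalized candidate, so appending a year or a symbol to a banned word does not help; the third candidate passes because no banned term survives normalization inside it. Use the function to review a proposed list for entries that are too short or too generic before committing them in the portal.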

Checking the Status of Azure AD Password Protection

In Azure AD, the updated password protection settings take effect almost immediately. On your on-premises AD, however, the new settings can take at least an hour to apply, because the DC agent refreshes the policy only once an hour.

To verify the Azure AD Password Protection policy and force its enforcement, follow these steps.

1. Check the Azure AD password protection policy status by retrieving the most recent event ID 30006 on the DC.

Get-WinEvent -LogName 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' | Where-Object {$_.Id -eq 30006} | Select-Object -First 1 | Format-List

The Azure AD password policy status is enabled (Enabled: 1), but only in audit mode, as seen below (AuditOnly: 1).

Confirming the status of the Azure AD Password Protection policy

2. Restart the AzureADPasswordProtectionDCAgent service on the domain controller to trigger the Azure AD password protection policy change. This step will refresh the DC agent filters and use the proxy service to get the newest Azure AD password policy.

Restart-Service AzureADPasswordProtectionDCAgent

3. Re-run the event lookup command in step 1 after restarting the AzureADPasswordProtectionDCAgent service. This time, the value AuditOnly: 0 should be present, indicating that the Azure AD password protection policy mode is now Enforced.

The Azure Active Directory password policy is enforced.
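The three steps above check one DC by hand. In a domain with several DCs, each agent refreshes on its own hourly schedule, so some DCs can still be in audit mode while others already enforce; a password change lands on whichever DC handles it. The PowerShell below is an added example, not code from the original post, that reads the most recent 30006 event from every DC, reports Enforced versus AuditOnly per DC, and counts rejections over the last 24 hours. It assumes the ActiveDirectory module, WinRM access to each DC, and the DC agent’s rejection event IDs listed at the top (the page documents only 30006; the rejection IDs are taken from the agent’s Admin log and should be confirmed against your agent version).

```powershell
# Added example (not part of the original post): per-DC enforcement mode and
# rejection counts for Azure AD Password Protection.
# Assumptions: ActiveDirectory module present, WinRM open to every DC, and the
# DC agent event IDs below (30006 is from the page; the others are assumed and
# should be checked in the agent's Admin log on your version).
#Requires -Modules ActiveDirectory

$LogName          = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
$PolicyLoadedId   = 30006          # message carries "Enabled: n" and "AuditOnly: n"
$AuditOnlyRejects = 10024, 10025   # assumed: password would have been rejected (audit mode)
$EnforcedRejects  = 10016, 10017   # assumed: password was rejected (enforced mode)
$Since            = (Get-Date).AddHours(-24)

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ErrorAction Continue `
    -ArgumentList $LogName, $PolicyLoadedId, $AuditOnlyRejects, $EnforcedRejects, $Since `
    -ScriptBlock {
    param([string]$LogName, [int]$PolicyId, [int[]]$AuditIds, [int[]]$EnforceIds, [datetime]$Since)

    # Get-WinEvent raises an error when nothing matches; treat that as zero events.
    function Get-EventCount([int[]]$Ids) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $Since } `
                               -ErrorAction SilentlyContinue
        @($events).Count
    }

    # Most recent policy-load event; its message tells us whether AuditOnly is 0 or 1
    $policy = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $PolicyId } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue
    $mode = 'Unknown'
    if ($policy -and $policy.Message -match 'AuditOnly:\s*(\d)') {
        $mode = if ($Matches[1] -eq '0') { 'Enforced' } else { 'AuditOnly' }
    }

    [pscustomobject]@{
        DC               = $env:COMPUTERNAME
        PolicyLoadedUTC  = if ($policy) { $policy.TimeCreated.ToUniversalTime() } else { $null }
        Mode             = $mode
        AuditOnlyRejects = Get-EventCount $AuditIds
        EnforcedRejects  = Get-EventCount $EnforceIds
    }
}

$report | Sort-Object DC |
    Format-Table DC, PolicyLoadedUTC, Mode, AuditOnlyRejects, EnforcedRejects -AutoSize

# A DC still reporting AuditOnly after the portal change has not refreshed yet:
# restart its AzureADPasswordProtectionDCAgent service (step 2 above) and re-run.
$report | Where-Object Mode -ne 'Enforced' | ForEach-Object {
    Write-Warning "$($_.DC) is not enforcing the policy (mode: $($_.Mode))."
}
```

Run this after saving the portal change and again after restarting the DC agent service on the lagging DCs. The AuditOnlyRejects column is also useful before you switch to Enforced: it tells you how many password changes would start failing, which is the number your service desk should be prepared for.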

Testing the Azure AD Password Protection Policy

Now you must test Azure AD Password Protection to make sure everything you have done so far works. There are two ways to test a password change and see what the user experiences.

Testing a Password Change in Windows

1. On your domain-joined Windows computer, press CTRL+ALT+DEL (or CTRL+ALT+END if you’re on an RDP connection) and choose Change Password to change your password.

Changing your password for the first time

2. Enter your old password and your new password. The new password should be the one you added to the password policy as a banned password. The password in this case is [email protected].

Password modification

3. You should then see the message “The password could not be changed. The new password value given does not fulfill the domain’s length, complexity, or history criteria.”

The password could not be changed.

Testing a Password Change Using Azure AD

Open a browser, go to the Azure AD password change page, and sign in with your existing username and password.

Signing in to Azure Active Directory

In the Old password field on the Change password form, input the old password. Then, in the Create new password and Confirm new password boxes, input the new password and click Submit.

Changing your password is simple.

Because you used a banned password as the new password, you’ll see the error message “Unfortunately, you can’t use that password because it includes words or characters that have been forbidden by your administrator. Please use a new password next time.”

Error changing password

Specops Password Policy for Password Security

Adding Azure AD Password Protection to your on-premises Active Directory domains is a big step in making your passwords more secure. However, a deeper examination reveals that it lacks certain crucial functions and offers limited customization choices.

User Interface

For example, changing to a banned password results in a generic message like the one below. Users have no idea why their password change failed, and admins cannot customize the message. This can lead to more service desk calls.

“The password could not be changed. The new password value given does not fulfill the domain’s length, complexity, or history criteria.”

Specops Password Policy (SPP), on the other hand, significantly improves the user experience. Users see a live evaluation of their password against the current policy, so they understand what they need to submit a compliant password. No more guessing.

Changes to the Specops Password Policy password

Long List of Breached Passwords

Checking passwords against lists of known breached or compromised passwords is a regulatory and industry-standard recommendation from NIST and the NCSC. Microsoft’s banned password list in Azure AD Password Protection does not use such lists.

Specops Password Policy gives you access to a database of over two billion compromised passwords, including passwords gathered from real-world password attacks.

Customized Password Banned List

Microsoft’s custom banned password list is limited to 1000 entries. That may be more than enough for some organizations, but larger organizations can reach this limit quickly. In addition, each entry must be at least 4 characters long.

The custom dictionary in Specops Password Policy has no arbitrary limit on the number of entries, and entries can be of any length. Your banned password list can grow over time without you having to worry about making room for more.

Conclusion

Azure AD Password Protection stops your organization from using weak passwords. However, its limited customization options and its failure to use industry-standard and third-party breached password databases can be a problem, leading to more password-related incident response effort.

Specops Password Policy, on the other hand, addresses these difficulties and provides more advantages than Azure AD Password Protection. SPP may effectively replace Azure AD Password Protection and safeguard passwords on your on-prem or hybrid Azure AD environment after you apply it.

Related: How to Use Specops Password Policy to Secure Passwords

