Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2018-10-26) Running The Azure AD Password Protection Summary Report May Generate An Error

Posted by Jorge on 2018-10-26


When on one of the Azure AD Password Protection Proxy servers, you can generate an Azure AD Password Protection Summary report through one of the following commands:

Targeting a specific DC:

Get-AzureADPasswordProtectionSummaryReport -DomainController <RWDC FQDN>

Targeting all DCs in a specific AD Domain:

Get-AzureADPasswordProtectionSummaryReport -Domain <AD DOMAIN FQDN>

Targeting all DCs in a specific AD Forest:

Get-AzureADPasswordProtectionSummaryReport -Forest <AD FOREST FQDN>

Targeting all DCs in the local AD Forest:

Get-AzureADPasswordProtectionSummaryReport

So, whatever your targeted scope is, if all DCs have the Azure AD Password Protection DC Agent installed, they will also have the corresponding event logs, which you can list with:

Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"}


Figure 1: All The Azure AD Password Protection DC Agent Event Logs On An RWDC

…and, for completeness, the same query run on the Azure AD Password Protection Proxy servers:

Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"}


Figure 2: All The Azure AD Password Protection Proxy Event Logs On The Proxy Servers

However, if you see errors similar to the one below…


Figure 3: Error When Generating The Azure AD Password Protection Summary Report Against Targeted DCs

…then the targeted event logs are missing on that DC. And if the event logs are missing, the Azure AD Password Protection DC Agent is most likely not installed on that RWDC.

Solution? Install the Azure AD Password Protection DC Agent on the RWDC that throws the error.

Please be aware that querying AD for the DCs that have a Service Connection Point (SCP) registered may not be accurate. Why? If you install the Azure AD Password Protection DC Agent and later uninstall it, for whatever reason, the SCP for that RWDC is not cleaned up during the uninstall. Also be aware that if you force-removed a DC and did not clean up its metadata, the summary report will try to reach an RWDC that no longer exists.

Although more work, the most accurate way is to check, against every RWDC, any of the following:

  • Whether the Azure AD Password Protection DC Agent is installed (Get-WmiObject -Class win32_product -Filter "Name like 'Azure AD Password Protection DC Agent'"). Be aware that enumerating Win32_Product is slow and triggers a consistency check, and possibly a repair, of every installed MSI package on the DC, so prefer the two checks below where possible.
  • Whether the Azure AD Password Protection DC Agent service exists (Get-Service AzureADPasswordProtectionDCAgent)
  • Whether the Azure AD Password Protection DC Agent event logs exist (Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"})
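Putting those checks together, here is an added PowerShell example (my addition, not code from the original post or from the Azure AD Password Protection module) that builds the list of writable DCs from the domain controller objects in every domain of the forest rather than from SCPs, verifies the DC Agent service and the agent event logs on each host, and only then runs the summary report, per DC, against the ones that pass. It assumes Windows PowerShell 5.1 on a proxy server with the ActiveDirectory RSAT module installed, and an account with admin rights on the DCs, since Get-Service -ComputerName and Get-WinEvent -ComputerName talk RPC to the target and do not need WinRM.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 5.1,
# the ActiveDirectory and AzureADPasswordProtection modules, and admin rights on
# every DC (Get-Service/Get-WinEvent -ComputerName use RPC to the remote host).
Import-Module ActiveDirectory
Import-Module AzureADPasswordProtection

# Inventory every writable DC in the forest straight from the domain controller
# objects, so stale SCPs are never consulted. RODCs never run the DC Agent.
$inventory = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain |
        ForEach-Object {
            $dc   = $_.HostName
            $svc  = $null
            $logs = @()

            # A DC that was force-removed without metadata cleanup fails right here.
            $reachable = Test-Connection -ComputerName $dc -Count 1 -Quiet -ErrorAction SilentlyContinue
            if ($reachable) {
                # Service check: the DC Agent registers this service name on install.
                try {
                    $svc = Get-Service -ComputerName $dc -Name AzureADPasswordProtectionDCAgent -ErrorAction Stop
                } catch { }
                # Event log check: the logs the summary report reads must exist.
                try {
                    $logs = @(Get-WinEvent -ComputerName $dc -ListLog '*AzureADPasswordProtection*' -ErrorAction Stop)
                } catch { }
            }

            [pscustomobject]@{
                Domain        = $domain
                DC            = $dc
                Reachable     = [bool]$reachable
                AgentService  = if ($svc) { $svc.Status.ToString() } else { 'missing' }
                AgentLogCount = $logs.Count
            }
        }
}

$inventory | Sort-Object Domain, DC | Format-Table -AutoSize

# Only DCs that are reachable, have the agent service registered and expose the
# agent event logs can produce a report; everything else is reported, not queried.
$ready = @($inventory | Where-Object {
    $_.Reachable -and $_.AgentService -ne 'missing' -and $_.AgentLogCount -gt 0
})

$inventory | Where-Object { $ready.DC -notcontains $_.DC } | ForEach-Object {
    Write-Warning ("Skipping {0}: reachable={1}, service={2}, agent event logs={3}" -f `
        $_.DC, $_.Reachable, $_.AgentService, $_.AgentLogCount)
}

foreach ($entry in $ready) {
    Get-AzureADPasswordProtectionSummaryReport -DomainController $entry.DC
}
```

Running the report one DC at a time, instead of with -Forest, means a single RWDC without the agent (or one that no longer exists) no longer aborts the whole run; the skipped DCs show up as warnings with the reason, which is exactly the list of hosts that still need the DC Agent installed or their metadata cleaned up.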

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge's Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-
