Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-10-20) Azure AD Password Protection (A.k.a. Banned Password List) – The Configuration (Part 2)

Posted by Jorge on 2019-10-20


The concept of Azure AD Password Protection is very simple, yet very effective, and the same goes for its configuration. No configuration is required on-premises beyond deploying the software and making sure the components can communicate with each other, and that the proxy service (and only the proxy service!) can communicate with Azure AD. The complete configuration of this interesting feature is done in Azure AD.

To access its configuration:

  • Navigate to the Azure AD Portal (https://portal.azure.com/) or use the Azure AD Portal app
  • Log in with an admin account that has the Global Administrator role
  • In the first left pane click on “Azure Active Directory”
  • In the second pane from the left click on “Security”
  • In the second pane from the left click on “Authentication Methods”
  • In the second pane from the left click on “Password Protection”

You should now see something similar to the following


Figure 1: The Azure AD Password Protection Configuration Page

The “Custom Smart Lockout” settings only apply to native Azure AD authN, not to on-premises authN, as the AD password policies (GPO or PSO) govern that part. The settings that govern Azure AD Password Protection are in the section “Custom Banned Password”. These settings apply to both native Azure AD authN and on-premises authN.

“Enforce Custom List”: this tells Azure AD to also use the custom per-tenant list in addition to the global Microsoft list.

“Custom Banned Password List”: if the previous setting has been configured with “YES”, you will be able to define a custom per-tenant list. Remember: each word must be 4 to 16 characters long, with a maximum of 1000 words.

If you want to use Azure AD Password Protection for the on-premises Active Directory, you need to configure the settings in the section “Password Protection For Windows Server Active Directory”.

“Enable Password Protection On Windows Server Active Directory”: enable or disable Azure AD Password Protection for the on-premises Active Directory

“Mode”: Configure Azure AD Password Protection for the on-premises Active Directory in either “Audit Mode” or “Enforce Mode”

In a later blog post, I’ll describe more about optimizing the custom list of banned words and moving from “Audit Mode” to “Enforce Mode”.

As soon as you change anything in Azure AD, the on-premises DCs need to consume that new configuration. Unfortunately that may take some hours. To speed up the consumption of the configuration, restart the “Azure AD Password Protection DC Agent” service on a DC in each AD domain that is able to communicate with the Azure AD Password Protection Proxy service. The Azure AD Password Protection DC Agent on that DC will fetch the new configuration from Azure AD through the Azure AD Password Protection Proxy Service and put it on the SYSVOL of the AD domain the DC belongs to (“<SYSVOL Path>\domain\AzureADPasswordProtection”; previously this was “<SYSVOL Path>\domain\Policies\{4A9AB66B-4365-4C2A-996C-58ED9927332D}\AzureADPasswordProtection”, changed with version 1.2.65.0).

The new settings then need to be replicated through SYSVOL to every other DC in the same AD domain and be consumed by every individual DC. Every DC will log event ID 30006 in the “Microsoft-AzureADPasswordProtection-DCAgent/Admin” Event Log once it has consumed the new configuration. If you need to measure the convergence of your SYSVOL, check out the following blog post: (2014-02-17) Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 3).


Figure 2: A New Azure AD Password Protection Configuration Being Consumed By The DC

The service is now enforcing the following Azure password policy.

Enabled: 1

AuditOnly: 1

Global policy date: 2019-07-04T00:00:00.000000000Z

Tenant policy date: 2019-08-08T09:54:22.682255000Z

Enforce tenant policy: 1

Enabled: 1 <— Corresponds to the setting “Enable Password Protection On Windows Server Active Directory” in Azure AD

AuditOnly: 1 <— Corresponds to the setting “Mode” in Azure AD (1 = “Audit Mode”, 0 = “Enforce Mode”)

Global policy date: 2019-07-04T00:00:00.000000000Z <— Corresponds to the last date/time Microsoft updated their global list

Tenant policy date: 2019-08-08T09:54:22.682255000Z <— Corresponds to the last date/time you updated your per-tenant configuration (not just the list of words)

Enforce tenant policy: 1 <— Corresponds to the setting “Enforce Custom List” in Azure AD
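As an added example (not code from the original post or from the product), the following PowerShell restarts the DC Agent on one DC and then polls every DC in the domain for event ID 30006, parsing the “Name: value” lines shown above out of the event message so you can see per DC when, and in which mode, the new configuration was consumed. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, the SYSVOL share path used by agent version 1.2.65.0 or later, and that the event message keeps the exact field names shown above.

```powershell
#Requires -Modules ActiveDirectory
# Assumed: run as a domain admin from a host that can reach every DC over WinRM/RPC.
param(
    [string]$Domain  = (Get-ADDomain).DNSRoot,
    [string]$SeedDC  = (Get-ADDomain).PDCEmulator,   # any DC that can reach the proxy service
    [int]$TimeoutMinutes = 60
)

# Small grace period so minor clock skew between DCs does not hide the event
$since = (Get-Date).AddMinutes(-5)

# Force the seed DC to fetch the new policy from Azure AD through the proxy service
Invoke-Command -ComputerName $SeedDC -ScriptBlock {
    Restart-Service -DisplayName 'Azure AD Password Protection DC Agent'
}

$dcs      = (Get-ADDomainController -Filter * -Server $Domain).HostName
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$pending  = [System.Collections.Generic.HashSet[string]]::new([string[]]$dcs)

while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    foreach ($dc in @($pending)) {
        # The policy first has to arrive in this DC's SYSVOL replica (path for agent >= 1.2.65.0)
        $sysvol = "\\$dc\SYSVOL\$Domain\AzureADPasswordProtection"
        if (-not (Test-Path $sysvol)) { continue }

        # Event 30006 is logged by the DC Agent once it has consumed the new configuration
        $evt = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
            Id        = 30006
            StartTime = $since
        } | Select-Object -First 1
        if (-not $evt) { continue }

        # Parse the "Name: value" lines; the lazy key match keeps the colons inside the timestamps
        $policy = @{}
        foreach ($line in ($evt.Message -split "`r?`n")) {
            if ($line -match '^\s*(?<k>[^:]+?):\s*(?<v>\S.*)$') { $policy[$Matches.k] = $Matches.v }
        }
        [pscustomobject]@{
            DC               = $dc
            ConsumedAt       = $evt.TimeCreated
            Enabled          = $policy['Enabled']
            AuditOnly        = $policy['AuditOnly']        # 1 = Audit Mode, 0 = Enforce Mode
            TenantPolicyDate = $policy['Tenant policy date']
        }
        [void]$pending.Remove($dc)
    }
    if ($pending.Count -gt 0) { Start-Sleep -Seconds 60 }
}
if ($pending.Count -gt 0) { Write-Warning "No event 30006 yet on: $($pending -join ', ')" }
```

A DC that never leaves the pending list after the timeout is the one to look at for SYSVOL replication or DC Agent problems.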

Have fun!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
Jorge’s Quest For Knowledge - http://JorgeQuestForKnowledge.wordpress.com/
————————————————————————————————————————————————————-
