Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-10-22) Azure AD Password Protection (A.k.a. Banned Password List) – Deploy The Proxy Service (Part 3)

Posted by Jorge on 2019-10-22


As it is not desirable to have DCs communicate directly with anything on the internet, the Azure AD Password Protection solution provides an Azure AD Password Protection Proxy Service that acts as an intermediary between the Azure AD Password Protection DC Agents on the DCs and Azure AD. Per AD forest you can implement 2 servers with the Azure AD Password Protection Proxy Service installed.

To install the Azure AD Password Protection Proxy Service, you can use the PowerShell script below, which writes a log file and produces some nice output. For additional requirements, please see Azure AD Password Protection – Deployment Requirements.

To download the latest version: Azure AD Password Protection for Windows Server Active Directory

To read about the version history and release notes: Azure AD Password Protection agent version history

.\AAD-Password-Protection-Install-Proxy-Service.ps1 -servers <FQDN Server 1>,<FQDN Server 2> -installSourceFullPath "<Full Path To AzureADPasswordProtectionProxySetup.exe>"


Figure 1: Installing The Azure AD Password protection Proxy Service


Figure 2: GridView Output


Figure 3: Installation Log File Sample

You can download the script from here

Before version 1.2.116.0 the Azure AD Password Protection Proxy Service software was distributed as an MSI; starting with that version it is an EXE. That's why the script above supports both.

With version 1.2.116.0 and higher the Azure AD Password Protection Proxy Service software supports automatic upgrade, which is enabled by default.


Figure 2: Checking The Azure AD Password Protection Proxy Service Configuration

To disable automatic upgrade, you can use the following command:

Set-AzureADPasswordProtectionProxyConfiguration -AutoUpgradeEnabled $false

… and to enable it again:

Set-AzureADPasswordProtectionProxyConfiguration -AutoUpgradeEnabled $true

If auto upgrade is disabled, the Azure AD Password Protection Proxy Service will log event ID 20002 in the Azure AD Password Protection Proxy Service Operational event log stating that a newer version is available. With auto upgrade enabled, nothing is logged about a newer version.
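The following script is an added example, not part of the original post or of the Microsoft module: it reads the proxy configuration on each proxy server and, where auto upgrade is disabled, counts recent event ID 20002 entries so you notice a pending update. The server names are constructed, and the Operational log name and the AutoUpgradeEnabled output property are assumptions to verify against your installed version.

```powershell
# Added example (not from the original post). Audit the auto-upgrade setting of the
# Azure AD Password Protection Proxy Service and, when it is disabled, surface the
# "newer version available" events (ID 20002) logged during the last 7 days.
# Assumptions: the AzureADPasswordProtection module is installed on each proxy server
# (it ships with the proxy installer), the Get cmdlet exposes AutoUpgradeEnabled, and
# the Operational log name below matches your version.
$servers = @('proxy1.corp.example', 'proxy2.corp.example')                  # constructed names
$logName = 'Microsoft-AzureADPasswordProtection-ProxyService/Operational'   # assumed log name

foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ArgumentList $logName -ScriptBlock {
        param($logName)
        Import-Module AzureADPasswordProtection -ErrorAction Stop

        # Same information as the "Checking The ... Proxy Service Configuration" figure
        $cfg = Get-AzureADPasswordProtectionProxyConfiguration

        $result = [ordered]@{
            Server             = $env:COMPUTERNAME
            AutoUpgradeEnabled = $cfg.AutoUpgradeEnabled   # assumed property name
            NewerVersionEvents = 0
            LatestEventMessage = $null
        }

        # With auto upgrade enabled nothing is logged, so only query when it is off
        if (-not $cfg.AutoUpgradeEnabled) {
            $events = Get-WinEvent -FilterHashtable @{
                LogName   = $logName
                Id        = 20002
                StartTime = (Get-Date).AddDays(-7)
            } -ErrorAction SilentlyContinue   # no matching events is not an error here

            $result.NewerVersionEvents = @($events).Count
            if ($events) {
                $result.LatestEventMessage = ($events | Select-Object -First 1).Message
            }
        }

        [pscustomobject]$result
    }
}
```

Run it from a workstation with PowerShell remoting enabled to the proxy servers; a non-zero NewerVersionEvents count means an upgrade is waiting that auto upgrade would otherwise have applied.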

After installing the Azure AD Password Protection Proxy Service for the first time or after installing version 1.2.116.0 or higher, you need to (re-)register both the Azure AD Password Protection Proxy Service and the on-premises AD forest in Azure AD.

To register the Azure AD Password Protection Proxy Service in Azure AD:

$adAdminAccount = Get-Credential

$aadAdminAccount = Get-Credential

Register-AzureADPasswordProtectionProxy -ForestCredential $adAdminAccount -AzureCredential $aadAdminAccount

If you are already logged on with an Enterprise Admin account for AD, then register the Azure AD Password Protection Proxy Service in Azure AD as follows:

$aadAdminAccount = Get-Credential

Register-AzureADPasswordProtectionProxy -AzureCredential $aadAdminAccount

To register the on-premises AD forest in Azure AD:

$adAdminAccount = Get-Credential

$aadAdminAccount = Get-Credential

Register-AzureADPasswordProtectionForest -ForestCredential $adAdminAccount -AzureCredential $aadAdminAccount

If you are already logged on with an Enterprise Admin account for AD, then register the on-premises AD forest in Azure AD as follows:

$aadAdminAccount = Get-Credential

Register-AzureADPasswordProtectionForest -AzureCredential $aadAdminAccount

And if you need to uninstall the Azure AD Password Protection Proxy Service, you can use the following:

WMIC PRODUCT WHERE NAME="Azure AD Password Protection Proxy" CALL UNINSTALL

OR

$product = Get-WmiObject -Class win32_product -Filter "Name like 'Azure AD Password Protection Proxy'"

$product

$product.Uninstall() # WARNING: Reboot is immediate, no mercy and no questions asked!!!

Have fun!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-
