Deploy on-premises Azure Active Directory Password Protection

There are two required installers for an on-premises Azure AD Password Protection deployment:

  • Azure AD Password Protection DC agent (AzureADPasswordProtectionDCAgentSetup.msi)
  • Azure AD Password Protection proxy (AzureADPasswordProtectionProxySetup.exe)

Download both installers from the Microsoft Download Center.

Install the Azure AD Password Protection Proxy Setup on a member server in the domain:

Import the PowerShell module:

Import-Module AzureADPasswordProtection

Check that the Azure AD Password Protection proxy service is running:

Get-Service AzureADPasswordProtectionProxy | fl

Register the Azure AD Password Protection proxy server with Azure AD using the Register-AzureADPasswordProtectionProxy cmdlet.

Now register the on-premises Active Directory forest with the necessary credentials to communicate with Azure by using the Register-AzureADPasswordProtectionForest PowerShell cmdlet. The cmdlet requires either Global Administrator or Security Administrator credentials for your Azure tenant. It also requires on-premises Active Directory Enterprise Administrator privileges. You must also run this cmdlet using an account with local administrator privileges.

To install the Azure AD Password Protection DC agent service, run the AzureADPasswordProtectionDCAgentSetup.msi package on each domain controller; a reboot is required after installation.

Now that you’ve installed the services that you need for Azure AD Password Protection on your on-premises servers, enable on-prem Azure AD Password Protection in the Azure portal by going to Azure Active Directory -> Security -> Authentication methods -> Password protection.

When you enable on-premises Azure AD Password Protection, you can use either audit mode or enforce mode. It is recommended that initial deployment and testing always start out in audit mode. The event log should then be monitored to anticipate whether any existing operational processes would be disturbed once enforce mode is enabled.

I changed the password protection mode from Audit to Enforced:

This can be seen in the Domain Controller Event ID 30006:

Changing the on-prem password must meet the Azure Password Protection Policy:

Failed password changes show in the Summary Report and Event Logs:

Here is a table mapping some of the PowerShell Summary Report properties to their corresponding event IDs:

Get-AzureADPasswordProtectionSummaryReport property    Corresponding event ID
PasswordChangesValidated                               10014
PasswordSetsValidated                                  10015
PasswordChangesRejected                                10016
PasswordSetsRejected                                   10017
PasswordChangeAuditOnlyFailures                        10024
PasswordSetAuditOnlyFailures                           10025
PasswordChangeErrors                                   10012
PasswordSetErrors                                      10013
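As an added example (not part of the original post), the script below pulls the summary report for the local domain controller and counts the DC agent events behind each counter over the last 24 hours, then lists the audit-only failures (10024/10025), which are the password changes that would have been rejected in enforce mode. It assumes it runs on a domain controller with the DC agent installed, and the event channel name Microsoft-AzureADPasswordProtection-DCAgent/Admin is assumed from the agent's log location under Applications and Services Logs.

```powershell
# Added example: cross-reference the summary report with the DC agent event log.
# Assumes the DC agent is installed on this domain controller.
Import-Module AzureADPasswordProtection

# Summary report property -> corresponding DC agent event ID (from the table above)
$Map = [ordered]@{
    PasswordChangesValidated        = 10014
    PasswordSetsValidated           = 10015
    PasswordChangesRejected         = 10016
    PasswordSetsRejected            = 10017
    PasswordChangeAuditOnlyFailures = 10024
    PasswordSetAuditOnlyFailures    = 10025
    PasswordChangeErrors            = 10012
    PasswordSetErrors               = 10013
}

# Assumed channel name for the DC agent Admin log
$Log   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
$Since = (Get-Date).AddDays(-1)

# Report counters for this DC (cumulative since the DC agent service started)
$Report = Get-AzureADPasswordProtectionSummaryReport -DomainController $env:COMPUTERNAME

# Matching events for the last 24 hours only, so counts will differ from the report
$Events = @(Get-WinEvent -FilterHashtable @{
    LogName   = $Log
    Id        = @($Map.Values)
    StartTime = $Since
} -ErrorAction SilentlyContinue)

# One row per counter: report value beside the number of events seen in the window
foreach ($Prop in $Map.Keys) {
    $Id = $Map[$Prop]
    [pscustomobject]@{
        Property      = $Prop
        EventId       = $Id
        ReportValue   = $Report.$Prop
        EventsLast24h = @($Events | Where-Object Id -eq $Id).Count
    }
}

# Audit-mode review: these passwords passed only because enforce mode was off.
# Review them before switching to enforce mode to see which processes would break.
$Events |
    Where-Object { $_.Id -in 10024, 10025 } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The summary report counts everything since the DC agent service last started, while the event counts cover only the 24-hour window, so the two columns are a sanity check rather than an exact match.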
