The good news is that Active Directory can be integrated with Azure AD Password Protection feature.
I will be posting a step-by-step guide how to configure integration between AD and Azure AD Password Protection in near future, but for now here is a brief overview:
- You need Azure AD Premium P1 or P2 licences to use Azure AD Password Protection in your on-prem AD.
- There is a DC agent, which needs to be installed on every domain controller.
- There is a Proxy agent which needs to be installed on member server that has access to internet.
- DC agent talks to Proxy agent over RPC.
- Proxy agent connects to Azure AD Password Protection service over HTTPS.
- Azure AD Password Protection can be enabled in audit mode.
- Azure AD Password Protection banned password dictionary does not contain localized (non-English) words at this time.
- You can add your custom banned-word list.
- Custom words do not have to exact match, they can be part of password. For example, if you add "justforadmins" to the banned list, then "justforadmins123" will also be denied.
- Blocked passwords change attempts are logged in the domain controllers event log, there are different events if restriction comes from global blocklist or your custom blocklist.
- Azure AD Password Protection is not a real-time feature, it updates once in an hour. So, if you add your custom banned password, then this change will be updated to domain controllers in an hour or so.
If you do have any questions, feel free to comment.