Monday, February 3, 2020

Step-by-step: Prevent weak passwords in Active Directory using Azure AD Password Protection

Hello guys,

I already posted a few main details about Azure AD Password Protection, and here is a step-by-step guide on how to implement it in your Active Directory.
Before you start, make sure that all the latest Windows updates have been installed and that you have Global Admin rights in Azure AD and Domain Admin rights in Active Directory.

1. Configure Azure AD

Go to the Azure Portal - Azure Active Directory - Security - Authentication Methods - Password Protection and enable password protection for Windows Active Directory and set the mode to audit.

2. Download the agents

Download the Azure AD DC agent and the Azure AD Proxy Service agent; both can be found here.

3. Install the Azure AD Proxy Service agent

Run the AzureADPasswordProtectionProxySetup.exe file, accept the licence agreement and click Install.

Open PowerShell as administrator and execute these commands:

  1. Import-Module AzureADPasswordProtection
  2. Register-AzureADPasswordProtectionProxy -AccountUpn ''
  3. Register-AzureADPasswordProtectionForest -AccountUpn ''
  4. Check the configuration: Get-AzureADPasswordProtectionProxyConfiguration | fl

4. Install the Azure AD DC agent

DC agent installation is as easy as it could be (except that it requires a restart): just run the installation file AzureADPasswordProtectionDCAgentSetup.msi on the domain controller, accept the licence agreement and click Install:

Then click Finish and choose if you want to restart immediately:

5. Monitor weak passwords

Once installed, you can monitor weak passwords in the Event Log under Applications and Services Logs - Microsoft - AzureADPasswordProtection - DCAgent - Admin.

6. Block weak passwords

When you are ready, configure Azure AD Password Protection in Enforced mode to block the passwords. See the first step of this guide.
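Before you switch from Audit to Enforced mode it helps to know how many passwords the DC agents would have rejected, and on which domain controllers. The script below is an added example, not part of the original post or of the Microsoft agent: it reads the DCAgent Admin log (the same log named in the monitoring step, addressed by its channel name) on every DC and summarizes the events per event ID. It assumes the ActiveDirectory module is available and that your account can read remote event logs; the function name is my own.

```powershell
# Added example: summarize Azure AD Password Protection audit findings across all DCs.
function Get-PasswordProtectionAuditSummary {
    [CmdletBinding()]
    param(
        # Domain controllers to query; defaults to every DC in the current domain
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName),
        # How far back to read the DCAgent Admin log
        [int]$Days = 7
    )

    # Channel name of "Applications and Services Logs - Microsoft - AzureADPasswordProtection - DCAgent - Admin"
    $logName = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
    $since   = (Get-Date).AddDays(-$Days)

    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName   = $logName
                StartTime = $since
            }
        }
        catch {
            # Get-WinEvent reports "no events" as an error; treat that as an empty result,
            # anything else (RPC blocked, log missing because the agent is not installed) as a warning
            if ($_.Exception.Message -like 'No events were found*') { continue }
            Write-Warning "Could not read $logName on ${dc}: $($_.Exception.Message)"
            continue
        }

        # One row per event ID per DC. The event text says whether the password failed the
        # global or the custom banned list and whether it was only audited or actually rejected.
        $events | Group-Object -Property Id | ForEach-Object {
            $first = $_.Group | Select-Object -First 1
            $line  = if ($first.Message) { ($first.Message -split "`r?`n")[0] } else { '' }
            [pscustomobject]@{
                DomainController = $dc
                EventId          = [int]$_.Name
                Count            = $_.Count
                FirstLine        = $line
            }
        }
    }
}

# Two weeks of audit data, noisiest event types first
Get-PasswordProtectionAuditSummary -Days 14 |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

A DC that reports no rows after a reasonable audit window is worth checking with the configuration cmdlet from step 3 before you assume nobody there is choosing weak passwords.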
