I already posted a few main details about Azure AD Password Protection, and here is a step-by-step guide how to implement it in your Active Directory.
Before you start, make sure that all the latest Windows updates have been installed and have Global Admin rights in Azure AD and Domain Admin rights in Active Directory.
1. Configure Azure AD
Go to the Azure Portal - Azure Active Directory - Security - Authentication Methods - Password Protection and enable password protection for Windows Active Directory and set the mode to audit.
2. Download the agents
Download the Azure AD DC agent and Azure AD Proxy Service agent, both can be found here
3. Install the Azure AD Proxy Service agent
Run the AzureADPasswordProtectionProxySetup.exe file, accept licence agreement and click install.
Open Powershell as administrator and execute these commands:
- Import-Module AzureADPasswordProtection
- Register-AzureADPasswordProtectionProxy -AccountUpn 'firstname.lastname@example.org'
- Register-AzureADPasswordProtectionForest -AccountUpn 'email@example.com'
- Use this command to check the configuration:
- Get-AzureADPasswordProtectionProxyConfiguration | fl
4. Install the Azure AD DC agent
DC agent installation is as easy as it could be (except that it requires restart) - just run the installation file AzureADPasswordProtectionDCAgentSetup.msi on the domain controller, accept licence agreement and click Install:
Then click Finish and choose if you want to restart immediately:
4. Monitor weak passwords
Once installed you can monitor weak passwords in Event log under Applications and Services Logs - Microsoft - AzureADPasswordProtection - DCAgent - Admin
5. Block weak passwords
When you are ready configure Azure AD Password Protection Enforced mode to block the passwords. See the first step of this guide step .