Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Azure AD Protection to enhance your password policy

  • June 2, 2020
  • 7 min read
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.


As we often hear, “Security is not an option”. It’s why, today, I propose you to monitor weak password, On-Premises and in the cloud.

Weak password On-Premises

The documentation is available here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

To start, download the 2 software, available here: https://www.microsoft.com/download/details.aspx?id=57071

Install the Azure AD Password Protection proxy on a server, On-Premises, who is member of the Active Directory. This proxy will communicate directly to Azure AD:

Azure AD

Active Directory

Verify that the service is running fine:

Verify that the service is running fine

Now, we need to register our proxy, with our Azure AD, with the following command. It will ask you for the password and MFA. This account must be Global Admin of the Azure AD:

password and MFA

It’s time to register our AD forest with the following command. The account that executes the command on PowerShell must be at least, Enterprise Administrator:

AD forest

Now it’s time to install the agent on Domain Controllers. Copy the binary on each DC, and execute the following command. It’s important to restart the Domain Controller to load correct DLLs:

The next step is to activate the On-Premises Password protection on the Azure console. Navigate to the Azure Portal, go to Azure Active Directory > Security > Authentication methods > Password protection:

Activate the On-Premises Password protection

Here, activates the Password protection for Windows Server Active Directory. Currently, I’ll stay on Audit mode, to do not impact my users. You can also provide a list of banned passwords, for example to do not allow company name in the password:

Password protection for Windows Server Active Directory

You can check, with the following command, a report of Azure AD Password Protect:

 Azure AD Password Protect

I changed the password for the Starwind account on my Active Directory, with a weak password. I checked again, and now, I’ve the PasswordSetAuditOnlyFailures parameter to 1:

PasswordSetAuditOnlyFailures

If I check in logs, I have the information that a weak password has been used. But, because I am in audit mode, it has not been blocked. These logs can be found under \Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin, in the Event viewer of one DC:

DCAgent

DCAgent information

If I change the mode to Enforced, I have the following error:

Error

And it has been logged:

Admin Windows PowerShell

Agent Admin

Agent Admin Azure Password Policy

The only problem with this feature is that we can’t check which password has been defined by the user.

Weak password in the cloud

The documentation is available here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad

If you only have cloud users, without On-Premises directory, you need to configure with the following. On the Azure Portal, go to Azure Active Directory > Security > Authentication methods > Password protection:

Password protection

Choose the mode that you want to use and you can also provide a list of banned passwords, for example to do not allow company name in the password:

Mode

If you don’t use the custom list, the Azure AD Free will protect you. If you want to use a custom list, you will need an Azure AD P1/P2 license.

I created a new user, with a default password. During the first login, I had to change it. I tried a password in the password list, and had the following error:

Azure AD P1/P2 license

This feature, is very helpful to manage weak password in your company, with less efforts.

Found Florent’s article helpful? Looking for a reliable, high-performance, and cost-effective shared storage solution for your production cluster?
Dmytro Malynka
Dmytro Malynka StarWind Virtual SAN Product Manager
We’ve got you covered! StarWind Virtual SAN (VSAN) is specifically designed to provide highly-available shared storage for Hyper-V, vSphere, and KVM clusters. With StarWind VSAN, simplicity is key: utilize the local disks of your hypervisor hosts and create shared HA storage for your VMs. Interested in learning more? Book a short StarWind VSAN demo now and see it in action!