One thing I like to get going whenever taking on a new tenant or client is the password protection features. By default, Entra already has some password protection for your cloud users: it detects and blocks known weak passwords such as "password", "password123" or "qwerty", as well as well-known passwords that are readily exploited in the wild. You can go further with a custom banned password list, using common words such as the company name or other default passwords that teams might use. This cloud protection can also be extended to your on-premises Active Directory environment.
To get started, we need to deploy the proxy service and then the DC agents onto each Domain Controller in your environment. For simplicity, I tend to install the password proxy service on the Entra Directory Sync/Azure AD Connect server or, if the site has ADFS in an HA setup, on there. Once the proxy is installed, sign into the Entra admin center, go to Protection > Authentication methods > Password protection, set Enable password protection on Windows Server Active Directory to Yes and set Mode to Audit.

We can configure password protection to use not only the Entra global banned password list but also our custom banned list. I like to add company names and any generic passwords that the helpdesk teams tend to use here, so that users cannot set them.
Once the agents are deployed, we can use PowerShell on the proxy server to check the status of what is happening in our environment, to ensure the DC agents are reporting password change requests and the resulting actions, such as how many attempts would be blocked or used weak passwords.
Get-AzureADPasswordProtectionSummaryReport
The command will cycle through each Domain Controller and then output something similar to the following:

Once you’re happy with the results, you can then switch the mode to Enforced, which will prevent any on-premises weak password changes.
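Before flipping the mode, it helps to turn the summary report into a go/no-go decision. The script below is an added example, not code from the original post: it runs on the proxy server with the AzureADPasswordProtection module, confirms every DC agent is registered and recently checked in, pulls the summary report, and tallies what Enforced mode would have blocked during the audit period. The cmdlet names are the module's own; the property names read from the agent objects (ServerFQDN, HeartbeatUTC, PasswordPolicyDateUTC) and from the report (PasswordChangeAuditOnlyFailures, PasswordSetAuditOnlyFailures, PasswordChangeErrors, PasswordSetErrors and friends) follow the module's documented output and are treated as assumptions here, as are the two staleness thresholds.

```powershell
# Added example (not from the original post): readiness check on the proxy
# server before switching Entra Password Protection from Audit to Enforced.
# Assumes the AzureADPasswordProtection module that ships with the proxy
# service is installed and the shell is elevated.
Import-Module AzureADPasswordProtection

$maxHeartbeatAgeHours = 2    # assumed threshold: agents normally heartbeat about hourly
$maxPolicyAgeHours    = 24   # assumed threshold: policy refresh is also roughly hourly
$nowUtc = (Get-Date).ToUniversalTime()

# 1. Every DC agent should be registered, alive, and running on fresh policy data.
$agents = @(Get-AzureADPasswordProtectionDCAgent)
if ($agents.Count -eq 0) {
    throw 'No DC agents registered yet; check the agent install and proxy connectivity.'
}

$staleAgents = @($agents | Where-Object {
    (($nowUtc - $_.HeartbeatUTC).TotalHours      -gt $maxHeartbeatAgeHours) -or
    (($nowUtc - $_.PasswordPolicyDateUTC).TotalHours -gt $maxPolicyAgeHours)
})
foreach ($a in $staleAgents) {
    Write-Warning ("DC agent on {0} is stale: last heartbeat {1} UTC, policy dated {2} UTC" -f
        $a.ServerFQDN, $a.HeartbeatUTC, $a.PasswordPolicyDateUTC)
}

# 2. Pull the per-DC summary the post refers to and tally the audit results.
#    In Audit mode a password that fails policy is counted under *AuditOnlyFailures
#    rather than *Rejected, so those columns show what Enforced mode would block.
$report = @(Get-AzureADPasswordProtectionSummaryReport)

$wouldBlock = 0
$errors     = 0
foreach ($r in $report) {
    $wouldBlock += $r.PasswordChangeAuditOnlyFailures + $r.PasswordSetAuditOnlyFailures
    $errors     += $r.PasswordChangeErrors + $r.PasswordSetErrors
}

$report |
    Select-Object DomainController,
        PasswordChangesValidated, PasswordSetsValidated,
        PasswordChangeAuditOnlyFailures, PasswordSetAuditOnlyFailures,
        PasswordChangeErrors, PasswordSetErrors |
    Format-Table -AutoSize

# 3. Decide whether the environment is ready for Enforced mode.
if ($errors -gt 0) {
    Write-Warning "$errors validation errors reported; resolve agent/proxy health before enforcing."
} elseif ($staleAgents.Count -gt 0) {
    Write-Warning "$($staleAgents.Count) DC agent(s) stale; enforcing now would leave those DCs on old policy."
} else {
    Write-Host "All $($agents.Count) DC agents healthy."
    Write-Host "Audit mode would have blocked $wouldBlock password change/set attempts."
    Write-Host "Review those with the helpdesk, then switch Mode to Enforced in the Entra admin center."
}
```

The AuditOnlyFailures total is the number to socialise before enforcing: a large count usually means a helpdesk default or a company-name pattern is still in use, and adding it to the custom banned list first avoids a wave of failed password changes on day one.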