Preview: Enforce Azure AD password protection for Windows Server Active Directory

Azure AD password protection and the custom banned password list are public preview features of Azure Active Directory. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Azure AD password protection is a new feature in public preview, powered by Azure Active Directory (Azure AD), that enhances password policies in an organization. The on-premises deployment of Azure AD password protection uses both the global and custom banned password lists stored in Azure AD, and performs the same checks on-premises that Azure AD performs for cloud-based password changes.

There are three software components that make up Azure AD password protection:

  • The Azure AD password protection proxy service runs on any domain-joined machine in the current Active Directory forest. It forwards requests from domain controllers to Azure AD and returns the response from Azure AD back to the domain controller.
  • The Azure AD password protection DC agent service receives password validation requests from the DC Agent password filter DLL, processes them using the password policy currently available locally, and returns the result (pass\fail). This service is also responsible for periodically (once per hour) calling the Azure AD password protection proxy service to retrieve new versions of the password policy. Calls to and from the Azure AD password protection proxy service are made over RPC (Remote Procedure Call) over TCP. Upon retrieval, new policies are stored in a sysvol folder, from which they replicate to the other domain controllers. The DC agent service also monitors the sysvol folder for changes in case other domain controllers have written new password policies there; if a suitably recent policy is already available, the call to the Azure AD password protection proxy service is skipped.
  • The DC Agent password filter DLL receives password validation requests from the operating system and forwards them to the Azure AD password protection DC agent service running locally on the domain controller.

Figure: How Azure AD password protection components work together

License requirements

The benefits of the global banned password list apply to all users of Azure Active Directory (Azure AD).

The custom banned password list requires Azure AD Basic licenses.

Azure AD password protection for Windows Server Active Directory requires Azure AD Premium licenses.

Additional licensing information, including costs, can be found on the Azure Active Directory pricing site.

Download

There are two required installers for Azure AD password protection, which can be downloaded from the Microsoft Download Center.

Answers to common questions

  • No internet connectivity is required from the domain controllers. The machine(s) running the Azure AD password protection proxy service are the only machines requiring internet connectivity.
  • No network ports are opened on domain controllers.
  • No Active Directory schema changes are required.
  • The software uses the existing Active Directory container and serviceConnectionPoint schema objects.
  • There is no minimum Active Directory Domain or Forest Functional level (DFL\FFL) requirement.
  • The software does not create or require any accounts in the Active Directory domains it protects.
  • Incremental deployment is supported with the tradeoff that password policy is only enforced where the domain controller agent is installed.
  • It is recommended to install the DC agent on all DCs to ensure password protection enforcement.
  • Azure AD password protection is not a real-time policy application engine. There may be a delay in the time between a password policy configuration change and the time it reaches and is enforced on all domain controllers.
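Because enforcement only happens on domain controllers where the DC agent service is installed and running, an incremental rollout leaves gaps until every DC is covered. The following Windows PowerShell script is an added example (not code from the Microsoft page or the product) that enumerates every domain controller in the forest and reports whether the DC agent service is running on it. It assumes the Windows service is named AzureADPasswordProtectionDCAgent; that name is passed as a parameter so it can be adjusted if the installed service is named differently, and it uses only the ActiveDirectory module and the service control manager, not any product-specific cmdlets.

```powershell
# Added example, not part of the original page or the product's own tooling.
# Reports which domain controllers are (not) enforcing Azure AD password protection
# by checking the state of the DC agent service on each DC in the forest.
# ASSUMPTION: the DC agent's Windows service name is 'AzureADPasswordProtectionDCAgent'.
param(
    [string]$DcAgentServiceName = 'AzureADPasswordProtectionDCAgent'
)

Import-Module ActiveDirectory

$forest  = Get-ADForest
$results = foreach ($domain in $forest.Domains) {
    # Query each domain for its DCs; -Server targets a DC of that domain.
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $svc = $null
        try {
            # Remote service query over the SCM RPC interface (Windows PowerShell 5.1).
            $svc = Get-Service -Name $DcAgentServiceName -ComputerName $dc.HostName -ErrorAction Stop
        } catch {
            # Either the agent is not installed on this DC or the DC was unreachable;
            # both cases mean no enforcement can be confirmed.
        }

        [pscustomobject]@{
            Domain     = $domain
            DC         = $dc.HostName
            Site       = $dc.Site
            AgentState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled/Unreachable' }
            Enforcing  = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

$results | Sort-Object Domain, DC | Format-Table -AutoSize

# Surface the enforcement gap explicitly so it can be tracked during the rollout.
$gaps = @($results | Where-Object { -not $_.Enforcing })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} of {1} domain controllers are not enforcing Azure AD password protection: {2}" -f `
        $gaps.Count, @($results).Count, ($gaps.DC -join ', '))
} else {
    Write-Host "All $(@($results).Count) domain controllers are running the DC agent service."
}
```

Run it from a domain-joined management host with the RSAT ActiveDirectory module and rights to query services on the DCs. Note that the -ComputerName parameter of Get-Service exists in Windows PowerShell 5.1 but was removed in PowerShell 7; on PowerShell 7 wrap the query in Invoke-Command instead. A DC reported as NotInstalled/Unreachable should be treated as not enforcing until verified, since from the rollout's point of view the two cases are equivalent.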

Next steps

Deploy Azure AD password protection