Azure AD Password Protection monitoring and logging

After the deployment of Azure AD Password Protection, monitoring and reporting are essential tasks. This article goes into detail to help you understand various monitoring techniques, including where each service logs information and how to report on the use of Azure AD Password Protection.

DC agent event logging

On each domain controller, the DC agent service software writes the results of each individual password validation operation (and other status) to a local event log:

\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin

\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational

\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Trace

The DC agent Admin log is the primary source of information for how the software is behaving.

Note that the Trace log is off by default.

Events logged by the various DC agent components fall within the following ranges:

Component Event ID range
DC Agent password filter dll 10000-19999
DC agent service hosting process 20000-29999
DC agent service policy validation logic 30000-39999

DC agent Admin event log

Password validation outcome events

On each domain controller, the DC agent service software writes the results of each individual password validation to the DC agent admin event log.

For a successful password validation operation, there is generally one event logged from the DC agent password filter dll. For a failing password validation operation, there are generally two events logged, one from the DC agent service, and one from the DC Agent password filter dll.

Discrete events to capture these situations are logged, based around the following factors:

  • Whether a given password is being set or changed.
  • Whether validation of a given password passed or failed.
  • Whether validation failed due to the Microsoft global policy, the organizational policy, or a combination.
  • Whether audit only mode is currently on or off for the current password policy.

The key password-validation-related events are as follows:

Password change Password set
Pass 10014 10015
Fail (due to customer password policy) 10016, 30002 10017, 30003
Fail (due to Microsoft password policy) 10016, 30004 10017, 30005
Fail (due to combined Microsoft and customer password policies) 10016, 30026 10017, 30027
Audit-only Pass (would have failed customer password policy) 10024, 30008 10025, 30007
Audit-only Pass (would have failed Microsoft password policy) 10024, 30010 10025, 30009
Audit-only Pass (would have failed combined Microsoft and customer password policies) 10024, 30028 10025, 30029

The cases in the table above that refer to "combined policies" are referring to situations where a user's password was found to contain at least one token from both the Microsoft banned password list and the customer banned password list.

When a pair of events is logged together, both events are explicitly associated by having the same CorrelationId.

Password validation summary reporting via PowerShell

The Get-AzureADPasswordProtectionSummaryReport cmdlet may be used to produce a summary view of password validation activity. An example output of this cmdlet is as follows:

Get-AzureADPasswordProtectionSummaryReport -DomainController bplrootdc2
DomainController                : bplrootdc2
PasswordChangesValidated        : 6677
PasswordSetsValidated           : 9
PasswordChangesRejected         : 10868
PasswordSetsRejected            : 34
PasswordChangeAuditOnlyFailures : 213
PasswordSetAuditOnlyFailures    : 3
PasswordChangeErrors            : 0
PasswordSetErrors               : 1

The scope of the cmdlet’s reporting may be influenced using one of the –Forest, -Domain, or –DomainController parameters. Not specifying a parameter implies –Forest.

The Get-AzureADPasswordProtectionSummaryReport cmdlet works by querying the DC agent admin event log, and then counting the total number of events that correspond to each displayed outcome category. The following table contains the mappings between each outcome and its corresponding event id:

Get-AzureADPasswordProtectionSummaryReport property Corresponding event id
PasswordChangesValidated 10014
PasswordSetsValidated 10015
PasswordChangesRejected 10016
PasswordSetsRejected 10017
PasswordChangeAuditOnlyFailures 10024
PasswordSetAuditOnlyFailures 10025
PasswordChangeErrors 10012
PasswordSetErrors 10013

Note that the Get-AzureADPasswordProtectionSummaryReport cmdlet is shipped in PowerShell script form and if needed may be referenced directly at the following location:

%ProgramFiles%\WindowsPowerShell\Modules\AzureADPasswordProtection\Get-AzureADPasswordProtectionSummaryReport.ps1

Note

This cmdlet works by opening a PowerShell session to each domain controller. In order to succeed, PowerShell remote session support must be enabled on each domain controller, and the client must have sufficient privileges. For more information on PowerShell remote session requirements, run 'Get-Help about_Remote_Troubleshooting' in a PowerShell window.

Note

This cmdlet works by remotely querying each DC agent service’s Admin event log. If the event logs contain large numbers of events, the cmdlet may take a long time to complete. In addition, bulk network queries of large data sets may impact domain controller performance. Therefore, this cmdlet should be used carefully in production environments.

Sample event log message for Event ID 10014 (successful password change)

The changed password for the specified user was validated as compliant with the current Azure password policy.

 UserName: BPL_02885102771
 FullName:

Sample event log message for Event ID 10017 and 30003 (failed password set)

10017:

The reset password for the specified user was rejected because it did not comply with the current Azure password policy. Please see the correlated event log message for more details.

 UserName: BPL_03283841185
 FullName:

30003:

The reset password for the specified user was rejected because it matched at least one of the tokens present in the per-tenant banned password list of the current Azure password policy.

 UserName: BPL_03283841185
 FullName:

Sample event log message for Event ID 30001 (password accepted due to no policy available)

The password for the specified user was accepted because an Azure password policy is not available yet

UserName: SomeUser
FullName: Some User

This condition may be caused by one or more of the following reasons:%n

1. The forest has not yet been registered with Azure.

   Resolution steps: an administrator must register the forest using the Register-AzureADPasswordProtectionForest cmdlet.

2. An Azure AD password protection Proxy is not yet available on at least one machine in the current forest.

   Resolution steps: an administrator must install and register a proxy using the Register-AzureADPasswordProtectionProxy cmdlet.

3. This DC does not have network connectivity to any Azure AD password protection Proxy instances.

   Resolution steps: ensure network connectivity exists to at least one Azure AD password protection Proxy instance.

4. This DC does not have connectivity to other domain controllers in the domain.

   Resolution steps: ensure network connectivity exists to the domain.

Sample event log message for Event ID 30006 (new policy being enforced)

The service is now enforcing the following Azure password policy.

 Enabled: 1
 AuditOnly: 1
 Global policy date: ‎2018‎-‎05‎-‎15T00:00:00.000000000Z
 Tenant policy date: ‎2018‎-‎06‎-‎10T20:15:24.432457600Z
 Enforce tenant policy: 1

Sample event log message for Event ID 30019 (Azure AD Password Protection is disabled)

The most recently obtained Azure password policy was configured to be disabled. All passwords submitted for validation from this point on will automatically be considered compliant with no processing performed.

No further events will be logged until the policy is changed.%n

DC Agent Operational log

The DC agent service will also log operational-related events to the following log:

\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational

DC Agent Trace log

The DC agent service can also log verbose debug-level trace events to the following log:

\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Trace

Trace logging is disabled by default.

Warning

When enabled, the Trace log receives a high volume of events and may impact domain controller performance. Therefore, this enhanced log should only be enabled when a problem requires deeper investigation, and then only for a minimal amount of time.

DC Agent text logging

The DC agent service can be configured to write to a text log by setting the following registry value:

HKLM\System\CurrentControlSet\Services\AzureADPasswordProtectionDCAgent\Parameters!EnableTextLogging = 1 (REG_DWORD value)

Text logging is disabled by default. A restart of the DC agent service is required for changes to this value to take effect. When enabled the DC agent service will write to a log file located under:

%ProgramFiles%\Azure AD Password Protection DC Agent\Logs

Tip

The text log receives the same debug-level entries that can be logged to the Trace log, but is generally in an easier format to review and analyze.

Warning

When enabled, this log receives a high volume of events and may impact domain controller performance. Therefore, this enhanced log should only be enabled when a problem requires deeper investigation, and then only for a minimal amount of time.

DC agent performance monitoring

The DC agent service software installs a performance counter object named Azure AD Password Protection. The following perf counters are currently available:

Perf counter name Description
Passwords processed This counter displays the total number of passwords processed (accepted or rejected) since last restart.
Passwords accepted This counter displays the total number of passwords that were accepted since last restart.
Passwords rejected This counter displays the total number of passwords that were rejected since last restart.
Password filter requests in progress This counter displays the number of password filter requests currently in progress.
Peak password filter requests This counter displays the peak number of concurrent password filter requests since the last restart.
Password filter request errors This counter displays the total number of password filter requests that failed due to an error since last restart. Errors can occur when the Azure AD Password Protection DC agent service is not running.
Password filter requests/sec This counter displays the rate at which passwords are being processed.
Password filter request processing time This counter displays the average time required to process a password filter request.
Peak password filter request processing time This counter displays the peak password filter request processing time since the last restart.
Passwords accepted due to audit mode This counter displays the total number of passwords that would normally have been rejected, but were accepted because the password policy was configured to be in audit-mode (since last restart).

DC Agent discovery

The Get-AzureADPasswordProtectionDCAgent cmdlet may be used to display basic information about the various DC agents running in a domain or forest. This information is retrieved from the serviceConnectionPoint object(s) registered by the running DC agent service(s).

An example output of this cmdlet is as follows:

Get-AzureADPasswordProtectionDCAgent
ServerFQDN            : bplChildDC2.bplchild.bplRootDomain.com
Domain                : bplchild.bplRootDomain.com
Forest                : bplRootDomain.com
PasswordPolicyDateUTC : 2/16/2018 8:35:01 AM
HeartbeatUTC          : 2/16/2018 8:35:02 AM

The various properties are updated by each DC agent service on an approximate hourly basis. The data is still subject to Active Directory replication latency.

The scope of the cmdlet’s query may be influenced using either the –Forest or –Domain parameters.

If the HeartbeatUTC value gets stale, this may be a symptom that the Azure AD Password Protection DC Agent on that domain controller is not running, or has been uninstalled, or the machine was demoted and is no longer a domain controller.

If the PasswordPolicyDateUTC value gets stale, this may be a symptom that the Azure AD Password Protection DC Agent on that machine has is not working properly.

Proxy service event logging

The Proxy service emits a minimal set of events to the following event logs:

\Applications and Services Logs\Microsoft\AzureADPasswordProtection\ProxyService\Admin

\Applications and Services Logs\Microsoft\AzureADPasswordProtection\ProxyService\Operational

\Applications and Services Logs\Microsoft\AzureADPasswordProtection\ProxyService\Trace

Note that the Trace log is off by default.

Warning

When enabled, the Trace log receives a high volume of events and this may impact performance of the proxy host. Therefore, this log should only be enabled when a problem requires deeper investigation, and then only for a minimal amount of time.

Events are logged by the various Proxy components using the following ranges:

Component Event ID range
Proxy service hosting process 10000-19999
Proxy service core business logic 20000-29999
PowerShell cmdlets 30000-39999

Proxy service text logging

The Proxy service can be configured to write to a text log by setting the following registry value:

HKLM\System\CurrentControlSet\Services\AzureADPasswordProtectionProxy\Parameters!EnableTextLogging = 1 (REG_DWORD value)

Text logging is disabled by default. A restart of the Proxy service is required for changes to this value to take effect. When enabled the Proxy service will write to a log file located under:

%ProgramFiles%\Azure AD Password Protection Proxy\Logs

Tip

The text log receives the same debug-level entries that can be logged to the Trace log, but is generally in an easier format to review and analyze.

Warning

When enabled, this log receives a high volume of events and may impact the machine's performance. Therefore, this enhanced log should only be enabled when a problem requires deeper investigation, and then only for a minimal amount of time.

PowerShell cmdlet logging

PowerShell cmdlets that result in a state change (for example, Register-AzureADPasswordProtectionProxy) will normally log an outcome event to the Operational log.

In addition, most of the Azure AD Password Protection PowerShell cmdlets will write to a text log located under:

%ProgramFiles%\Azure AD Password Protection Proxy\Logs

If a cmdlet error occurs and the cause and\or solution is not readily apparent, these text logs may also be consulted.

Proxy discovery

The Get-AzureADPasswordProtectionProxy cmdlet may be used to display basic information about the various Azure AD Password Protection Proxy services running in a domain or forest. This information is retrieved from the serviceConnectionPoint object(s) registered by the running Proxy service(s).

An example output of this cmdlet is as follows:

Get-AzureADPasswordProtectionProxy
ServerFQDN            : bplProxy.bplchild2.bplRootDomain.com
Domain                : bplchild2.bplRootDomain.com
Forest                : bplRootDomain.com
HeartbeatUTC          : 12/25/2018 6:35:02 AM

The various properties are updated by each Proxy service on an approximate hourly basis. The data is still subject to Active Directory replication latency.

The scope of the cmdlet’s query may be influenced using either the –Forest or –Domain parameters.

If the HeartbeatUTC value gets stale, this may be a symptom that the Azure AD Password Protection Proxy on that machine is not running or has been uninstalled.

Next steps

Troubleshooting for Azure AD Password Protection

For more information on the global and custom banned password lists, see the article Ban bad passwords