You may already know that Azure AD uses advanced technologies to protect your credentials, especially your password. It even detects whether the password you are trying to set (for example when you have to change it because it expired) is used too widely, has been compromised, or is banned.

This is a huge security feature, but until now it was only available if you use Azure AD for authentication. Starting today (in preview), you can also use these capabilities with your on-premises Active Directory, through a component called Azure AD password protection for Windows Server Active Directory.

Requirements

First things first, here are the requirements to get it working with your on-premises environment:

  • Deploy a local agent (https://www.microsoft.com/en-us/download/details.aspx?id=57071); this agent must be deployed on a server running Windows Server 2012 or later
  • Azure AD Premium licenses
  • Of course, network communication between the server(s) running the agent and at least one AD DS domain controller
  • Administrative permissions to deploy and configure the agent
    • Azure AD Global administrator for the agent registration
    • AD DS domain administrator on the root forest

How it works

The below diagram is a courtesy of Microsoft, describing how this feature works.


Deployment

  • Download the Azure AD password protection agent here https://www.microsoft.com/en-us/download/details.aspx?id=57071
    • You will see there are 2 MSI packages:
      • AzureADPasswordProtectionDCAgent.msi: to be deployed on domain controllers
      • AzureADPasswordProtectionProxy.msi: manages the communication between your AD DS domain controllers and Azure AD to deliver the service. As usual, it is recommended to deploy it on at least 2 servers for fault tolerance

Deploy the proxy agent

  • Deploy the proxy agent (AzureADPasswordProtectionProxy.msi) on at least 2 servers and register it

NOTE you can deploy it silently, as no installation options are required (msiexec.exe /i AzureADPasswordProtectionProxy.msi /quiet /qn, or with SCCM), and then, once ready, execute the registration steps


Register and configure the proxy agent

  • Open a PowerShell prompt using Run as administrator and execute the following command

NOTE if you already had a PowerShell prompt open, you will need to open a new one

Import-Module AzureADPasswordProtection


  • Execute the registration of the proxy agent to Azure AD (using your Azure AD GA account) and register your domain/forest (in case of a multi-domain forest, you need to use a domain admin account from the root domain)

If your Azure AD global administrator account is the same account as the AD DS domain admin account (and synced to Azure AD), you can omit the -ForestCredential parameter

NOTE it may take some time to complete the registration process for the first agent

$tenantAdminCreds = Get-Credential

$domainAdminCreds = Get-Credential

Register-AzureADPasswordProtectionProxy -AzureCredential $tenantAdminCreds -ForestCredential $domainAdminCreds


You can check that the registration completed successfully (unless you got an error message) by opening the AzureADPasswordProtection Windows Event log (available under Applications and Services Logs\Microsoft\AzureADPasswordProtection\Operational) and looking for the following events:

  • 3000 which logs the registration start
  • 3001 which logs the successful registration


  • Then you can register your AD DS forest using the following command

NOTE you need to run this AD DS forest registration step only once. If you deploy multiple proxy agents, there is no need to run this command again

Register-AzureADPasswordProtectionForest -AzureCredential $tenantAdminCreds


You can check that the forest registration completed successfully (unless you got an error message) by opening the AzureADPasswordProtection Windows Event log (available under Applications and Services Logs\Microsoft\AzureADPasswordProtection\Operational) and looking for the following events:

  • 3003 which logs the registration start
  • 3004 which logs the successful registration
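As an added example (not code from the original post), here is the proxy-side procedure above end to end on one proxy server: silent install, module import, proxy and forest registration, and a check that the start/success event pairs listed above (3000/3001 for the proxy, 3003/3004 for the forest) were written after the registration began, instead of reading them in Event Viewer. Assumptions: the MSI sits at C:\Temp (assumed path); the proxy Operational channel is located with Get-WinEvent -ListLog by a name pattern, because the post gives only the Event Viewer folder, not the channel name; and Test-AadppEvents is a helper written for this example.

```powershell
# Added example, not from the original post: proxy install, registration and
# event-based verification in one script.
# Assumptions: MSI at C:\Temp (assumed); the Operational channel is discovered
# by pattern rather than hard-coded; Test-AadppEvents is a helper for this example.

# 1. Silent install (same msiexec switches as the post) with an exit-code check
$msi  = 'C:\Temp\AzureADPasswordProtectionProxy.msi'
$proc = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$msi`" /quiet /qn" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Proxy install failed (msiexec exit code $($proc.ExitCode))" }

# 2. Load the module; this must be a prompt opened after the MSI was installed
Import-Module AzureADPasswordProtection

# 3. Remember when registration started so only fresh events are counted
$since = Get-Date

# 4. Proxy registration (Azure AD GA) and, once per forest, forest registration
$tenantAdminCreds = Get-Credential -Message 'Azure AD Global Administrator'
$domainAdminCreds = Get-Credential -Message 'AD DS domain admin of the root domain'
Register-AzureADPasswordProtectionProxy  -AzureCredential $tenantAdminCreds -ForestCredential $domainAdminCreds
Register-AzureADPasswordProtectionForest -AzureCredential $tenantAdminCreds

# 5. Confirm the start/success pairs were logged: 3000/3001 (proxy), 3003/3004 (forest)
function Test-AadppEvents {
    param(
        [string]   $LogPattern,   # wildcard passed to Get-WinEvent -ListLog
        [int[]]    $ExpectedIds,
        [datetime] $StartTime
    )
    # Pick the proxy Operational channel (not the DC agent one, if this box is also a DC)
    $log = Get-WinEvent -ListLog $LogPattern -ErrorAction Stop |
           Where-Object { $_.LogName -like '*Operational' -and $_.LogName -notlike '*DCAgent*' } |
           Select-Object -First 1
    if (-not $log) { throw "No event log channel matches '$LogPattern'" }

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "none seen"
    $seen = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = $ExpectedIds; StartTime = $StartTime } `
                -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Id -Unique
    $missing = @($ExpectedIds | Where-Object { $_ -notin $seen })

    [pscustomobject]@{
        Log     = $log.LogName
        Seen    = @($seen)
        Missing = $missing
        Success = ($missing.Count -eq 0)
    }
}

$checks = @(
    Test-AadppEvents -LogPattern '*AzureADPasswordProtection*' -ExpectedIds 3000, 3001 -StartTime $since
    Test-AadppEvents -LogPattern '*AzureADPasswordProtection*' -ExpectedIds 3003, 3004 -StartTime $since
)
$checks | Format-Table Log, Success, Missing -AutoSize
if ($checks.Success -contains $false) {
    throw 'Registration events missing; inspect the Operational log before deploying DC agents'
}
```

On the second proxy server only steps 1, 2 and the proxy registration are repeated; the forest registration (and its 3003/3004 check) is done once per forest, as the note above says.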


A new service container is created in your AD DS forest. This container is used to register all agents (DC or proxy) and the certificates used to authenticate against Azure AD:

CN=Azure AD Password Protection,CN=Services,CN=Configuration,DC=<removed>,DC=local


Deploy the DC agent

NOTE a server restart is required after installing the DC agent

  • Execute the AzureADPasswordProtectionDCAgent.msi and restart the domain controller


You can check that the DC agent registration completed successfully (after the server restart) by opening the AzureADPasswordProtection DC agent Windows Event log (available under Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational) and looking for the following events:

  • 1000 which logs the DLL load
  • 2001 which logs the successful start of the Azure AD Password Protection service
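An added example (not code from the original post) covering the DC agent steps and the service container described earlier: it copies the DC agent MSI to every domain controller, installs it silently, restarts each DC (the restart the note above requires), checks for events 1000 and 2001 written since the last boot, and then lists what the registration created under CN=Azure AD Password Protection,CN=Services in the configuration partition. Assumptions: the MSI sits at C:\Temp on the admin host (assumed path), WinRM is enabled on the DCs, the ActiveDirectory RSAT module is installed locally, the DC agent log channel is discovered by a name pattern containing DCAgent rather than hard-coded, and Test-DcAgentStarted is a helper written for this example.

```powershell
# Added example, not from the original post: DC agent rollout, restart, start-up
# verification and a look at the service container.
# Assumptions: MSI at C:\Temp on this admin host (assumed); WinRM enabled on the DCs;
# ActiveDirectory RSAT module present; DC agent channel name contains 'DCAgent'.

Import-Module ActiveDirectory
$localMsi  = 'C:\Temp\AzureADPasswordProtectionDCAgent.msi'      # assumed path
$remoteMsi = 'C:\Windows\Temp\AzureADPasswordProtectionDCAgent.msi'

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    # Copy from the admin host to the DC's admin share first; installing straight from a
    # UNC path inside Invoke-Command would fail on the second credential hop.
    Copy-Item -Path $localMsi -Destination "\\$dc\C$\Windows\Temp\" -Force

    Invoke-Command -ComputerName $dc -ScriptBlock {
        param($msi)
        $p = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$msi`" /quiet /qn" -Wait -PassThru
        if ($p.ExitCode -ne 0) { throw "DC agent install failed on $env:COMPUTERNAME (exit $($p.ExitCode))" }
    } -ArgumentList $remoteMsi

    # Restart from outside the remote session and wait until WinRM answers again
    Restart-Computer -ComputerName $dc -Force -Wait -For PowerShell -Timeout 900
}

function Test-DcAgentStarted {
    # Looks for 1000 (DLL load) and 2001 (service started) logged since the last boot.
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $log = Get-WinEvent -ListLog '*AzureADPasswordProtection*DCAgent*' -ErrorAction Stop |
               Where-Object { $_.LogName -like '*Operational' } |
               Select-Object -First 1
        if (-not $log) { throw "DC agent Operational log not found on $env:COMPUTERNAME" }
        $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        $ids  = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = 1000, 2001; StartTime = $boot } `
                    -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Id -Unique
        [pscustomobject]@{
            DC             = $env:COMPUTERNAME
            Log            = $log.LogName
            DllLoaded      = (1000 -in $ids)
            ServiceStarted = (2001 -in $ids)
        }
    }
}

$dcs | ForEach-Object { Test-DcAgentStarted -ComputerName $_ } |
    Format-Table DC, DllLoaded, ServiceStarted -AutoSize

# The registration created this container (DN as in the post; the DC= part is your forest's)
$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Azure AD Password Protection,CN=Services,$configNC"
Get-ADObject -SearchBase $container -SearchScope Subtree -Filter * -Properties whenCreated |
    Select-Object Name, ObjectClass, whenCreated |
    Format-Table -AutoSize
```

A DC that reports DllLoaded but not ServiceStarted is the case to look at first: the agent binary is in place but the service did not come up after the restart, so the Operational log on that DC is where to continue.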


That's it: once you have deployed at least one proxy and one DC agent, you can use Azure AD Password Protection on-premises.