Enable Azure AD Password Protection in a hybrid environment 

With default Active Directory password policies, many organizations find that users create weak, easily guessed, or incremental passwords that attackers can easily compromise. Using Azure AD Password Protection, organizations can have an additional layer of security for users’ passwords.  

The good news is you don’t need to abandon on-premises Active Directory to implement stronger password policies or to block users from using breached passwords. We’ll walk through how to enable Azure AD Password Protection for your on-premises environment and where you can choose to augment its capabilities.

What is Azure AD Password Protection? 

The Azure AD Password Protection solution from Microsoft allows you to enforce the default global banned password lists defined in Azure AD in on-premises Active Directory Domain Services (AD DS) environments. You can also choose to create a custom banned list. The Microsoft security team analyzes Azure AD security data to add new weak or compromised passwords to the global ban list and apply it to all password change or reset operations. 

When users change or reset their passwords, the password is checked using the Azure AD Password Protection solution to ensure they are not found on the global banned password list defined in Azure AD. It allows organizations to define password filter lists in Azure AD and have these applied to on-premises AD DS environments in addition to their Azure AD tenant.  

What’s the benefit of doing this? It’s an attempt to solve the age-old problem with end users using the same passwords for multiple accounts, including personal accounts. Users tend to create weak passwords and then exacerbate the risk of their credentials being compromised by reusing these passwords for personal devices and applications. Even passwords that may meet the traditional complexity requirements of Active Directory Domain Services (AD DS) password policies can still be weak and easily guessed with common “leetspeak” transformations. Multiplied across many end users, this creates significant organizational risk. 

Enabling on-premises Azure AD Password Protection

Organizations whose environments are already hybrid before implementing Azure AD Password Protection can extend the password protection to their on-premises AD DS environments. The solution works as follows:

  1. The Azure AD Password Protection Proxy service instance is advertised to on-premises domain controllers in the forest by creating a serviceConnectionPoint object. This object is created in the AD DS environment. 
  2. The domain controller Agent service for Azure AD Password Protection also creates a serviceConnectionPoint object in Active Directory. It uses this object for reporting and diagnostics operations. 
  3. The agent installed on each domain controller initiates the download of new password policies from Azure AD. The forest is queried to find the Azure AD Password Protection Proxy service using the serviceConnectionPoint objects. 
  4. Once found, the domain controller agent sends a password policy download request to the proxy service. The proxy sends the request up to Azure AD. Then it returns the response to the domain controller Agent service. 
  5. Once the domain controller Agent service receives a new password policy from Azure AD, the policy is stored in a dedicated folder at the root of its domain SYSVOL folder. The domain controller Agent service also monitors this folder in case newer policies replicate from other domain controller Agents in the domain. 
  6. The domain controller Agent service requests a new policy at service startup. After that, it checks the age of the policy it currently holds once an hour. If the policy is older than an hour, the domain controller Agent requests a new policy from Azure AD via the proxy service, as described previously. If the policy is within the hour threshold, it continues to use the existing policy. 
  7. When a domain controller receives password change events, the cached policy determines if the new password is accepted or rejected. 
A conceptual overview of Azure AD Password Protection for on-premises ADDS (Source: Microsoft)
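The registration and verification steps that correspond to the flow above, as an added example that is not part of the original article. It assumes the proxy and DC agent installers are already in place, that it runs on the proxy host with the AzureADPasswordProtection module present, and that `admin@contoso.onmicrosoft.com` is a placeholder Global Administrator UPN; cmdlet and property names are those of the module and should be checked against the installed version.

```powershell
# Added example: enable on-premises Azure AD Password Protection and verify the
# serviceConnectionPoint-based discovery and hourly policy refresh described above.
# Assumption: proxy and DC agent MSIs are installed; UPN below is a placeholder.
Import-Module AzureADPasswordProtection

$adminUpn = 'admin@contoso.onmicrosoft.com'   # placeholder Global Administrator account

# Run once on each proxy host: registers the proxy with the tenant. The proxy service then
# advertises itself to domain controllers by creating its serviceConnectionPoint (step 1).
Register-AzureADPasswordProtectionProxy -AccountUpn $adminUpn

# Run once per forest: registers the forest with the Azure AD tenant.
Register-AzureADPasswordProtectionForest -AccountUpn $adminUpn

# Discovery check: these cmdlets read the proxy and DC agent serviceConnectionPoint
# objects in the forest, the same objects an agent queries to locate a proxy (steps 1-3).
Get-AzureADPasswordProtectionProxy |
    Format-Table ServerFQDN, SoftwareVersion, Domain, HeartbeatUTC -AutoSize
$agents = Get-AzureADPasswordProtectionDCAgent
$agents | Format-Table ServerFQDN, Domain, PasswordPolicyDateUTC, HeartbeatUTC -AutoSize

# Freshness check (step 6): a healthy agent refreshes its policy at least hourly, so a policy
# date more than two hours old points at a proxy, connectivity, or SYSVOL replication problem.
$cutoff = (Get-Date).ToUniversalTime().AddHours(-2)
$stale  = $agents | Where-Object { $_.PasswordPolicyDateUTC -lt $cutoff }
if ($stale) {
    Write-Warning ("Stale password policy on: " + ($stale.ServerFQDN -join ', '))
} else {
    Write-Output "All $($agents.Count) DC agents hold a policy newer than $cutoff (UTC)."
}

# Policy storage check (step 5): the agent keeps the downloaded policy in a dedicated
# folder at the root of the domain SYSVOL share (folder name assumed from the agent's
# documented layout). Replication of this folder is what lets other DCs pick it up.
$domainFqdn = (Get-ADDomain).DNSRoot
$policyPath = "\\$domainFqdn\sysvol\$domainFqdn\AzureADPasswordProtection"
Write-Output ("Policy folder present: " + (Test-Path $policyPath))

# Built-in health tests for the proxy (this host) and for the DC agents.
Test-AzureADPasswordProtectionProxyHealth -TestAll
Test-AzureADPasswordProtectionDCAgentHealth -TestAll

# Enforcement check (step 7): summary of password set/change events evaluated against
# the cached policy across the forest, useful for confirming the filter is active.
Get-AzureADPasswordProtectionSummaryReport | Format-List
```

Run the registration cmdlets once, then keep the verification portion as a recurring health check, since a stale policy date is the earliest visible sign that agents have lost their path to Azure AD.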

Azure AD Password Protection on-premises limitations 

There are a few limitations to note with the Azure AD Password Protection on-premises solution. Keep the following considerations in mind: 

  • Azure AD Password Protection on-premises cannot be applied to a subset of users. It is a global solution, and all users receive equal security benefits. 
  • It does not validate existing passwords after it’s installed. It can only enforce password policy on cleartext passwords during the password change or set operation. 
  • Licensing – you must have a valid Azure AD subscription to use the Azure AD Password Protection and an Azure AD Premium P1 or P2 subscription. 
  • The end user experience for Azure AD Password Protection can leave a lot to be desired, especially when compared to a third-party solution like Specops Password Policy.

Two identity sources can create password compliance headaches 

Many organizations today are using Microsoft 365 with Active Directory Domain Services, meaning there is the potential to have multiple identity sources and password policies. Businesses can choose to synchronize passwords between their Active Directory Domain Services and Azure AD. However, they must think about their identity architecture, how they will centralize password compliance, and if they will leverage services like Azure AD Password Protection.  

Those with an Azure AD subscription can use something called Password Writeback. Password Writeback is used when a password change made in Azure AD has to be checked against on-premises policies and written back to on-premises AD DS. Note the following: 

  • It’s included with your Azure AD subscription. 
  • It can synchronize changes to your Active Directory identities to Azure AD at a specified interval. There is a delay with this process. 
  • You can sync custom attributes to third-party solutions. 

Specops Password Policy with Azure AD Connect password synchronization 

In addition to Azure AD Password Protection for on-premises, many organizations choose Specops Password Policy to provide robust modern password policies and breached password protection. With Password Writeback enabled, Azure SSPR checks on-premises password policies before confirming a password reset or change initiated from Azure AD.  

If controlled by Specops Password Policy, the password must meet the specified requirements from Specops Password Policy. If the changed password meets the requirements, the password will be changed in Azure AD and be synced to your on-premises Active Directory Domain Services (AD DS) environment. 

Note the following SSPR user password synchronization flow with Password Writeback: 

Password synchronization flow with SSPR and Password Writeback (Source: Microsoft)

As noted by Microsoft, you can use multiple password protection solutions with password filter DLLs. So, Specops Password Policy will work seamlessly with Azure AD Password Protection to add another layer of password protection in your environment, including a Breached Password Protection feature. Additionally, with the Password Writeback feature enabled, on-premises password policies can be the centralized point of compliance, helping to eliminate password compliance headaches when juggling multiple identity sources. Learn more about Specops Password Policy and try it for free. 

(Last updated on September 12, 2023)


Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.
