Enable Microsoft Entra Password Protection (formerly Azure AD Password Protection) in a hybrid environment 

With default Active Directory password policies, many organizations find that users create weak, easily guessed, or incremental passwords that attackers can easily compromise. Using Microsoft Entra Password Protection (formerly Azure AD Password Protection), organizations can have an additional layer of security for users’ passwords.  

The good news is you don’t need to abandon on-premises Active Directory to implement stronger password policies or to block users from using breached passwords. We’ll walk through how to enable Microsoft Entra Password Protection (formerly Azure AD Password Protection) for your on-premises environment and where you can choose to augment its capabilities. 

What is Microsoft Entra Password Protection (formerly Azure AD Password Protection)? 

The Microsoft Entra Password Protection (formerly Azure AD Password Protection) solution from Microsoft allows you to enforce the default global banned password lists defined in Entra ID (formerly Azure AD) in on-premises Active Directory Domain Services (AD DS) environments. You can also choose to create a custom banned list. The Microsoft security team analyzes Entra ID (formerly Azure AD) security data to add new weak or compromised passwords to the global ban list and apply it to all password change or reset operations. 

When users change or reset their passwords, the password is checked using the Microsoft Entra Password Protection (formerly Azure AD Password Protection) solution to ensure they are not found on the global banned password list defined in Entra ID (formerly Azure AD). It allows organizations to define password filter lists in Entra ID (formerly Azure AD) and have these applied to on-premises AD DS environments in addition to their Entra ID (formerly Azure AD) tenant.  

What’s the benefit of doing this? It’s an attempt to solve the age-old problem with end users using the same passwords for multiple accounts, including personal accounts. Users tend to create weak passwords and then exacerbate the risk of their credentials being compromised by reusing these passwords for personal devices and applications. Even passwords that may meet the traditional complexity requirements of Active Directory Domain Services (AD DS) password policies can still be weak and easily guessed with common “leetspeak” transformations. Multiplied across many end users, this creates significant organizational risk. 

Enabling on-premises Microsoft Entra Password Protection (formerly Azure AD Password Protection)

Organizations whose environments are already hybrid before implementing Microsoft Entra Password Protection (formerly Azure AD Password Protection) can extend the password protection to their on-premises AD DS environments with the following steps: 

  1. The Microsoft Entra Password Protection (formerly Azure AD Password Protection) Proxy service instance is advertised to on-premises domain controllers in the forest by creating a serviceConnectionPoint object. This object is created in the AD DS environment. 
  2. The domain controller Agent service for Microsoft Entra Password Protection (formerly Azure AD Password Protection) also creates a serviceConnectionPoint object in Active Directory. It uses this object for reporting and diagnostics operations. 
  3. The agent installed on each domain controller initiates the download of new password policies from Entra ID (formerly Azure AD). The forest is queried to find the Microsoft Entra Password Protection (formerly Azure AD Password Protection) Proxy service using the serviceConnectionPoint objects. 
  4. Once found, the domain controller agent sends a password policy download request to the proxy service. The proxy sends the request up to Entra ID (formerly Azure AD). Then it returns the response to the domain controller Agent service. 
  5. Once the domain controller Agent service receives a new password policy from Entra ID (formerly Azure AD), the policy is stored in a dedicated folder at the root of its domain SYSVOL folder. The domain controller Agent service also monitors this folder in case newer policies replicate from other domain controller Agents in the domain. 
  6. The domain controller Agent service requests a new policy at the service startup. After the DC Agent service is started, it checks hourly the age of the current policy it has available. If the policy is older than an hour, the domain controller Agent requests a new policy from Entra ID (formerly Azure AD) via the proxy service, as described previously. If the policy is within the hour threshold, it continues to use the existing policy. 
  7. When a domain controller receives password change events, the cached policy determines if the new password is accepted or rejected. 
A conceptual overview of Microsoft Entra Password Protection (formerly Azure AD Password Protection) for on-premises ADDS (Source: Microsoft)
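The following health check, added here as an example and not taken from the article or from Microsoft's own documentation, walks steps 1 to 7 above from the defender's side: it confirms that a proxy is registered, that every DC agent holds a policy newer than the hourly refresh threshold, and that the cached policy is actually rejecting passwords. It assumes the AzureADPasswordProtection PowerShell module installed with the proxy and DC agent, and the property names HeartbeatUTC and PasswordPolicyDateUTC on the objects it returns (assumed from that module, not stated in the article).

```powershell
# Added example: health check for the on-premises Entra Password Protection deployment.
# Assumes the AzureADPasswordProtection module and the property names used below.
Import-Module AzureADPasswordProtection -ErrorAction Stop

# Step 6: an agent refreshes its policy once it is older than an hour, so a policy
# much older than that points at a proxy or connectivity problem. Allow some slack.
$maxPolicyAge = [TimeSpan]::FromHours(2)
$maxHeartbeat = [TimeSpan]::FromHours(1)
$now          = (Get-Date).ToUniversalTime()

# Step 1: proxies advertise themselves to the forest via serviceConnectionPoint objects.
$proxies = Get-AzureADPasswordProtectionProxy
if (-not $proxies) {
    Write-Warning 'No registered proxy found; DC agents cannot download policies from Entra ID.'
}
foreach ($p in $proxies) {
    $age   = $now - $p.HeartbeatUTC
    $state = if ($age -gt $maxHeartbeat) { 'STALE' } else { 'OK' }
    '{0,-6} proxy {1} (v{2}) last heartbeat {3:N0} min ago' -f `
        $state, $p.ServerFQDN, $p.SoftwareVersion, $age.TotalMinutes
}

# Steps 2-6: every DC agent also registers an SCP and reports the date of the policy it holds.
foreach ($a in Get-AzureADPasswordProtectionDCAgent) {
    $policyAge = $now - $a.PasswordPolicyDateUTC
    $state     = if ($policyAge -gt $maxPolicyAge) { 'STALE' } else { 'OK' }
    '{0,-6} agent {1} domain {2} policy from {3:u} ({4:N1} h old)' -f `
        $state, $a.ServerFQDN, $a.Domain, $a.PasswordPolicyDateUTC, $policyAge.TotalHours
}

# Step 7: rejected change/set operations prove the cached policy is being enforced.
# The summary report is aggregated from agent event logs, so run this on a domain controller.
Get-AzureADPasswordProtectionSummaryReport -Forest |
    Select-Object PasswordChangesValidated, PasswordChangesRejected,
                  PasswordSetsValidated, PasswordSetsRejected |
    Format-List
```

A STALE agent whose proxy reports OK usually means the agent cannot locate the proxy through the serviceConnectionPoint objects, which is the discovery path steps 3 and 4 depend on.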

Microsoft Entra Password Protection (formerly Azure AD Password Protection) on-premises limitations 

There are a few limitations to note with the Microsoft Entra Password Protection (formerly Azure AD Password Protection) on-premises solution. Note the following considerations: 

  • Microsoft Entra Password Protection (formerly Azure AD Password Protection) on-premises cannot be applied to a subset of users. It is a global solution, and all users receive equal security benefits. 
  • It does not validate existing passwords after it’s installed. It can only enforce password policy on cleartext passwords during the password change or set operation. 
  • Licensing – you must have a valid Entra ID (formerly Azure AD) subscription to use the Microsoft Entra Password Protection (formerly Azure AD Password Protection) and an Entra ID (formerly Azure AD) Premium P1 or P2 subscription. 
  • The end user experience for Microsoft Entra Password Protection (formerly Azure AD Password Protection) can leave a lot to be desired, especially when compared to a third-party solution like Specops Password Policy. 

Two identity sources can create password compliance headaches 

Many organizations today are using Microsoft 365 with Active Directory Domain Services, meaning there is the potential to have multiple identity sources and password policies. Businesses can choose to synchronize passwords between their Active Directory Domain Services and Entra ID (formerly Azure AD). However, they must think about their identity architecture, how they will centralize password compliance, and if they will leverage services like Microsoft Entra Password Protection (formerly Azure AD Password Protection).  

Those with an Entra ID (formerly Azure AD) subscription can use something called Password Writeback. Password Writeback is used when a password change or reset initiated in Entra ID (formerly Azure AD) must be checked against on-premises policies and written back to on-premises Active Directory. Note the following: 

  • It’s included with your Azure subscription 
  • It can synchronize changes to your Active Directory identities to Entra ID (formerly Azure AD) at a specified interval. There is a delay with this process 
  • You can sync custom attributes to third-party solutions 

Specops Password Policy with Microsoft Entra Connect (formerly Azure AD Connect) password synchronization 

In addition to Microsoft Entra Password Protection (formerly Azure AD Password Protection) for on-premises, many organizations choose Specops Password Policy to provide robust modern password policies and breached password protection. With Password Writeback enabled, Microsoft Entra SSPR (formerly Azure AD SSPR) will check on-premises password policies prior to confirming a password reset or change from Entra ID (formerly Azure AD).  

If controlled by Specops Password Policy, the password must meet the specified requirements from Specops Password Policy. If the changed password meets the requirements, the password will be changed in Entra ID (formerly Azure AD) and be synced to your on-premises Active Directory Domain Services (AD DS) environment. 

Note the following SSPR user password synchronization flow with Password Writeback: 

Password synchronization flow with SSPR and Password Writeback (Source: Microsoft)

As noted by Microsoft, you can use multiple password protection solutions with password filter DLLs. So, Specops Password Policy will work seamlessly with Microsoft Entra Password Protection (formerly Azure AD Password Protection) to add another layer of password protection in your environment, including a Breached Password Protection feature. Additionally, with the Password Writeback feature enabled, on-premises password policies can be the centralized point of compliance, helping to eliminate password compliance headaches when juggling multiple identity sources. Learn more about Specops Password Policy and try it for free. 
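Running two password protection products side by side works because both register as password filter DLLs with LSA on each domain controller. The check below is an added example, not code from the article, Microsoft or Specops: it lists the filters registered on the local domain controller and verifies that each one resolves to an existing, Authenticode-signed file, since every DLL in that list receives cleartext passwords during change and set operations. The LSA registry key is a standard Windows location, not specific to either product.

```powershell
# Added example: enumerate registered password filter DLLs on this domain controller.
# Run on a DC with an elevated session. The key is standard Windows, not product-specific.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($name in $packages) {
    # Entries are stored without the .dll extension and are loaded from System32.
    $path = Join-Path $env:SystemRoot "System32\$name.dll"

    if (-not (Test-Path -Path $path)) {
        # A registered filter that is missing on disk should be investigated, not ignored.
        [pscustomobject]@{ Filter = $name; Path = $path; Present = $false; Signature = 'n/a'; Signer = $null }
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Filter    = $name
        Path      = $path
        Present   = $true
        Signature = $sig.Status                    # expect 'Valid' for every filter
        Signer    = $sig.SignerCertificate.Subject # who published the DLL
    }
}
```

Compare the output across all domain controllers; a filter present on some DCs but not others means the policy is only enforced on a subset of password changes.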

(Last updated on September 19, 2024)


Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.
