As we often hear, “Security is not an option”. That is why, today, I propose to monitor weak passwords, both On-Premises and in the cloud.

Weak password On-Premises

The documentation is available here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

To start, download the two installers (the proxy service and the DC agent), available here: https://www.microsoft.com/download/details.aspx?id=57071

Install the Azure AD Password Protection proxy on an On-Premises server that is a member of the Active Directory domain. This proxy communicates directly with Azure AD:

[Diagram: Active Directory, proxy, Azure AD]

Verify that the service is running fine:


Now we need to register our proxy with our Azure AD, using the following command. It will ask you for the password and MFA. The account must be a Global Admin of the Azure AD:

It’s time to register our AD forest with the following command. The account that executes the command in PowerShell must be at least an Enterprise Administrator:

Now it’s time to install the agent on the Domain Controllers. Copy the binary to each DC and execute the following command. It’s important to restart the Domain Controller so that the correct DLLs are loaded:
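The whole On-Premises procedure above (verify the proxy service, register the proxy, register the forest, install the DC agent, reboot) as one PowerShell script. This is an added example, not a script from the original post. It assumes the proxy server is domain-joined, the installers were downloaded to C:\Temp with the file names from the download package, admin@contoso.com is a placeholder for an account that is Global Admin in Azure AD and Enterprise Admin in the forest, and the cmdlet and service names are those of the AzureADPasswordProtection module and the ActiveDirectory RSAT module.

```powershell
#Requires -RunAsAdministrator
# Added example: Azure AD Password Protection On-Premises rollout.
# Placeholders: $AdminUpn, C:\Temp paths. Cmdlet/service names: AzureADPasswordProtection module.

$AdminUpn = 'admin@contoso.com'   # placeholder: Global Admin (Azure AD) + Enterprise Admin (forest)

# --- Run on the proxy server (domain member, not a DC) ---
# Silent install of the proxy service (installer name from the download package)
Start-Process -FilePath 'C:\Temp\AzureADPasswordProtectionProxySetup.exe' -ArgumentList '/quiet' -Wait

# Verify that the proxy service is running before registering anything
$svc = Get-Service -Name 'AzureADPasswordProtectionProxy'
if ($svc.Status -ne 'Running') { throw "Proxy service is $($svc.Status), expected Running" }

Import-Module AzureADPasswordProtection

# Register this proxy with the tenant: prompts for the password and MFA
Register-AzureADPasswordProtectionProxy -AccountUpn $AdminUpn

# Register the AD forest: the executing account must be at least Enterprise Admin
Register-AzureADPasswordProtectionForest -AccountUpn $AdminUpn

# Built-in health check of the proxy and its connectivity to Azure AD
Test-AzureADPasswordProtectionProxyHealth -TestAll

# --- Install the DC agent on every Domain Controller, then reboot each one ---
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    Copy-Item -Path 'C:\Temp\AzureADPasswordProtectionDCAgentSetup.msi' -Destination "\\$dc\C$\Temp\"
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Start-Process -FilePath 'msiexec.exe' -Wait -ArgumentList `
            '/i', 'C:\Temp\AzureADPasswordProtectionDCAgentSetup.msi', '/quiet', '/qn', '/norestart'
    }
    # The password filter DLL is only loaded at boot, so the agent does nothing until the DC restarts
    Restart-Computer -ComputerName $dc -Force -Wait -For PowerShell -Timeout 900
}

# Confirm every DC reports an agent (run after the reboots)
Get-AzureADPasswordProtectionDCAgent | Format-Table -AutoSize
```

Run the proxy section and the DC loop in separate sessions if you prefer to stagger the DC reboots; the `Restart-Computer -Wait` keeps the loop sequential so only one DC is down at a time.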

The next step is to activate the On-Premises Password protection in the Azure console. Navigate to the Azure Portal and go to Azure Active Directory > Security > Authentication methods > Password protection:

Here, enable Password protection for Windows Server Active Directory. For now I’ll stay in Audit mode, so as not to impact my users. You can also provide a custom list of banned passwords, for example to prevent the company name from being used in a password:

You can get a report of Azure AD Password Protection with the following command:

I changed the password of the Starwind account in my Active Directory to a weak password. When I checked again, the PasswordSetAuditOnlyFailures counter was now 1:

If I check the logs, I can see that a weak password was used. But, because I am in audit mode, it was not blocked. These logs can be found under \Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin, in the Event Viewer of the DC:
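The two checks just described (the summary report and the DCAgent Admin event log) combined into one monitoring script, as an added example that is not from the original post. It assumes it runs on a DC or a domain-joined server with the AzureADPasswordProtection module installed, that the event channel name corresponding to the Event Viewer path above is Microsoft-AzureADPasswordProtection-DCAgent/Admin, and that the report exposes the PasswordSetAuditOnlyFailures and PasswordChangeAuditOnlyFailures properties (the former is the one shown on this page). It goes slightly beyond the post by also counting password changes, not only password sets.

```powershell
# Added example: review Audit-mode results before switching to Enforced.
# Assumptions: AzureADPasswordProtection module present; event channel name as documented
# in the comment below; report property names as assumed in the lead-in.

Import-Module AzureADPasswordProtection

# 1. Per-DC counters. Anything in the *AuditOnlyFailures columns is a weak password that
#    was accepted only because the policy is still in Audit mode.
$report = Get-AzureADPasswordProtectionSummaryReport
$report | Format-Table -AutoSize

$auditOnly = ($report | Measure-Object -Property PasswordSetAuditOnlyFailures -Sum).Sum +
             ($report | Measure-Object -Property PasswordChangeAuditOnlyFailures -Sum).Sum

if ($auditOnly -gt 0) {
    Write-Warning "$auditOnly password set/change operations would have been rejected in Enforced mode."
}

# 2. DC agent events of the last 24 hours, grouped by event ID, so you learn which IDs
#    fire in your environment (the channel name maps to the Event Viewer path
#    Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin).
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
    Select-Object Count, Name, @{ n = 'Sample'; e = { $_.Group[0].Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 3. Export every event whose text mentions a rejection (audit-only or enforced) for review.
#    The message carries the account and the reason, never the password itself.
$events | Where-Object { $_.Message -match 'rejected' } |
    Select-Object TimeCreated, Id, MachineName, Message |
    Export-Csv -Path "$env:TEMP\AADPP-rejections.csv" -NoTypeInformation
```

Run it on each DC (or point `Get-WinEvent` at them with `-ComputerName`) for a few weeks in Audit mode; when the exported list stops surprising you, the switch to Enforced is safe.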

If I change the mode to Enforced, I have the following error:


And it has been logged:


The only limitation of this feature is that we can’t see which password the user tried to set.

Weak password in the cloud

The documentation is available here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad

If you only have cloud users, without an On-Premises directory, configure the feature as follows. In the Azure Portal, go to Azure Active Directory > Security > Authentication methods > Password protection:

Choose the mode that you want to use. You can also provide a custom list of banned passwords, for example to prevent the company name from being used in a password:

If you don’t use the custom list, Azure AD Free will protect you. If you want to use a custom list, you will need an Azure AD P1/P2 license.


I created a new user with a default password. During the first login, I had to change it. I tried a password from the banned list and got the following error:

This feature is very helpful for managing weak passwords in your company, with little effort.

Florent Appointaire
Florent Appointaire is Microsoft Engineer with 5 years of experience, specialized in Cloud Technologies (Public/Hybrid/Private). He is a freelance consultant in Belgium from the beginning of 2017. He is MVP Cloud and Datacentre Management. He is MCSE Private Cloud and Hyper-V certified. His favorite products are SCVMM, SCOM, Windows Azure pack/Azure Stack and Microsoft Azure.