Azure AD Password Protection | Setup and Configuration

Captions
Hi guys, hope you all are doing well, and welcome back to our series on Azure Active Directory. In this video we are going to talk about the setup and portal configuration required for password protection and banned passwords. If you are watching the series from the beginning, in the last video we discussed the theoretical part related to Azure AD password protection, whereas the agenda of this video will be knowing how you should implement password protection: what the different portal configurations are that need to be in place, how to implement password protection for your on-prem environment, what the different setup and installation agents are that you need to make it work, how exactly it works under the hood, and what process is done either by the DC or by the proxy agent. We'll also talk about the service details, which services are responsible for Azure AD password protection to work, and the last thing that I'm going to talk about is the event logs that you should refer to in order to troubleshoot if Azure AD password protection is not working as expected.

Starting off by knowing the portal configuration: when it comes to portal configuration there are two modes which are available. The first one is audit mode and the other one is enforced mode. In audit mode, whenever a bad password reset or change request is initiated... now what do I mean by this? Let's say I have blocked a keyword named "workspace" in the custom banned password list and a user tries to reset the password by using workspace@123. In this case it is a bad password reset attempt which has been made, so if your Azure AD password protection configuration has audit mode, the user will be allowed to reset the password, but events will be generated, whereas in enforced mode, apart from events getting generated, the user will be blocked from resetting that password. These are the only two modes that you have to keep in mind in terms of portal configuration.

So now what I'm going to do is switch to my browser, where I have signed in as global admin and I have opened Azure Active Directory. What you have to do now is click on Security, then click on Authentication methods, and then, as you can see, I'm getting the option of Password protection. Once you click on Password protection there are two more options which are related to custom smart lockout, wherein you can define the lockout threshold and lockout duration in seconds, but what we have to focus on is these four options we get here. The first one is "Enforce custom list", where I'm going to define these two keywords, which are workspace and conceptswork, and then I'm going to enable password protection for my Windows Server Active Directory, and the mode that I'm going to use is enforced mode. My end goal, or the use case which I'm going to demonstrate, will be that if an admin or a user tries to reset their password in the on-prem environment (an admin can do this from Active Directory and a user can simply do this by changing their own password), they should not be able to use these two keywords. This is my end goal which I will show you by the end of this video once all the configuration is done. So this is all that you should know about the portal configuration.

Now let's understand the deployment part of Azure AD password protection for your on-prem environment. For that let's assume a scenario where a company named Concepts Work is trying to implement Azure AD password protection for their on-prem environment. In a nutshell, this service works with all the keywords that you have defined combined with the global banned password list, and you can customize this list as per your enterprise. We'll also have to make sure that we are defining this custom banned password list in Azure Active Directory, but the same set of information has to be replicated to your on-prem environment. Now the question comes: how exactly is it all done, or how does it work? It works on behalf of two different agents: the first one is the DC agent for password protection and the other one is the password protection proxy agent. It's the DC agent which actually validates the bad password reset request, which means matching whether the keyword entered by the user matches any keyword that you have already blocked or banned, whereas the proxy agent has the purpose of downloading the new list, or downloading the new policy, and making it available to your DC. The reason behind this is that you will keep on updating your custom banned password list; that's the reason there are two different agents required in order for Azure AD password protection to work. The names of these two agents have their meaning defined in the name itself. What do I mean by this? The DC agent for password protection will be installed on domain controllers, whereas the password protection proxy agent can be installed on any server that is joined to your domain. But if we talk about Microsoft's recommendation, you should install the DC agent on all your DCs and you must have at least two password protection proxy agents. The reason behind installing the DC agent on all the domain controllers is that the DC agent can only validate the password reset requests received on the domain controller on which the DC agent is installed, so that's why you should install the DC agent on all your domain controllers. There is one more common process which both these agents do, and that is they both register a service connection point in your AD so that they can locate each other. The reason behind this is related to the architecture fundamentals of how Azure AD password protection works, and let me explain this in a real-time scenario.

As I have said before, it will be your Azure Active Directory where you will be defining your keywords, but we have to make sure that all these keywords are available for your on-prem environment as well. It's not the domain controller which is directly going to talk to Azure Active Directory and get the custom banned password list; rather, we place the proxy agent in between the domain controllers and Azure Active Directory, so that the proxy agent can query all the new policies that you have defined and the same can be sent to your DC with the help of the DC agent for password protection. But we also have to make sure that all the configuration is in place. What do I mean by this? The first step which is required is installation of your DC agent. If you do this with the GUI, that is interactive mode, your DC agent requires a restart, which means whichever domain controller we install the DC agent on, we have to reboot it. The next process is installing the password protection proxy agent. The next one is registering the proxy agent so that it can contact Azure Active Directory, and then we will register the forest. Registering the proxy agent requires a global admin credential, whereas registering the forest requires a global admin credential as well as a domain admin account. In order to install the DC agent, what you need is that your server should be Windows Server 2012 R2 or above, .NET Framework 4.5 should be available, there should be network connectivity between the DC and the proxy agent servers, and all the DCs where we will be installing the DC agent must be enabled with DFSR for SYSVOL replication. The only difference between the requirements for the DC agent and the proxy agent is that the proxy agent should be able to contact these endpoints. This can be an entry point for us knowing why we need two agents. There are a couple of design principles on which Azure AD password protection works: for most enterprises, DCs are not exposed to the public internet, which means the first fundamental is that there is no requirement of internet on domain controllers; there should be no new ports that need to be opened for this particular deployment; and we also have to make sure that Azure AD password protection works with all the authentication methods, whether password hash sync, pass-through or federated authentication.

Now let's understand how everything is going to work when you have all the configuration in place, that is, you have done the portal configuration and you have installed the agents. Since we know it's the DC agent which is responsible for validating the bad password attempt, but it's not your domain controller or your DC agent which directly contacts Azure Active Directory to get new lists, what will happen is that the domain controller will try to locate the proxy servers with the help of the SCP which has been registered, and then the domain controller will initiate a request to download the new password policy which is available as of now, which contains all the custom banned password lists, and your proxy agent will contact Azure Active Directory and then get the same set of information replicated to your domain controller. This is the entire process which happens once you have put the agents in place and once the configuration is done, including Azure Active Directory and your on-prem environment.

So now I'm going to switch to my machine where I will be installing the DC agent. This is my DC where I'm going to install the DC agent, and in order to download the file you have to go to this particular link, which I will be sharing in the description section as well; you can review it and just download the DC agent. The moment I click on download I get both options, but since this is the DC I'll select the first one. For this demo I have already downloaded the file and all I have to do is run the setup. So I'm going to initiate the setup. Let me tell you guys, there is no configuration required: all you have to do is install this agent, and then the respective service will be created and will be started by default. As I've said before, the installation of the DC agent with the GUI requires a restart, so I'll click on Yes and switch to my machine where I will be installing the proxy agent.

This is my other machine, where I have signed in with an enterprise admin account, and here I will be installing the proxy agent. As I've said before, the link is the same but the files are different, so for this machine I have downloaded the file which is for the proxy agent. Now I'm going to double-click on this and initiate the installation. This also doesn't require any configuration; the setup will not ask for any configuration, but once the proxy agent is installed there are three commands which you have to run in order to register your proxy connector as well as register your forest. So now I'm going to run the command where I import the module that's required to register the proxy agent. Now that I have successfully imported the module required for the registration, the next command that you have to run is Register-AzureADPasswordProtectionProxy, and the switch that you have to use is -AccountUpn, where you enter your global admin UPN, because this is a directory-wide change which requires admin privilege. I will be prompted for credentials, and once I enter my password this proxy registration process will be completed. As you can see I'm getting the prompt to enter my password; I've entered my password and I'll click on sign in. Once this process is completed, the third command that we have to run is Register-AzureADPasswordProtectionForest. What you have to make sure is that the PowerShell that you are running should be running with at least domain admin privilege, and you again use the same switch which we used with the registration of the proxy. Once both these commands are completed, your setup is complete and the configuration is complete. Now all you have to do is restart the service on the proxy as well as on your DC, then just check the logs to see whether the new policies are now being enforced or not.

So I'll switch back to my DC and restart the service over there, and then I'll restart the service on the proxy, and then let's see what logs we are getting. My DC is restarted now; I'm going to open services.msc and let's see the current state of the Azure AD Password Protection DC Agent service. As you can see it is showing as running as of now, but I'll restart this anyway. The events which get generated on the DC as well as on your proxy have the same folder name; it's just that they are located in a different place. I'll show you how you can check the logs on the DC. On the DC you have to go to Applications and Services Logs, then click on Microsoft, and as you can see I'm getting this option of AzureADPasswordProtection, and here it says DCAgent. If I check the Admin log, you can see that now it says this service is enforcing the following Azure AD policy, which means my DC agent was able to query the new policies that were created in the portal. If I switch back to my proxy machine, let's see what logs we are getting over there. Here you have to go to Event Viewer, again click on Applications and Services Logs, and here the folder name will be different: instead of DCAgent it should be ProxyService. If I open this Admin log I'm not getting any information, but if I click on Operational, as you can see, the Azure AD password protection service was forwarded a message which was successful while reaching the domain controller. So this is how exactly the setup process works.

Now the next thing I have to show you is the use case. For that I'm going to switch to my machine where I have AD, open Active Directory Users and Computers, and from there try to reset a password for a particular user using the blocked keywords which I have added: it was workspace, and let's add @123. I'm going to copy this and change the password of one of my users, and let's see if I'm able to set this as a password or not. As you can see, I'm getting this prompt. Now if I go back to my logs and refresh, as you can see, the reset password request was rejected because it doesn't comply with the policies, and the user is the same one for which we were trying to reset the password. Here itself you'll get all the details related to the logs which are generated. This experience was related to the admin, but let's talk about how this will behave for a user. For that I'm going to give this user a temp password, so that next time this user changes the password he or she should be prompted to enter a new password, and then we'll use the same set of keywords and see if it works or not. I'm going to create a temp password and switch to my machine where I will be signing in with this user account. This is my other machine, where I will sign in with that account with the temp password I created, and then try to reset the password with workspace@123, workspace@123, and now let's see if the password is processed or not. As you can see I'm getting the same prompt, that you cannot reset this password. Now let's come back to our DC and see if we are getting another set of logs related to this, and as you can see, the change password request is also denied.

So this is the entire process that you have to do to set up Azure AD password protection for your on-prem environment. Now a quick summary of what we have discussed: we have discussed the implementation of password protection, the portal configuration, how to enable this feature for your on-prem environment, what setup and installation logs you can refer to, and what service details you should refer to. In my next video I'm going to talk about the new registration experience on Azure AD. So if you guys have learned something new please feel free to subscribe; if you have any feedback, query or suggestion please let me know in the comment section. Thank you so much, thanks for your time.
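The procedure walked through in the video (install both agents, register the proxy and the forest, restart the services, then prove enforcement and read the event logs) as a single PowerShell script. This is an added example, not a script from the video or from Microsoft. The installer paths, the UPN, the test account and the test password are placeholders; the cmdlet names, service names, event-log channel names and event IDs are the product's own as documented by Microsoft. Each numbered step states which host it runs on; it is not meant to be pasted as one run on one machine.

```powershell
# Added example, not from the video. Placeholders: C:\Temp installer paths,
# the Global Administrator UPN, the test user and the test password.
# Run each step in an elevated PowerShell session on the host named in its comment.

# 1. DC agent, on every domain controller. Silent MSI install; the DC agent
#    does not start validating passwords until the DC has been rebooted.
msiexec.exe /i C:\Temp\AzureADPasswordProtectionDCAgentSetup.msi /quiet /qn /norestart
# Restart-Computer -Force   # reboot each DC after the install finishes

# 2. Proxy agent, on at least two domain-joined member servers that can reach
#    the Azure endpoints. The DCs themselves need no internet access.
msiexec.exe /i C:\Temp\AzureADPasswordProtectionProxySetup.msi /quiet /qn /norestart

# 3. Registration, on the proxy host. Proxy registration needs a Global
#    Administrator sign-in; forest registration additionally needs Domain Admin
#    (or Enterprise Admin) rights held by the session that runs it.
Import-Module AzureADPasswordProtection
$globalAdminUpn = 'globaladmin@contoso.onmicrosoft.com'   # placeholder UPN
Register-AzureADPasswordProtectionProxy  -AccountUpn $globalAdminUpn
Register-AzureADPasswordProtectionForest -AccountUpn $globalAdminUpn

# 4. Both agents publish a service connection point in AD; list what is
#    registered so a DC that cannot find a proxy is spotted before testing.
Get-AzureADPasswordProtectionProxy   | Format-Table -AutoSize
Get-AzureADPasswordProtectionDCAgent | Format-Table -AutoSize

# 5. Restart the services so the DC agent pulls the current policy now rather
#    than on its next scheduled refresh.
Restart-Service -Name AzureADPasswordProtectionProxy     # on the proxy host
Restart-Service -Name AzureADPasswordProtectionDCAgent   # on each DC

# 6. Prove enforcement the way the video does (admin-initiated reset), but from
#    PowerShell on a DC. A banned password comes back as AD's generic "does not
#    meet the length, complexity, or history requirement" error, so the event
#    log in step 7 is what tells you it was Azure AD Password Protection.
$testUser = 'jdoe'                                               # placeholder sAMAccountName
$banned   = ConvertTo-SecureString 'workspace@123' -AsPlainText -Force   # contains the banned keyword
try {
    Set-ADAccountPassword -Identity $testUser -Reset -NewPassword $banned -ErrorAction Stop
    Write-Warning 'Reset succeeded: policy not enforced on this DC (audit mode, or agent not yet active).'
} catch {
    Write-Host "Reset rejected as expected: $($_.Exception.Message)"
}

# 7. DC agent Admin log, on the DC that handled the request. Enforced mode:
#    10016 = password change rejected, 10017 = password reset (set) rejected.
#    Audit mode logs the same cases as 10024 / 10025 ("would have been rejected").
$dcLog = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $dcLog; Id = 10016, 10017, 10024, 10025 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 8. Proxy Operational log, on the proxy host: policy downloads forwarded to
#    DCs. An empty result here while step 7 shows nothing either usually means
#    the DC never located a proxy (check the SCPs listed in step 4).
$proxyLog = 'Microsoft-AzureADPasswordProtection-ProxyService/Operational'
Get-WinEvent -LogName $proxyLog -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Step 6 is the useful check to keep around after deployment: because AD reports a banned password with the same error text as any other complexity failure, the only reliable way to distinguish "rejected by the global or custom banned list" from "rejected by the domain's own password policy" is the 10016/10017 (or 10024/10025 in audit mode) event on the DC that processed the request, which is why the video restarts the agent and goes straight to the DCAgent Admin log.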
Info
Channel: Concepts Work
Views: 6,882
Keywords: Azure AD, Azure Active Directory, Azure AD banned Password, Azure AD Password Protection
Id: sYqj3QMX31M
Length: 20min 18sec (1218 seconds)
Published: Sat Nov 23 2019