Azure-AD Bad Password On-prem Integration

Azure-AD has this fantastic feature for cloud accounts called bad passwords. It works by calculating the score while users changing their passwords. Microsoft now extended this feature to on-prem as well. it comes with its own advantages and disadvantages as well.

How does it work?

Azure administrator creates password policy, which gets pulled down to Domain Controllers as Azure AD Policy and gets served in on-prem. Well this is high level at least to say.

Things to keep in mind:

This does not replaces on-prem password policy eg: if your current password policy is 9 chars minimum, expired after 30 days, etc..

This deployment contains two services to be deployed DCAgent and Proxy. As per Microsoft recommendations, DCAgent stays on at least one domain controller, tapping proxy every one hour to pull password policy and apply it on-prem. This option in Azure can be turned on using the following.

By enabling this feature we can use custom banned passwords for organisation specific ones, Mode needs to be set for Enforced to deploy it on-prem.

Password change Process:

  • A user requests a password change to a Domain Controller.
  • The DC Agent Password Filter DLL, receive from the OS, the password validation requests, and forward them to the  Azure AD Password Protection DC Agent, installed on the DC. This Agent then validates if the password is compliance with the locally stored Azure password policy.
  • The Agent on the DC every 1hour locate via the SCP (Service Connection Point) in the forest the Azure AD Password Protection Proxy Service to download a fresh copy of the Azure password policy.
  • The Agent on the DC receives the new version of the Azure password policy from the proxy service and stores it in the Sysvol enabling this new policy to be replicated to all other DCs in the same domain.
  • So Bottom line is Azure AD administrator manages password policy.

How passwords are scored?

  • Azure has something called “global banned password list” which is almost like a dictionary.  This list contains the most insecure passwords set by users. Nobody knows this list, Microsoft using its own threat intelligence to create this list and constantly updates it. It never publishes this list for security reasons. So every user who is trying to change password is subjected to this list + “custom password list” that every customer is provided i.e 1000 words. 
  • Microsoft ratifies every new password in following steps behind the scenes
  • Step -1: it checks for Normalisation in password i.e if “o is substituted with 0” “a is substituted with @” and many more.
  • Step-2: Check if the password is banned using unique processing of fuzzing, substring matching, and score calculation for a password.  

Deployment guide:

Pre requisites:

  • Azure-AD Premium licenses
  • Off course network communication between the server(s) running the agent and at least one AD DS domain controller
  • Administrative permissions to deploy and configure the agent
  • Azure-AD Global administrator for the agent registration
  • ADDS domain administrator on the root forest
  • Turn off MFA while configuration, afterwards turn it on.


Download agents from

  • AzureADPasswordProtectionDCAgent.msi: to be deployed on domain controllers
  • AzureADPasswordProtectionProxy.msi: is managing the communication between your AD DS domain controllers and Azure AD to deliver the service. It is recommended to deploy it on at least 2 servers for HA

Registering Proxy agent: Required in two servers for High availability

Installing DC agent: Requires restart (production hit)



  • Open a PowerShell prompt using the run as administrator and execute the following command

NOTE if you had a PowerShell prompt already opened, you will need to open a new one and type following commands.

Import-Module AzureADPasswordProtection

  • Verify service status by running Get-Service AzureADPasswordProtection

NOTE it may take sometime to complete the registration process for the first agent

  • $AzureAdminCreds = Get-Credential [Azure GA creds]
  • $DomainAdminCreds = Get-Credential [AD DA creds]
  • Register-AzureADPasswordProtectionProxy -AzureCredential $AzureAdminCreds –ForestCredential $DomainAdminCreds
  • Note that proxy server uses a port to talk to Microsoft if you want to change port use following for firewall reasons.
  • Set-AzureADPasswordProtectionProxyConfiguration –StaticPort <portnumber>


NOTE it is important to note that a server restart is required after installing the DC agent

  • Execute the AzureADPasswordProtectionDCAgent.msi and restart the domain controller

That’s all the configuration necessary. Make sure proxy servers can go online. Test the bad passwords it should be working as expected.


Leave a Reply

Your email address will not be published.