1
00:00:01,740 --> 00:00:01,940
Now,

2
00:00:01,940 --> 00:00:05,080
what about a hybrid cloud scenario in which you're doing directory

3
00:00:05,080 --> 00:00:08,900
synchronization from your local Active Directory Domain into Azure

4
00:00:08,900 --> 00:00:12,820
AD? Azure AD has a really nifty feature called Password Protection,

5
00:00:12,820 --> 00:00:14,290
and this, as you can see,

6
00:00:14,290 --> 00:00:18,830
I know the screenshot is a bit small, allows you to do lockouts, so that if an

7
00:00:18,830 --> 00:00:23,530
account is locked out after a certain number of failed attempts,

8
00:00:23,530 --> 00:00:24,540
there's a duration.

9
00:00:24,540 --> 00:00:24,790
Again,

10
00:00:24,790 --> 00:00:29,950
the idea with lockout is not to needlessly raise your support ticket volume

11
00:00:29,950 --> 00:00:33,270
and give your support desk people more work to do; instead,

12
00:00:33,270 --> 00:00:38,510
it's to prevent malicious people from trying to brute force and try millions

13
00:00:38,510 --> 00:00:41,860
of password attempts to sign into one of your systems.

14
00:00:41,860 --> 00:00:46,550
The idea is if they hit a lockout duration for every 10 failed sign‑ins,

15
00:00:46,550 --> 00:00:50,420
that will be too much time and too much work and too much effort, and so

16
00:00:50,420 --> 00:00:52,380
they will be discouraged and they'll move on.

17
00:00:52,380 --> 00:00:53,290
That's the idea.

18
00:00:53,290 --> 00:00:55,490
But the main thing about Password Protection,

19
00:00:55,490 --> 00:00:59,150
if you turn it on in your Azure AD tenant, is you can develop what's

20
00:00:59,150 --> 00:01:03,280
called a custom banned password list. Let's say that you make widgets as

21
00:01:03,280 --> 00:01:06,490
part of your company and you've got different widget products. You don't

22
00:01:06,490 --> 00:01:10,600
want any of your users' passwords, including any part of those names, or

23
00:01:10,600 --> 00:01:13,280
your organization names, your department names,

24
00:01:13,280 --> 00:01:18,020
you can develop the static list. And there's also a bunch of other logic

25
00:01:18,020 --> 00:01:22,930
built in to where you can't try to fool around by using your company

26
00:01:22,930 --> 00:01:29,350
name doing letter substitution, like an @ sign for a, or a $ for s; the

27
00:01:29,350 --> 00:01:33,510
Password Protection in Azure AD is smart enough to recognize those kinds

28
00:01:33,510 --> 00:01:34,880
of variants. And again,

29
00:01:34,880 --> 00:01:38,050
it's probably small on your screen, but there's a yes/no down

30
00:01:38,050 --> 00:01:40,660
there at the bottom of this screenshot that says password

31
00:01:40,660 --> 00:01:44,040
protection for Windows Server Active Directory that can either

32
00:01:44,040 --> 00:01:46,010
run in audit or enforced mode.

33
00:01:46,010 --> 00:01:48,910
And this means if you're doing directory synchronization,

34
00:01:48,910 --> 00:01:53,420
you can extend your Password Protection to on‑premises. And I

35
00:01:53,420 --> 00:01:56,820
say it assumes directory synchronization; you don't technically

36
00:01:56,820 --> 00:01:58,910
need to be using Azure AD Connect,

37
00:01:58,910 --> 00:02:03,720
but I'm presuming you're doing so if you are in a hybrid identity situation.

38
00:02:03,720 --> 00:02:07,780
Long story short, to enable Azure AD Password Protection on‑prem,

39
00:02:07,780 --> 00:02:11,620
it's going to involve installing some proxy services on two or more member

40
00:02:11,620 --> 00:02:15,760
servers locally, and these are just going to communicate over the internet to

41
00:02:15,760 --> 00:02:20,230
the Azure AD endpoints, called the Azure AD Password Protection Proxy, and

42
00:02:20,230 --> 00:02:21,820
you want more than one of those, again,

43
00:02:21,820 --> 00:02:24,570
for high availability. And on your domain controllers,

44
00:02:24,570 --> 00:02:28,910
you'll install an agent password filter DLL, and then,

45
00:02:28,910 --> 00:02:32,670
just with web services, whenever a user attempts a password change,

46
00:02:32,670 --> 00:02:36,290
those passwords are going to be filtered against not only your

47
00:02:36,290 --> 00:02:40,320
local Active Directory Password Policy and potentially fine‑grained

48
00:02:40,320 --> 00:02:41,410
password policies,

49
00:02:41,410 --> 00:02:46,040
but also your Azure AD Password Protection and custom banned password list.

50
00:02:46,040 --> 00:02:46,630
And lastly,

51
00:02:46,630 --> 00:02:51,660
those password policies are replicated via DFSR replication in the SYSVOL

52
00:02:51,660 --> 00:02:56,050
folder. There are a couple of different ways to configure SYSVOL replication, and

53
00:02:56,050 --> 00:03:04,000
Azure AD Password Protection does require that you're using DFSR. Check the exercise files for some more guidance on that.