1
00:00:01,040 --> 00:00:04,840
Lastly, I want to show you where to find Azure AD Password Protection in

2
00:00:04,840 --> 00:00:08,130
the Azure portal because it's kind of tucked off to the side, it's a bit

3
00:00:08,130 --> 00:00:11,760
difficult to find. So, in the Azure portal, you want to go to your Azure

4
00:00:11,760 --> 00:00:14,910
Active Directory tenant, and then in the Settings, you'll want to come down

5
00:00:14,910 --> 00:00:19,170
to Security down here. The Security blade loads up, and then you'll want to

6
00:00:19,170 --> 00:00:24,210
go to Authentication methods under Manage, and then lastly, we have, under

7
00:00:24,210 --> 00:00:24,730
Manage,

8
00:00:24,730 --> 00:00:29,290
we have Password Protection, and this ultimately gets you to where I showed

9
00:00:29,290 --> 00:00:33,420
you in the screenshot where you've got your custom password list and then

10
00:00:33,420 --> 00:00:38,220
whether you want to enable Azure AD Password Protection for local AD. And

11
00:00:38,220 --> 00:00:41,980
Microsoft's official guidance is to start in audit mode, so you don't

12
00:00:41,980 --> 00:00:46,160
create a denial of service, just track and see what happens. That will tell you,

13
00:00:46,160 --> 00:00:49,920
for example, if a local or Azure AD password change would have

14
00:00:49,920 --> 00:00:53,420
failed validation or not, and you can see and track that down and

15
00:00:53,420 --> 00:00:55,320
maybe talk with the user or whatever.

16
00:00:55,320 --> 00:00:55,520
Oh,

17
00:00:55,520 --> 00:00:59,900
I almost forgot. If I go back to the Group Policy Management console and

18
00:00:59,900 --> 00:01:04,440
we take a look at our custom policy that we created, and we linked to the

19
00:01:04,440 --> 00:01:10,600
domain workstation's OU, we can select the GPO, go to Details, and this

20
00:01:10,600 --> 00:01:14,410
is where you can configure that selective disablement that I told you

21
00:01:14,410 --> 00:01:15,770
about, where by default,

22
00:01:15,770 --> 00:01:19,500
both the Computer Configuration and User Configuration Settings

23
00:01:19,500 --> 00:01:21,740
are enabled. But notice that we can choose,

24
00:01:21,740 --> 00:01:31,000
for example, User Configuration settings disabled to disable those and just have the Computer Configuration applied in that GPO.