Going further, I had mentioned that a current trend, or the current trend, with passwords is to have fewer password changes but better password choice by your user. We can implement Azure AD Password Protection to protect our on‑premises users and ensure that they are doing just that. In other words, choosing a strong password.

Azure AD Password Protection is a cloud service that prevents password changes to weak passwords. How do you identify a weak password? Well, you know that in Group Policy you can do your basic complexity: uppercase, lowercase, alphanumeric, non‑alphanumeric, that kind of thing. But I'm talking about a somewhat different approach where you've got those baseline properties, but Azure AD Password Protection is based on the banned password list. Now, there's a global list that Microsoft curates, and they do not publish that because they don't want to give any hints to malicious entities, and then there are custom lists that are administrator‑defined.

So, long story short, with password protection you can add to your own custom list. Let's say that you're a business that makes widgets. You've got widget A, widget B, widget C. By adding those keywords to your custom list, you would prevent a user from creating a password that includes any of those keywords. You know, because the idea is that any well‑known string value is probably going to be among the first tries a malicious entity will use if they're attempting to breach an account. And we'll see this more in the demo, but Azure AD Password Protection also can branch out. So if you had a custom list with an entry of widget, you don't have to think of all the alternate spellings of the word; Password Protection can naturally branch out to cover variants.

Similarly, it picks up traditional weak passwords. You know how every year various tech companies publish the top weakest passwords in the world? Well, you can rest assured that Azure AD Password Protection in the global list already has those, including all variants, including things like substituting a dollar sign for S. What would be another common one? A 1 for an I, all of that kind of stuff. So users aren't going to be able to get away with that kind of shenanigans when they change their password.

Now, if your environment exists only in Azure, Azure AD Password Protection is free to use. However, if you're hybrid cloud, you're going to need to ensure that any users who are covered by Azure AD Password Protection have either an Azure AD Premium P1 or P2 license.

For the exam, we need to go a little bit deeper on password protection. So this is a topology diagram, just a reference topo, that I created in Lucidchart. Let's start at the left and work our way to the right. On the left side, we have our Azure environment where an Azure administrator sets up the password protection, the lists, etc. Those are associated with your company's Azure Active Directory tenant. Now, notice that we go over the internet between Azure and your local on‑premises environment at right. There is not a restriction or a limitation such that you need either a VPN or an ExpressRoute circuit. We're just going over the internet with TCP 443. Check the docs; there may be a couple of additional ports necessary. It's always a good idea to check those docs. I gave you the appropriate links in the exercise files.

But the main part I want you to see for the exam is, number one, when you deploy Azure AD Password Protection, you're going to need to deploy the client‑side service on two servers at the very least. You're going to install the Password Protection proxy service on a member server, and then there's a filter DLL that will be on your domain controllers. The way that Microsoft architected this is that you cannot have the domain controller directly proxying requests from Azure. You have to have a separation of duties. So, like I said, the communication between the on‑prem domain and Azure AD is going to be through that proxy that you have installed on one or more domain member servers, and then the actual password processing takes place in conjunction with the Azure AD Password Protection filter DLL and is replicated to other domain controllers using SYSVOL.
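The banned-list matching the lecture describes (custom terms such as widget, plus disguised variants like a dollar sign for S or a 1 for an I), as an added illustrative example that is not Microsoft's implementation; the stand-in global list, the substitution table and the substring rule are assumptions.

```python
"""Illustrative banned-password checker in the spirit of Azure AD Password
Protection. Added example: the lists, the substitution table and the
matching rule are assumptions, not Microsoft's published algorithm."""
import itertools
import string
from typing import List, Optional, Set

# Constructed stand-in for the unpublished global list, plus a tenant custom
# list like the widget example from the lecture.
GLOBAL_BANNED = {"password", "letmein", "qwerty", "welcome"}
CUSTOM_BANNED = {"widget"}

# Each character maps to the letters it is commonly used to disguise; "1" is
# ambiguous (i or l), so both candidates are tried.
SUBSTITUTIONS = {"$": "s", "5": "s", "@": "a", "4": "a", "0": "o", "3": "e", "1": "il"}


def normalized_forms(password: str) -> Set[str]:
    """Lower-case the password, drop leading/trailing digits and punctuation
    (the usual 'Widget2024!' padding), then expand every substitution."""
    core = password.lower().strip(string.digits + string.punctuation)
    options = [SUBSTITUTIONS.get(ch, ch) for ch in core]
    return {"".join(choice) for choice in itertools.product(*options)}


def banned_terms_in(password: str, banned: Optional[Set[str]] = None) -> List[str]:
    """Return the banned terms found as substrings of any normalized form."""
    banned = (GLOBAL_BANNED | CUSTOM_BANNED) if banned is None else banned
    forms = normalized_forms(password)
    return sorted(term for term in banned if any(term in f for f in forms))


def is_weak(password: str, banned: Optional[Set[str]] = None) -> bool:
    """True when the password contains a banned term, even in disguise."""
    return bool(banned_terms_in(password, banned))


if __name__ == "__main__":
    for candidate in ["Pa$$w0rd123", "W1dgetA!", "Correct-Horse-Battery", "Summer2024"]:
        print(f"{candidate!r}: weak={is_weak(candidate)} terms={banned_terms_in(candidate)}")
```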