1
00:00:01,040 --> 00:00:05,660
Let me turn off the account lockout policy here and click OK.

2
00:00:05,660 --> 00:00:09,560
I just want to keep that at the password level. So there is our

3
00:00:09,560 --> 00:00:12,400
Password Settings object, pretty easy to do.

4
00:00:12,400 --> 00:00:16,740
It's been a mature technology in Windows Server for a long time.

5
00:00:16,740 --> 00:00:21,040
Lastly, let's turn our attention to Azure AD Password Protection.

6
00:00:21,040 --> 00:00:24,940
This, of course, is going to require that you have an Azure subscription.

7
00:00:24,940 --> 00:00:26,290
So, what we can do,

8
00:00:26,290 --> 00:00:29,980
let me actually start at the beginning. In the Azure portal,

9
00:00:29,980 --> 00:00:34,930
portal.azure.com, you can browse to your Azure Active Directory tenant.

10
00:00:34,930 --> 00:00:38,160
You can easily find it just by searching Active Directory.

11
00:00:38,160 --> 00:00:41,340
I have it here in my Recent services list.

12
00:00:41,340 --> 00:00:42,060
Unfortunately,

13
00:00:42,060 --> 00:00:47,780
Azure AD Password Protection is kind of hidden in the Azure AD interface.

14
00:00:47,780 --> 00:00:52,480
What we want to do here is go down to Security, right here, and then in

15
00:00:52,480 --> 00:00:55,680
the Security blade we want to go to, let's see, see,

16
00:00:55,680 --> 00:00:59,220
I'm still stuck, there we go, Authentication methods, and

17
00:00:59,220 --> 00:01:01,950
then lastly we have Password protection.

18
00:01:01,950 --> 00:01:06,240
Now, I want you to understand that unfortunately there is not an

19
00:01:06,240 --> 00:01:10,920
indication that there's more work to be done. Specifically, we want to

20
00:01:10,920 --> 00:01:15,840
protect our on-premises Active Directory Domain Services domain, and you

21
00:01:15,840 --> 00:01:19,290
can see right down at the bottom we have Password protection for Windows

22
00:01:19,290 --> 00:01:20,840
Server Active Directory.
23
00:01:20,840 --> 00:01:21,550
Yes,

24
00:01:21,550 --> 00:01:25,710
you notice that I switched that from No to Yes. And then for your enforcement

25
00:01:25,710 --> 00:01:30,130
mode you can perhaps start with Audit and then check the Azure Active

26
00:01:30,130 --> 00:01:34,400
Directory audit logs to see how it's behaving when users change their

27
00:01:34,400 --> 00:01:37,830
passwords, or if you're ready to enforce those rules,

28
00:01:37,830 --> 00:01:42,120
you can flip it there and then save your change. Now,

29
00:01:42,120 --> 00:01:42,810
like I said,

30
00:01:42,810 --> 00:01:47,300
there's more to this. Let me actually come over here. You're going to need to

31
00:01:47,300 --> 00:01:52,250
download and install the Azure AD Password Protection agents and install those

32
00:01:52,250 --> 00:01:54,930
on at least two servers in your local environment.

33
00:01:54,930 --> 00:01:58,400
Now, again, no VPN, no ExpressRoute required.

34
00:01:58,400 --> 00:02:02,210
You can come to this Microsoft Download Center page just by doing a

35
00:02:02,210 --> 00:02:07,550
Google search like I did for Azure AD Password Protection agents. And

36
00:02:07,550 --> 00:02:09,300
it's a free download, and as you'll see,

37
00:02:09,300 --> 00:02:14,440
there's a separate installer for the proxy and the domain controller agent.

38
00:02:14,440 --> 00:02:18,080
Now you'll probably want to install this service on redundant servers for high

39
00:02:18,080 --> 00:02:22,450
availability, but remember what I said earlier, that the DC,

40
00:02:22,450 --> 00:02:26,290
the domain controller agent, is what installs that filter DLL,

41
00:02:26,290 --> 00:02:31,320
but the actual connectivity between Azure and on-prem has to be

42
00:02:31,320 --> 00:02:34,980
on a member server, and that's the purpose of the Azure AD

43
00:02:34,980 --> 00:02:37,740
Password Protection proxy setup.

44
00:02:37,740 --> 00:02:39,390
So don't forget about that step.
45
00:02:39,390 --> 00:02:42,040
They communicate right over the internet.

46
00:02:42,040 --> 00:02:42,900
And then lastly,

47
00:02:42,900 --> 00:02:47,080
you can configure the Azure AD Password Protection service here back

48
00:02:47,080 --> 00:02:51,200
in the portal by doing things like these are some account lockout

49
00:02:51,200 --> 00:02:54,780
settings here that are similar to the ones that we might have

50
00:02:54,780 --> 00:02:57,640
configured in our Group Policy object.

51
00:02:57,640 --> 00:02:59,480
And then as I told you earlier,

52
00:02:59,480 --> 00:03:03,940
there's the Microsoft-curated banned passwords list that you don't get to see

53
00:03:03,940 --> 00:03:07,270
and then there's the custom list which you do get to create.

54
00:03:07,270 --> 00:03:08,390
And as you can see here,

55
00:03:08,390 --> 00:03:12,780
my fictional company Contoso is located in Nashville, Tennessee, and

56
00:03:12,780 --> 00:03:16,540
let's say our main line of business app is called lobapp.

57
00:03:16,540 --> 00:03:22,630
We've got timwinfo, so these are administrator-created banned passwords, and

58
00:03:22,630 --> 00:03:27,380
this is going to ideally improve the password strength of your users because

59
00:03:27,380 --> 00:03:31,890
they won't be able to include any variation of these strings in their

60
00:03:31,890 --> 00:03:34,540
passwords when they change their passwords.
61
00:03:34,540 --> 00:03:35,940
Again, as I said,

62
00:03:35,940 --> 00:03:39,290
Microsoft is smart enough in their algorithm to do simple

63
00:03:39,290 --> 00:03:42,290
substitution, so you don't have to worry about Contoso

64
00:03:42,290 --> 00:03:43,930
with an upper and lowercase,

65
00:03:43,930 --> 00:03:49,230
you can just specify one and Password Protection would apply the same

66
00:03:49,230 --> 00:03:53,390
protection, that is it would deny the password change if a user tried

67
00:03:53,390 --> 00:03:58,180
to use part or all of the string contoso with a lowercase c or some

68
00:03:58,180 --> 00:04:00,340
other casing. You see what I mean?

69
00:04:00,340 --> 00:04:00,830
So, again,

70
00:04:00,830 --> 00:04:08,000
pretty straightforward here at this point, and that is Azure AD Password Protection in a nutshell.