How is Azure AD Password Protection configured?

This is a follow-up to my previous blog post on how Azure AD Password Protection and Smart Lockout work; see that post for the background on what these features do.

To get started you will need to configure password protection for your tenant. First:

Browse to the Azure portal and navigate to Azure Active Directory > Security > Authentication methods. The password protection settings are on this page.

Now you get to customise your settings:

  • Firstly, set your custom lockout threshold and the duration of the lockout.
  • Secondly, enter the custom banned passwords for your company in the textbox provided (remember to also turn on enforcement of your custom list, otherwise the list is stored but not applied).
  • Thirdly, you have the option to extend the banned password policy to your on-premises AD (we would recommend this). If you start with the ‘Audit’ setting, the agents log which password changes would have been rejected without actually blocking them, which gives you a view of the current state of passwords in your organisation. Once you are ready to finalise this, simply change the setting to ‘Enforced’.

Now you need to install the Azure AD Password Protection proxy service and domain controller agents in your on-premises environment. To do this you can download the agents here. Both the domain controller agent and the proxy agent support silent installation, so they can be rolled out through deployment tools such as SCCM.
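As an added example (not from the original post), the script below shows a silent install of the proxy service and the DC agent, registration of the proxy and forest with the tenant, and the checks to run while the policy is still in Audit mode. It assumes the installers were downloaded to C:\Temp and uses a placeholder Global Administrator UPN that must be replaced; the proxy section runs on the proxy server and the DC agent section on each domain controller, both elevated.

```powershell
# Added example, not part of the original post.
# Assumptions: installers in C:\Temp; $AdminUpn is a placeholder Global Administrator
# account (forest registration additionally needs AD Enterprise Admin rights).
$InstallerDir = 'C:\Temp'                          # assumed download folder
$AdminUpn     = 'admin@contoso.onmicrosoft.com'    # placeholder, replace before use

# --- Proxy server (member server with outbound HTTPS to Azure) ---
# /quiet performs a silent install, which is what SCCM or similar tooling needs.
Start-Process -FilePath "$InstallerDir\AzureADPasswordProtectionProxySetup.exe" `
    -ArgumentList '/quiet' -Wait

# The proxy installer ships the management module used for registration.
Import-Module AzureADPasswordProtection
Register-AzureADPasswordProtectionProxy  -AccountUpn $AdminUpn   # once per proxy
Register-AzureADPasswordProtectionForest -AccountUpn $AdminUpn   # once per forest
Test-AzureADPasswordProtectionProxyHealth -TestAll               # confirms tenant connectivity

# --- Each domain controller ---
# The DC agent is an MSI; /quiet /qn /norestart keeps it silent. The password
# filter only loads after a reboot, so schedule one in your maintenance window.
Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$InstallerDir\AzureADPasswordProtectionDCAgentSetup.msi`" /quiet /qn /norestart" `
    -Wait

# --- Verification (from any machine with the module installed) ---
# Every DC should appear here once its agent has rebooted and pulled the policy.
Get-AzureADPasswordProtectionProxy   | Format-Table -AutoSize
Get-AzureADPasswordProtectionDCAgent | Format-Table -AutoSize

# While the tenant setting is 'Audit', this report counts the password sets and
# changes that would have been rejected; review it before switching to 'Enforced'.
Get-AzureADPasswordProtectionSummaryReport -Forest
```

Run the verification block again after moving to Enforced to confirm the rejected counts start rising and the audit-only counts stop.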