Azure AD Password Protection in Audit Mode - DCs not recording pw changes

SenhorDolas 1,126 Reputation points
2021-10-14T10:30:01.84+00:00

Hi
I installed my agents on a proxy server and on one DC (not my PDC).
I noticed that only the password changes made against that DC are recorded when I run the Get-AzureADPasswordProtectionSummaryReport script...
I remember reading that the DC agent is not required to be installed on all DCs, so I'm wondering why my numbers are so low.
I tested this by changing a password in ADUC connected to the agent DC and then connected to another DC. Only the entry from the agent DC comes up...
Thanks


Accepted answer
  1. JamesTran-MSFT 36,336 Reputation points Microsoft Employee
    2021-10-25T18:06:23.517+00:00

    @SenhorDolas
    I'm doing well, how're you doing?! It's great to work with you again, we previously worked together on your Azure AD Password Protection installation question!

    After doing some more research and reading the blog post, the meaning behind this statement - "It is not necessary that all the DCs are able to communicate with the Azure AD Password Protection Proxy Server..." - is that at least one DC per domain needs to be able to communicate with the Azure AD Password Protection Proxy Service to take the new Password policy, but you'll need to install the DC Agent on all DCs in the domain if you want to secure the domain. For more info.

    Referencing the How Does It Work flow, for when a user requests a password change to a DC:

    • The DC Agent Password Filter dll, from the OS, receives the password validation requests and forwards them to the Azure AD Password Protection DC Agent installed on the DC. This Agent then validates whether the password is compliant with the locally stored Azure password policy.

    With this flow and the author's comment in mind, the Azure AD Password Protection DC Agent is used to take the new Password policy from the Sysvol replication of the Azure AD Password Protection Proxy Server, to ensure the password change request is compliant with the policy.

    However, the Get-AzureADPasswordProtectionSummaryReport cmdlet produces its output by querying the DC agent admin event log, and this Admin event log should only contain that specific DC's events, which is why you're only getting the entry from the agent DC to come up.

    I hope this makes sense! I spoke to @Marilee Turscak-MSFT offline and we both think this is the issue. But since the blog post author is internal to Microsoft, we've also reached out to see if this can be confirmed and will escalate it to our PG team, if needed.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.

2 additional answers

  1. Marilee Turscak-MSFT 33,056 Reputation points Microsoft Employee
    2021-10-22T19:04:21.19+00:00

    This appears to be expected behavior. Based on this Microsoft blog, the DC agent needs to be installed on every DC in your domain if you want the password protection logs.

    The official guide says, "The Azure AD Password Protection DC agent software can only validate passwords when it's installed on a DC, and only for password changes that are sent to that DC."

    Where did you read that the DC agent does not need to be installed on all DCs? If this is stated somewhere, this may be a documentation error.

    1 person found this answer helpful.

  2. JamesTran-MSFT 36,336 Reputation points Microsoft Employee
    2021-10-22T19:19:32.693+00:00

    @SenhorDolas
    Thank you for your post and we apologize for the delayed response!

    Adding onto @Marilee Turscak-MSFT's answer - the DC agent needs to be installed on every DC in your domain if you want the password protection logs.

    When it comes to the Password validation summary reporting via PowerShell (Get-AzureADPasswordProtectionSummaryReport), this cmdlet works by remotely querying each DC Agent admin event log, which could explain why you're only receiving the entry from the DC with the agent installed.

    If you have any other questions, please let us know.
    Thank you for your time and patience throughout this issue.

    1 person found this answer helpful.
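Both answers come down to the same coverage check: a DC without the agent neither validates password changes nor contributes to the summary report. The following script is an added example (not posted in the thread) that lists every DC in the domain against the agents registered in AD and then pulls the summary only from DCs that actually have one. It assumes the ActiveDirectory and AzureADPasswordProtection modules are installed and that Get-AzureADPasswordProtectionDCAgent returns ServerFQDN, SoftwareVersion, Domain and HeartbeatUTC properties, as the module documentation describes.

```powershell
# Added example, not from the Q&A thread: find DCs with no Azure AD Password
# Protection DC agent, i.e. DCs whose password changes are neither validated
# nor visible to Get-AzureADPasswordProtectionSummaryReport.
Import-Module ActiveDirectory
Import-Module AzureADPasswordProtection

function Get-PasswordProtectionCoverage {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Agents whose last heartbeat is older than this are flagged as stale.
        [int]$StaleAfterHours = 24
    )

    # Every DC in the domain, taken from AD so none is missed.
    $allDCs = Get-ADDomainController -Filter * -Server $Domain |
        Select-Object -ExpandProperty HostName

    # Every DC agent that has registered its state in AD for this domain.
    # (Assumed property names: ServerFQDN, SoftwareVersion, Domain, HeartbeatUTC.)
    $agents = Get-AzureADPasswordProtectionDCAgent |
        Where-Object { $_.Domain -eq $Domain }

    $now = (Get-Date).ToUniversalTime()
    foreach ($dc in $allDCs) {
        $agent = $agents | Where-Object { $_.ServerFQDN -eq $dc }
        $status = if (-not $agent) {
            'NO AGENT - changes on this DC are not validated or reported'
        } elseif (($now - [datetime]$agent.HeartbeatUTC).TotalHours -gt $StaleAfterHours) {
            'STALE heartbeat - agent may be stopped'
        } else {
            'OK'
        }
        [pscustomobject]@{
            DomainController = $dc
            AgentInstalled   = [bool]$agent
            AgentVersion     = if ($agent) { $agent.SoftwareVersion } else { $null }
            LastHeartbeatUTC = if ($agent) { $agent.HeartbeatUTC } else { $null }
            Status           = $status
        }
    }
}

# Coverage table first, so gaps are visible before reading any counts.
$coverage = Get-PasswordProtectionCoverage
$coverage | Format-Table -AutoSize

# Per-DC summary only where an agent admin event log can exist.
$coverage | Where-Object AgentInstalled | ForEach-Object {
    Get-AzureADPasswordProtectionSummaryReport -DomainController $_.DomainController
}
```

Any DC reported as NO AGENT explains a low total in the summary report directly: its password changes were never evaluated, so there is nothing in an admin event log for the cmdlet to count.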