Azure Active Directory password protection banned list not working

Anthony Leveritt 0 Reputation points
2023-07-07T12:28:26.2633333+00:00

For some reason we are not able to get our on-prem password protection to work. We have the latest agent installed on all of our DCs and the proxy is installed on a separate non-DC server. There don't seem to be any error messages in event viewer. I can see where the password changes are being successful even when I'm using words that should be banned. Most of the words have been in the list 24+ hours. I also ran TestAll on the proxy and it passed on VerifyTLSConfiguration, VerifyProxyRegistration and VerifyAzureConnectivity. What am I missing here? What else can I check / try to get this working?

I also ran these tests:

```powershell
PS C:\Windows\system32> Get-AzureADPasswordProtectionSummaryReport

DomainController                : dcname1
PasswordChangesValidated        : 881
PasswordSetsValidated           : 679
PasswordChangesRejected         : 44
PasswordSetsRejected            : 12
PasswordChangeAuditOnlyFailures : 6
PasswordSetAuditOnlyFailures    : 0
PasswordChangeErrors            : 0
PasswordSetErrors               : 0

DomainController                : dcname2
PasswordChangesValidated        : 763
PasswordSetsValidated           : 1005
PasswordChangesRejected         : 29
PasswordSetsRejected            : 10
PasswordChangeAuditOnlyFailures : 0
PasswordSetAuditOnlyFailures    : 0
PasswordChangeErrors            : 0
PasswordSetErrors               : 2

DomainController                : dcname3
PasswordChangesValidated        : 0
PasswordSetsValidated           : 0
PasswordChangesRejected         : 0
PasswordSetsRejected            : 0
PasswordChangeAuditOnlyFailures : 0
PasswordSetAuditOnlyFailures    : 0
PasswordChangeErrors            : 0
PasswordSetErrors               : 0

PS C:\Windows\system32> Test-AzureADPasswordProtectionDCAgentHealth -TestAll

DiagnosticName             Result AdditionalInfo
--------------             ------ --------------
VerifyPasswordFilterDll    Passed
VerifyForestRegistration   Passed
VerifyEncryptionDecryption Passed
VerifyDomainIsUsingDFSR    Passed
VerifyAzureConnectivity    Passed

PS C:\Windows\system32>
```

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-07-10T06:59:19.1033333+00:00

    @Anthony Leveritt Thank you for reaching out to us. As I understand, you are trying to deploy the Azure AD Password Protection feature and it is not working as expected.

    To start the troubleshooting, I would like to check which mode it is deployed in, audit or enforced mode? - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations#:~:text=select%20Save.-,Modes%20of%20operation,-When%20you%20enable

    I would request you to go through the steps of the password testing procedures mentioned here - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq#password-testing-procedures:~:text=AD%20Password%20Protection.-,Password%20testing%20procedures,-You%20may%20want

    If the above information doesn't help to resolve this issue, let me know and we can connect offline and troubleshoot this issue further.

    You can send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:Givary" and link of this QnA post as a reference.

    Regards

    Girish
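
As an added example (not from the question or from Givary's answer), here is a PowerShell script that reads the per-DC counters that `Get-AzureADPasswordProtectionSummaryReport` prints and flags the two conditions that most often explain why a banned word is still accepted: audit-only failures (that DC evaluated the password in Audit mode and let it through) and a DC that has evaluated no passwords at all (the agent on it is not in the path of the password changes). The function name `Find-PasswordProtectionIssues` is hypothetical; the counter names are the ones the cmdlet outputs above, and the sample objects are constructed from the numbers in the question so the script runs without a domain controller.

```powershell
# Added example, not code from the question or the answer.
# Find-PasswordProtectionIssues is a hypothetical helper that interprets one
# summary-report object per domain controller. Counter names match the output of
# Get-AzureADPasswordProtectionSummaryReport shown in the question.
function Find-PasswordProtectionIssues {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Report
    )
    process {
        $validated = [int]$Report.PasswordChangesValidated + [int]$Report.PasswordSetsValidated
        $rejected  = [int]$Report.PasswordChangesRejected  + [int]$Report.PasswordSetsRejected
        $auditOnly = [int]$Report.PasswordChangeAuditOnlyFailures + [int]$Report.PasswordSetAuditOnlyFailures
        $errors    = [int]$Report.PasswordChangeErrors + [int]$Report.PasswordSetErrors

        $findings = [System.Collections.Generic.List[string]]::new()

        # Nothing counted at all: the agent on this DC never saw a password operation,
        # so a test change handled by this DC is not being evaluated.
        if (($validated + $rejected + $auditOnly + $errors) -eq 0) {
            $findings.Add('no password operations evaluated on this DC; confirm the DC agent service is running and that this DC actually handled your test changes')
        }

        # AuditOnlyFailures are passwords that WOULD have been rejected but were allowed
        # because the policy in effect on this DC was Audit, not Enforce.
        if ($auditOnly -gt 0) {
            $findings.Add("$auditOnly audit-only failure(s): banned passwords were accepted because this DC evaluated them in Audit mode; check the mode in the Azure portal")
        }

        if ($errors -gt 0) {
            $findings.Add("$errors evaluation error(s): review the DC agent Admin event log on this DC")
        }

        if ($findings.Count -eq 0) { $findings.Add('counters look healthy') }

        [pscustomobject]@{
            DomainController = $Report.DomainController
            Validated        = $validated
            Rejected         = $rejected
            AuditOnly        = $auditOnly
            Errors           = $errors
            Findings         = ($findings -join '; ')
        }
    }
}

# Constructed sample input mirroring the three DCs in the question.
$sample = @(
    [pscustomobject]@{ DomainController = 'dcname1'; PasswordChangesValidated = 881; PasswordSetsValidated = 679
                       PasswordChangesRejected = 44; PasswordSetsRejected = 12
                       PasswordChangeAuditOnlyFailures = 6; PasswordSetAuditOnlyFailures = 0
                       PasswordChangeErrors = 0; PasswordSetErrors = 0 }
    [pscustomobject]@{ DomainController = 'dcname2'; PasswordChangesValidated = 763; PasswordSetsValidated = 1005
                       PasswordChangesRejected = 29; PasswordSetsRejected = 10
                       PasswordChangeAuditOnlyFailures = 0; PasswordSetAuditOnlyFailures = 0
                       PasswordChangeErrors = 0; PasswordSetErrors = 2 }
    [pscustomobject]@{ DomainController = 'dcname3'; PasswordChangesValidated = 0; PasswordSetsValidated = 0
                       PasswordChangesRejected = 0; PasswordSetsRejected = 0
                       PasswordChangeAuditOnlyFailures = 0; PasswordSetAuditOnlyFailures = 0
                       PasswordChangeErrors = 0; PasswordSetErrors = 0 }
)

$sample | Find-PasswordProtectionIssues | Format-List

# Live use on a DC: feed the real cmdlet instead of the constructed sample.
# Get-AzureADPasswordProtectionSummaryReport | Find-PasswordProtectionIssues | Format-List
#
# To see the per-password outcome behind the counters, read the DC agent's Admin log
# (the log name is the one the DC agent writes to on the domain controller):
# Get-WinEvent -LogName 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' -MaxEvents 50 |
#     Select-Object TimeCreated, Id, Message
```

On the sample data this reports dcname1 with 6 audit-only failures (the DC was not enforcing when those passwords were evaluated), dcname2 with 2 errors worth looking up in its agent log, and dcname3 with no activity at all. Run the live version on each DC, and run it again shortly after a deliberate test change so that the counter that moved tells you which DC processed the change and whether it was validated, rejected, or allowed in audit mode.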
