Questions regarding https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad

Shinde, Balaji 116 Reputation points
2023-01-18T13:24:11.3433333+00:00

Hi Team,

We have an Azure tenant; our on-prem AD is synced with this Azure tenant, and password writeback is also enabled. Now we want to enable the banned password list for both Azure AD and on-prem.

I have a question regarding this:

  1. If we enable the feature in Azure AD, will this affect our on-prem users synced to Azure AD, or will it affect only the member accounts created directly in Azure?
  2. We have password writeback enabled, so when an on-prem synced user tries to reset their password using the Azure portal, will the banned password feature come into play?

If in both scenarios it is not going to affect on-prem synced users, I can go ahead and install the agents for on-prem AD to use this feature.

I am asking this because we don't have any test tenant where on-prem users are synced and which has a premium license.


Accepted answer
  1. Andy David - MVP 137.9K Reputation points MVP
    2023-01-18T13:49:01.6066667+00:00

    Hi, it's applied to ALL users in the Azure tenant, including synced ones.

    I assume you are also syncing password hashes from on-prem.

    When a password is changed or reset for any user in an Azure AD tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Azure AD customers.

    Yes, if the change is being made in Azure, it will apply.


1 additional answer

  1. Thameur-BOURBITA 28,471 Reputation points
    2023-01-21T16:37:44.2933333+00:00

    Hi @Shinde, Balaji

    1. If we enable the feature in Azure AD, will this affect our on-prem users synced to Azure AD, or will it affect only the member accounts created directly in Azure?

    You can extend the security benefits of Azure AD Password Protection into your AD DS environment; you have to install the agent on all your on-premises domain controllers.

    How Azure AD Password Protection components work together

    2. We have password writeback enabled, so when an on-prem synced user tries to reset their password using the Azure portal, will the banned password feature come into play?

    Yes, if you enabled password hash synchronization, this feature will also be applied to synchronized users in a hybrid environment if they try to change their password through the Azure portal.

    For more details, I invite you to read the following links:

    On-premises hybrid scenarios

    Enforce on-premises Azure AD Password Protection for Active Directory Domain Service

    Please don't forget to mark the helpful answer as accepted.
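The two answers above cover the policy question; what they do not show is how to confirm that the on-prem side is actually registered and enforcing. The following PowerShell is an added example, not part of either answer or of Microsoft's documentation. It assumes the proxy and DC agent MSIs are already installed, that `globaladmin@contoso.com` and the forest name `contoso.com` are placeholders to replace, and that the `AzureADPasswordProtection` module shipped with the proxy is available on the machine you run it from (check cmdlet and parameter names with `Get-Command -Module AzureADPasswordProtection` before relying on them).

```powershell
# Added example (not from the thread): register and verify on-prem Azure AD Password
# Protection so the tenant's banned-password policy also applies to password changes
# made directly against on-prem DCs. Account, forest and server names are placeholders.

Import-Module AzureADPasswordProtection

# --- 1. On the proxy server: register this proxy with the tenant (once per proxy). ---
Register-AzureADPasswordProtectionProxy -AccountUpn 'globaladmin@contoso.com'

# --- 2. Still on the proxy: register the forest (once per forest). ---
Register-AzureADPasswordProtectionForest -AccountUpn 'globaladmin@contoso.com'

# --- 3. Verify that the proxy and every DC agent are checking in. ---
Get-AzureADPasswordProtectionProxy |
    Format-Table ServerFQDN, SoftwareVersion, HeartbeatUTC -AutoSize
Get-AzureADPasswordProtectionDCAgent |
    Format-Table ServerFQDN, Domain, SoftwareVersion, PasswordPolicyDateUTC, HeartbeatUTC -AutoSize

# A DC agent with no downloaded policy (empty PasswordPolicyDateUTC) or a stale heartbeat
# is not enforcing the banned list. The two-hour threshold is an assumption for this example.
$stale = (Get-Date).ToUniversalTime().AddHours(-2)
$unhealthy = Get-AzureADPasswordProtectionDCAgent |
    Where-Object { -not $_.PasswordPolicyDateUTC -or $_.HeartbeatUTC -lt $stale }
if ($unhealthy) {
    Write-Warning "DC agents without a current policy or heartbeat:"
    $unhealthy | Format-Table ServerFQDN, PasswordPolicyDateUTC, HeartbeatUTC -AutoSize
}

# --- 4. Built-in health checks (run the first on the proxy, the second on a DC). ---
Test-AzureADPasswordProtectionProxyHealth -TestAll
Test-AzureADPasswordProtectionDCAgentHealth -VerifyAll

# --- 5. Per-DC counts of validated, rejected and audit-only password operations. ---
# Non-zero "AuditOnly" columns with zero "Rejected" columns mean the policy is still in
# Audit mode and nothing is being blocked yet.
Get-AzureADPasswordProtectionSummaryReport -Forest 'contoso.com' | Format-Table -AutoSize

# --- 6. Recent DC agent events grouped by event ID, for a quick look at what is firing. ---
Get-WinEvent -LogName 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' -MaxEvents 500 |
    Group-Object Id | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

Two points worth checking after running this. First, the on-prem agents start in Audit mode; until the mode is switched to Enforced in the tenant's Password Protection settings, the summary report will show audit-only failures but no rejections, so a password that the Azure portal reset path rejects can still be set on-prem. Second, because the DC agents pull the policy from Azure through the proxy, a DC agent whose `PasswordPolicyDateUTC` never updates is the thing to troubleshoot before assuming the list is in effect for on-prem changes.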