This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 93%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Hi Team,
We are looking implement on-premised entra password protection and following document and we have a question before we can proceed further.
We want to understand if password is sent from On-premises AD to Azure AD?
Sandeep
Hi Sandeep,
Based on the provided documentation, the actual password validation happens locally within the on-premises environment using the banned password lists obtained from Azure. The passwords themselves are not sent to Azure AD for validation. The communication with Azure is primarily for the proxy service to download the banned password lists, which are then used by the DC agent during password change events.
Hope this helps.
Please upvote, if this answer helped you.
Hi Sandeep,
Based on the provided documentation, the actual password validation happens locally within the on-premises environment using the banned password lists obtained from Azure. The passwords themselves are not sent to Azure AD for validation. The communication with Azure is primarily for the proxy service to download the banned password lists, which are then used by the DC agent during password change events.
Hope this helps.
Hi Sandeep,
The Proxy service's role is to relay requests for password policy downloads from the Domain Controllers (DCs) to Microsoft Entra Identity Directory, and then to channel back the responses to the DCs.
Within this framework, the DC Agent's password filter DLL is tasked with managing password validation requests originating from the OS, which it then forwards to the local DC's DC Agent service.
Subsequently, the DC Agent service evaluates these requests against the available password policy stored locally and decides whether they pass or fail.
Given that the document doesn't directly answer your query regarding the policy download frequency, we can infer based on common practices that these policies are likely not retrieved at each instance of a password reset. This approach minimizes unnecessary network use and increases system efficiency.
Normally, such policies would be expected to refresh at predetermined intervals or upon policy changes. The specifics of these intervals or triggers could vary based on Microsoft's proprietary configuration settings or might be adaptable to accommodate the needs of different organizational IT infrastructures.
Furthermore, direct engagement with their support team would be advisable, as they could provide more granular details or guidance on managing synchronization timings and policy update triggers.
Happy day ahead.
Regards,
Dr. Gomathi S
Hi Dr Gomathi,
Thanks a lot for taking time to answer my query.
Thank you.
Sandeep
Hi Dr Gomathi,
Thanks for quick answer. I have a followup question. How often does the proxy download policies from Azure AD? Does it download during every password resets?
Documents mentions how it works, but doesn't mention anywhere if policies are downloaded to DC, so I was confused. It is not very clear in the document.
Sandeep
As is always the way, there are multiple documents which seem to say much the same thing, but often have extra snippets of goodness in them. In this case, Sandeep, I think https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad-on-premises#how-microsoft-entra-password-protection-works includes the fact that the DC agent will request a new copy of the policy if the existing one is older than an hour. So, I guess, if you have password set/change events relatively rarely (i.e. more than an hour apart), it will get a new policy each time, but if you have lots of events happening all the time, then you'll just get a new policy every hour.
The docs also say that if no policy is available, then passwords will be accepted unvalidated - however, what isn't clear is whether the DC will immediately discard a policy which is older than an hour. In other words, if it decides the current policy is old and it should get a new policy, but there's a problem with the proxy service, so can't get a new copy, will it the password with the old policy, or discard the old policy (because it is > 1 hour old) and accept the password without validation.