question

0 Votes
SenhorDolas-2197 asked SenhorDolas-2197 commented

Azure AD Password Protection in Audit Mode - DC's not recording pw changes

Hi
I installed my agents on a proxy server and on one DC (not my PDC).
I noticed that only the password changes made against that DC are recorded when I run the Get-AzureADPasswordProtectionSummaryReport script...
I remember reading that the DC agent is not required to be installed on all DCs, so I'm wondering why my numbers are so low.
I tested this by changing a password in ADUC connected to the agent DC and then connected to another DC. Only the entry from the agent DC comes up...
Thanks

azure-ad-password-protection

@sikumars-msft + @vipulsparsh-MSFT
Please can you assist on this one?

0 Votes 0 ·
1 Vote
JamesTran-MSFT answered SenhorDolas-2197 commented

@SenhorDolas-2197
I'm doing well, how're you doing?! It's great to work with you again, we previously worked together on your Azure AD Password Protection installation question!


After doing some more research and reading the blog post, the meaning behind this statement - "It is not necessary that all the DCs are able to communicate with the Azure AD Password Protection Proxy Server..." - is that at least one DC per domain needs to be able to communicate with the Azure AD Password Protection Proxy Service to take the new password policy, but you'll need to install the DC Agent on all DCs in the domain if you want to secure the domain. For more info.


Referencing the How Does It Work flow, for when a user requests a password change to a DC:

  • The DC Agent Password Filter dll from the OS receives the password validation requests and forwards them to the Azure AD Password Protection DC Agent installed on the DC. This Agent then validates whether the password is compliant with the locally stored Azure password policy.

With this flow and the author's comment in mind, the Azure AD Password Protection DC Agent is used to take the new Password policy from the Sysvol replication of the Azure AD Password Protection Proxy Server, to ensure the password change request is compliant with the policy.


However, the Get-AzureADPasswordProtectionSummaryReport cmdlet produces its output by querying the DC agent admin event log, and this Admin event log should only contain that specific DC's events, which is why you're only getting the entry from the agent DC to come up.


I hope this makes sense! I spoke to @MarileeTurscak-MSFT offline and we both think this is the issue. But since the blog post author is internal to Microsoft, we've also reached out to see if this can be confirmed and will escalate it to our PG team, if needed.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



@SenhorDolas-2197
Thank you for your time and patience throughout this issue!

We received an update from the author of the blog post, and if you've only installed the DC agent on 1 DC - the Get-AzureADPasswordProtectionSummaryReport will read events only from that DC.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

1 Vote 1 ·

Thanks @JamesTran-MSFT
I appreciate the length of your and @MarileeTurscak-MSFT's efforts to get me sorted.

I will install the agent on many more DCs then. Can I have more than one proxy server also?

Please can we have the documentation adjusted to make clear that the password will only be validated on a DC with the agent installed. The replicated .dll file led me to believe all DCs would do this.

Again Many many thanks to you all.
M

0 Votes 0 ·

Thank you for the follow up on this!

Based off our Azure Active Directory Password Protection documentation, it looks like you can have multiple Azure AD Password Protection Proxy Services work together. For more info.
Azure AD Password Protection proxy service


I've also created a GitHub issue and PR to update our documentation.


If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.

0 Votes 0 ·
1 Vote
MarileeTurscak-MSFT answered SenhorDolas-2197 commented

This appears to be expected behavior. Based on this Microsoft blog, the DC agent needs to be installed on every DC in your domain if you want the password protection logs.

The official guide says, "The Azure AD Password Protection DC agent software can only validate passwords when it's installed on a DC, and only for password changes that are sent to that DC."

Where did you read that the DC agent does not need to be installed on all DCs? If this is stated somewhere, this may be a documentation error.


@MarileeTurscak-MSFT @JamesTran-MSFT
Hi guys. Thanks for helping me with this one.
I read this on that same blog:
"It is not necessary that all the DCs are able to communicate with the Azure AD Password Protection Proxy Server. If you have a very complex Active Directory environment, you can configure a minimum of one DC per domain to be able to connect to the AAD Password Protection Proxy Servers, and the other DCs will take the new policy from the Sysvol replication."

If this is incorrect please let me know as I need to adjust my deployment!

Thanks M

0 Votes 0 ·
1 Vote
JamesTran-MSFT answered SenhorDolas-2197 commented

@SenhorDolas-2197
Thank you for your post and we apologize for the delayed response!

Adding onto @MarileeTurscak-MSFT 's answer - the DC agent needs to be installed on every DC in your domain if you want the password protection logs.

When it comes to the password validation summary reporting via PowerShell (Get-AzureADPasswordProtectionSummaryReport), this cmdlet works by remotely querying each DC Agent admin event log, which could explain why you're only receiving the entry from the DC with the agent installed.


If you have any other questions, please let us know.
Thank you for your time and patience throughout this issue.
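Because the summary report only sees DCs that actually run the agent, a gap in agent coverage is invisible in the report itself. The script below is an added example (not from this thread or from Microsoft) that enumerates every DC in the domain and flags those without the agent; the service name 'AzureADPasswordProtectionDCAgent' and log name 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' are assumptions to verify against your own install.

```powershell
# Added example: report which domain controllers have the Azure AD Password
# Protection DC agent, since password changes sent to a DC without the agent
# are neither validated nor included in Get-AzureADPasswordProtectionSummaryReport.
# Assumptions (verify on your install): service name and admin log name below.
# Requires the ActiveDirectory RSAT module and Windows PowerShell 5.1
# (Get-Service -ComputerName is not available in PowerShell 7).
Import-Module ActiveDirectory

$ServiceName = 'AzureADPasswordProtectionDCAgent'                      # assumed
$AdminLog    = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'    # assumed

function Get-PwProtectionCoverage {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
        $dc = $_.HostName
        $svc = $null
        $eventCount = 0
        try {
            $svc = Get-Service -ComputerName $dc -Name $ServiceName -ErrorAction Stop
        } catch { }   # no such service: agent not installed on this DC
        if ($svc) {
            try {
                # Only agent DCs have this log; an empty log means no changes seen yet.
                $eventCount = @(Get-WinEvent -ComputerName $dc -LogName $AdminLog `
                    -MaxEvents 1 -ErrorAction Stop).Count
            } catch { $eventCount = 0 }
        }
        [pscustomobject]@{
            DomainController  = $dc
            IsPdc             = ($_.OperationMasterRoles -contains 'PDCEmulator')
            AgentInstalled    = [bool]$svc
            AgentRunning      = ($svc -ne $null -and $svc.Status -eq 'Running')
            AdminLogHasEvents = ($eventCount -gt 0)
        }
    }
}

$coverage = Get-PwProtectionCoverage
$coverage | Format-Table -AutoSize

# Any DC listed here is a blind spot: changes routed to it bypass the policy
# and never appear in the summary report.
$missing = @($coverage | Where-Object { -not $_.AgentInstalled })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} DCs have no DC agent: {2}" -f $missing.Count,
        @($coverage).Count, ($missing.DomainController -join ', '))
}
```

Run it from a workstation with RSAT as an account that can read remote services and event logs on the DCs; a DC showing AgentInstalled=True but AdminLogHasEvents=False has simply not yet processed a password change.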


@JamesTran-MSFT
Please clarify whether it is required to have the DC agent on all DCs so I can get the password validation and reports?
How are you anyway? You helped me with this same deployment before and I helped with the documentation update. (I think)

0 Votes 0 ·

@JamesTran-MSFT

I am sorted with this question but would you be able to send me a pm please? I need to ask you about another question (unrelated to this subject).

Thanks

0 Votes 0 ·