

Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. On-premises deployment of Azure AD Password Protection uses the same global and custom banned password lists that are stored in Azure AD, and does the same checks for on-premises password changes as Azure AD does for cloud-based changes. These checks are performed during password changes and password reset events against on-premises Active Directory Domain Services (AD DS) domain controllers.

Design principles

Azure AD Password Protection is designed with the following principles in mind:

- Domain controllers (DCs) never have to communicate directly with the internet.
- No new network ports are opened on DCs.
- The software uses the existing AD DS container and serviceConnectionPoint schema objects.
- Any supported AD DS domain or forest functional level can be used.
- The software doesn't create or require accounts in the AD DS domains that it protects.

The Azure AD Password Protection DC agent software can only validate passwords when it's installed on a DC, and only for password changes that are sent to that DC. It's important to understand what this really means and what the tradeoffs are. It's not possible to control which DCs are chosen by Windows client machines for processing user password changes. To guarantee consistent behavior and universal Azure AD Password Protection security enforcement, the DC agent software must be installed on all DCs in a domain.
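Because enforcement only happens on DCs where the agent runs, a practical deployment check is to compare the domain's full DC list against the DCs that report a registered agent. The script below is an added example, not code from the page or from Microsoft; it assumes the RSAT ActiveDirectory module and the AzureADPasswordProtection module are available on the machine, and that Get-AzureADPasswordProtectionDCAgent accepts a -Domain parameter and exposes a ServerFQDN property.

```powershell
# Added example (assumption: ActiveDirectory and AzureADPasswordProtection
# modules are installed; Get-AzureADPasswordProtectionDCAgent is assumed to
# take -Domain and return objects with a ServerFQDN property).
Import-Module ActiveDirectory
Import-Module AzureADPasswordProtection

$domain = (Get-ADDomain).DNSRoot

# Every DC the domain knows about, taken from AD itself.
$allDCs = Get-ADDomainController -Filter * -Server $domain |
    Select-Object -ExpandProperty HostName

# DCs that have a DC agent registered (may be empty early in a rollout).
$agentDCs = @(Get-AzureADPasswordProtectionDCAgent -Domain $domain |
    Select-Object -ExpandProperty ServerFQDN)

# A DC in the first set but not the second can still accept a password
# change that is never checked against the banned password lists.
$uncovered = $allDCs | Where-Object { $agentDCs -notcontains $_ }

if ($uncovered) {
    Write-Warning "DCs in $domain without the Azure AD Password Protection DC agent:"
    $uncovered | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "All $($allDCs.Count) DCs in $domain report a DC agent."
}
```

Run it from a host where the AzureADPasswordProtection module is installed (typically a proxy server); any DC it lists is a gap in enforcement until the agent is deployed there.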
