articles/active-directory/authentication/concept-resilient-controls.md (+1 -1)
@@ -204,7 +204,7 @@ User lockout can also occur if the following conditions are true:
- Your organization uses a hybrid identity solution with pass-through authentication or federation.
- Your on-premises identity systems (such as Active Directory, AD FS, or a dependent component) are unavailable.
-
To be more resilient, your organization should [enable password hash sync](https://docs.microsoft.com/azure/security/azure-ad-choose-authn), because it enables you to [switch to using password hash sync](https://docs.microsoft.com/azure/active-directory/hybrid/plan-connect-user-signin) if your on-premises identity systems are down.
+
To be more resilient, your organization should [enable password hash sync](https://docs.microsoft.com/azure/security/fundamentals/choose-ad-authn), because it enables you to [switch to using password hash sync](https://docs.microsoft.com/azure/active-directory/hybrid/plan-connect-user-signin) if your on-premises identity systems are down.
#### Microsoft recommendations
Enable password hash sync using the Azure AD Connect wizard, regardless whether your organization uses federation or pass-through authentication.
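Review bot: an absolute docs.microsoft.com URL for `choose-ad-authn` is not validated by the docs build, so if the article moves again this link will silently redirect or break exactly as the old `azure/security/azure-ad-choose-authn` path did; if the target lives in this repo (under articles/security/fundamentals/), a relative link lets the build catch the next move. The second link in the same sentence (`hybrid/plan-connect-user-signin`) is a different article and is correctly left unchanged. In the trailing context, "regardless whether your organization uses federation or pass-through authentication" should read "regardless of whether"; worth fixing while the file is open.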
> The example msiexec command here causes an immediate reboot. To avoid that, use the `/norestart` flag.
+
You may omit the `/norestart` flag if you prefer to have the installer automatically reboot the machine.
The installation is complete after the DC Agent software is installed on a domain controller, and that computer is rebooted. No other configuration is required or possible.
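Review bot: the new sentence "You may omit the `/norestart` flag if you prefer to have the installer automatically reboot the machine" only makes sense if the install command above this hunk now includes `/norestart`, as the upgrade command in the next hunk does; that command line is outside the lines shown here, so confirm it was updated in the same commit, otherwise the sentence describes a flag the reader has not seen. The unchanged context line "The installation is complete after the DC Agent software is installed on a domain controller, and that computer is rebooted" should then state explicitly that, with `/norestart`, scheduling that reboot is the administrator's responsibility and the installation is not complete until it happens.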
@@ -298,10 +297,9 @@ The `Get-AzureADPasswordProtectionProxy` cmdlet may be used to query the softwar
When a newer version of the Azure AD Password Protection DC Agent software is available, the upgrade is accomplished by running the latest version of the `AzureADPasswordProtectionDCAgentSetup.msi` software package. It is not required to uninstall the current version of the DC agent software - the installer will perform an in-place upgrade. A reboot is always required when upgrading the DC agent software - this is caused by core Windows behavior.
-
The software upgrade may be automated using standard MSI procedures, for example: `msiexec.exe /i AzureADPasswordProtectionDCAgentSetup.msi /quiet /qn`.
+
The software upgrade may be automated using standard MSI procedures, for example: `msiexec.exe /i AzureADPasswordProtectionDCAgentSetup.msi /quiet /qn /norestart`.
-
> [!WARNING]
-
> The example msiexec command shown above causes an immediate reboot during the upgrade. To avoid that, use the `/norestart` flag.
+
You may omit the `/norestart` flag if you prefer to have the installer automatically reboot the machine.
The `Get-AzureADPasswordProtectionDCAgent` cmdlet may be used to query the software version of all currently installed DC agents in a forest.
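Review bot: replacing the `[!WARNING]` callout with "You may omit the `/norestart` flag if you prefer to have the installer automatically reboot the machine" drops the operational consequence of the new default without stating the one that replaces it. With `/norestart`, `msiexec.exe /i AzureADPasswordProtectionDCAgentSetup.msi /quiet /qn /norestart` returns exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) instead of 0, so a deployment script that treats non-zero as failure will report a successful upgrade as failed; and since the context two paragraphs up says a reboot is always required when upgrading, the upgraded agent is not in effect until the administrator performs that reboot. Suggest stating both in the new sentence. Minor: `/quiet` and `/qn` are equivalent (both suppress the UI), so one of them can be removed from the example while it is being edited.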
articles/active-directory/authentication/howto-password-ban-bad-on-premises-faq.md (+8 -4)
@@ -37,19 +37,19 @@ Not supported. Once deployed and enabled, Azure AD Password Protection doesn't d
**Q: What is the difference between a password change and a password set (or reset)?**
-
A password change is when a user chooses a new password after proving they have knowledge of the old password. For example, this is what happens when a user logs into Windows and is then prompted to choose a new password.
+
A password change is when a user chooses a new password after proving they have knowledge of the old password. For example, a password change is what happens when a user logs into Windows and is then prompted to choose a new password.
-
A password set (sometimes called a password reset) is when an administrator replaces the password on an account with a new password, for example by using the Active Directory Users and Computers management tool. This operation requires a high level of privilege (usually Domain Admin), and the person performing the operation usually does not have knowledge of the old password. Help-desk scenarios often do this, for instance when assisting a user who has forgotten their password. You will also see password set events when a brand new user account is being created for the first time with a password.
+
A password set (sometimes called a password reset) is when an administrator replaces the password on an account with a new password, for example by using the Active Directory Users and Computers management tool. This operation requires a high level of privilege (usually Domain Admin), and the person performing the operation usually does not have knowledge of the old password. Help-desk scenarios often perform password sets, for instance when assisting a user who has forgotten their password. You will also see password set events when a brand new user account is being created for the first time with a password.
The password validation policy behaves the same regardless of whether a password change or set is being done. The Azure AD Password Protection DC Agent service does log different events to inform you whether a password change or set operation was done. See [Azure AD Password Protection monitoring and logging](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor).
**Q: Why are duplicated password rejection events logged when attempting to set a weak password using the Active Directory Users and Computers management snap-in?**
-
The Active Directory Users and Computers management snap-in will first try to set the new password using the Kerberos protocol. Upon failure the snap-in will make a second attempt to set the password using a legacy (SAM RPC) protocol (the specific protocols used are not important). If the new password is considered weak by Azure AD Password Protection, this will result in two sets of password reset rejection events being logged.
+
The Active Directory Users and Computers management snap-in will first try to set the new password using the Kerberos protocol. Upon failure, the snap-in will make a second attempt to set the password using a legacy (SAM RPC) protocol (the specific protocols used are not important). If the new password is considered weak by Azure AD Password Protection, this snap-in behavior will result in two sets of password reset rejection events being logged.
**Q: Why are Azure AD Password Protection password validation events being logged with an empty user name?**
-
Active Directory supports the ability to test a password to see if it passes the domain's current password complexity requirements, for example using the [NetValidatePasswordPolicy](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netvalidatepasswordpolicy) api. When a password is validated in this way, the testing also includes validation by password-filter-dll based products such as Azure AD Password Protection - but the user names passed to a given password filter dll will be empty. In this scenario Azure AD Password Protection will still validate the password using the currently in-effect password policy and will issue an event log message to capture the outcome, however the event log message will have empty user name fields.
+
Active Directory supports the ability to test a password to see if it passes the domain's current password complexity requirements, for example using the [NetValidatePasswordPolicy](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netvalidatepasswordpolicy) api. When a password is validated in this way, the testing also includes validation by password-filter-dll based products such as Azure AD Password Protection - but the user names passed to a given password filter dll will be empty. In this scenario, Azure AD Password Protection will still validate the password using the currently in-effect password policy and will issue an event log message to capture the outcome, however the event log message will have empty user name fields.
**Q: Is it supported to install Azure AD Password Protection side by side with other password-filter-based products?**
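Review bot: two of the lines this hunk rewrites still read awkwardly after the edit. In the password set paragraph, "Help-desk scenarios often perform password sets" makes the scenario the actor; "Help-desk staff often perform password sets" is what is meant. In the NetValidatePasswordPolicy paragraph, where only a comma was added, "api" and "dll" should be "API" and "DLL" (the same line already capitalises "SAM RPC" and "DC Agent"), and the clause "the user names passed to a given password filter dll will be empty" is the fact the whole answer hinges on, so it reads better as its own sentence leading the explanation than trailing after a dash.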
@@ -113,6 +113,10 @@ No. When a user's password is changed on a given non-PDC domain controller, the
In summary, deployment of the Azure AD Password Protection DC Agent service on the PDC is required to reach 100% security coverage of the feature across the domain. Deploying the feature on the PDC only does not provide Azure AD Password Protection security benefits for any other DCs in the domain.
+
**Q: Why is custom smart lockout not working even after the agents are installed in my on-premises Active Directory environment?**
+
+
Custom smart lockout is only supported in Azure. Changes to the custom smart lockout settings in the Azure management portal have no effect on the on-premises Active Directory environment, even with the agents installed.
+
**Q: Is a System Center Operations Manager management pack available for Azure AD Password Protection?**
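Review bot: the new answer "Custom smart lockout is only supported in Azure" does not address the confusion the question comes from, which is that the reader expects the installed DC agents to carry the lockout settings on-premises. Say explicitly that the Azure AD Password Protection agents enforce the banned-password policy on on-premises password changes and sets and play no part in lockout, that smart lockout applies to Azure AD sign-ins only, and that on-premises account lockout continues to be governed by the domain's Active Directory account lockout policy. Also prefer "Azure portal" over "Azure management portal", and the two blank `+` lines around the answer give this entry double spacing that the neighbouring Q/A entries do not have.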
articles/active-directory/authentication/howto-password-ban-bad-on-premises-troubleshoot.md (+2)
@@ -67,6 +67,8 @@ The most common root cause for the KDS service being unable to start is that the
This problem may have several causes.
+
1. Your DC agent(s) are running a public preview software version that has expired. See [Public preview DC agent software has expired](howto-password-ban-bad-on-premises-troubleshoot.md#public-preview-dc-agent-software-has-expired).
+
1. Your DC agent(s) cannot download a policy or is unable to decrypt existing policies. Check for possible causes in the above topics.
1. The password policy Enforce mode is still set to Audit. If this configuration is in effect, reconfigure it to Enforce using the Azure AD Password Protection portal. See [Enable Password protection](howto-password-ban-bad-on-premises-operations.md#enable-password-protection).
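Review bot: the new first item links to the bookmark `#public-preview-dc-agent-software-has-expired` in the same article; that heading is not part of this diff, so confirm it exists with exactly that anchor or the build will flag a broken link. Placing it first is sensible, since an expired agent build is a terminal condition the reader should rule out before chasing policy download or decryption failures. While here, the second item mixes number ("Your DC agent(s) cannot download a policy or is unable to decrypt"); "are unable" matches the new item's "Your DC agent(s) are running".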
articles/active-directory/devices/hybrid-azuread-join-plan.md (+1 -1)
@@ -135,7 +135,7 @@ Based on the scenario that matches your identity infrastructure, see:
## Review on-premises AD UPN support for Hybrid Azure AD join
-
Sometimes, your on-premises AD UPNs could be different from your Azure AD UPNs. In such cases, Windows 10 Hybrid Azure AD join provides limited support for on-premises AD UPNs based on the [authentication method](https://docs.microsoft.com/azure/security/azure-ad-choose-authn), domain type and Windows 10 version. There are two types of on-premises AD UPNs that can exist in your environment:
+
Sometimes, your on-premises AD UPNs could be different from your Azure AD UPNs. In such cases, Windows 10 Hybrid Azure AD join provides limited support for on-premises AD UPNs based on the [authentication method](https://docs.microsoft.com/azure/security/fundamentals/choose-ad-authn), domain type and Windows 10 version. There are two types of on-premises AD UPNs that can exist in your environment:
- Routable UPN: A routable UPN has a valid verified domain, that is registered with a domain registrar. For example, if contoso.com is the primary domain in Azure AD, contoso.org is the primary domain in on-premises AD owned by Contoso and [verified in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/add-custom-domain)
- Non-routable UPN: A non-routable UPN does not have a verified domain. It is applicable only within your organization's private network. For example, if contoso.com is the primary domain in Azure AD, contoso.local is the primary domain in on-premises AD but is not a verifiable domain in the internet and only used within Contoso's network.
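Review bot: the two bullets in this hunk's trailing context carry small defects worth fixing while the file is open: the routable-UPN bullet ends without a period after "[verified in Azure AD](...)", and "not a verifiable domain in the internet" in the non-routable bullet should be "on the internet". The distinction itself (routable means a verified, publicly registered domain such as contoso.org; non-routable means a suffix such as contoso.local that only resolves inside the corporate network) is clear and needs no change.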
articles/active-directory/hybrid/four-steps.md (+1 -1)
@@ -106,7 +106,7 @@ To provide high availability in the event your primary Azure AD Connect server g
### Enable cloud authentication
-
Organizations with on-premises Active Directory should extend their directory to Azure AD using Azure AD Connect and configure the appropriate authentication method. [Choosing the correct authentication method](https://docs.microsoft.com/azure/security/azure-ad-choose-authn) for your organization is the first step in your journey of moving apps to the cloud. It's a critical component since it controls access to all cloud data and resources.
+
Organizations with on-premises Active Directory should extend their directory to Azure AD using Azure AD Connect and configure the appropriate authentication method. [Choosing the correct authentication method](https://docs.microsoft.com/azure/security/fundamentals/choose-ad-authn) for your organization is the first step in your journey of moving apps to the cloud. It's a critical component since it controls access to all cloud data and resources.
The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Azure AD is to enable [Password Hash Synchronization](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization) (PHS). Alternatively, some organizations may consider enabling [Pass-through Authentication](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-pta-quick-start) (PTA).
articles/active-directory/hybrid/how-to-connect-pta-faq.md (+1 -1)
@@ -24,7 +24,7 @@ This article addresses frequently asked questions about Azure Active Directory (
## Which of the methods to sign in to Azure AD, Pass-through Authentication, password hash synchronization, and Active Directory Federation Services (AD FS), should I choose?
-
Review [this guide](https://docs.microsoft.com/azure/security/azure-ad-choose-authn) for a comparison of the various Azure AD sign-in methods and how to choose the right sign-in method for your organization.
+
Review [this guide](https://docs.microsoft.com/azure/security/fundamentals/choose-ad-authn) for a comparison of the various Azure AD sign-in methods and how to choose the right sign-in method for your organization.
This feature is an alternative to [Azure AD Password Hash Synchronization](how-to-connect-password-hash-synchronization.md), which provides the same benefit of cloud authentication to organizations. However, certain organizations wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication instead. Review [this guide](https://docs.microsoft.com/azure/security/azure-ad-choose-authn) for a comparison of the various Azure AD sign-in methods and how to choose the right sign-in method for your organization.
+
This feature is an alternative to [Azure AD Password Hash Synchronization](how-to-connect-password-hash-synchronization.md), which provides the same benefit of cloud authentication to organizations. However, certain organizations wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication instead. Review [this guide](https://docs.microsoft.com/azure/security/fundamentals/choose-ad-authn) for a comparison of the various Azure AD sign-in methods and how to choose the right sign-in method for your organization.
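Review bot: in the added line "certain organizations wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication instead", the comma before "can choose" separates subject from verb and should be removed. This hunk also ends up with the same pointer sentence ("Review [this guide](https://docs.microsoft.com/azure/security/fundamentals/choose-ad-authn) for a comparison of the various Azure AD sign-in methods...") twice within three lines of the new file (27 and 29); one of the two is enough for a FAQ answer, so consider keeping only the first.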

articles/active-directory/hybrid/whatis-hybrid-identity.md (+1 -1)
@@ -30,7 +30,7 @@ To achieve hybrid identity with Azure AD, one of three authentication methods ca
These authentication methods also provide [single-sign on](how-to-connect-sso.md) capabilities. Single-sign on automatically signs your users in when they are on their corporate devices, connected to your corporate network.
-
For additional information, see [Choose the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn).
+
For additional information, see [Choose the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/fundamentals/choose-ad-authn).
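Review bot: "single-sign on", used twice in the context line directly above the changed link, should be "single sign-on" (the hyphen joins "sign" and "on", not "single" and "sign"); since that line is already in the diff, fix the hyphenation in the same commit.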
articles/active-directory/manage-apps/plan-sso-deployment.md (+1 -1)
@@ -91,7 +91,7 @@ From the sign-in perspective, applications with shared accounts aren't different
Choosing the correct authentication method is a crucial first decision in setting up an Azure AD hybrid identity solution. Implement the authentication method that is configured by using Azure AD Connect, which also provisions users in the cloud.
-
To choose an authentication method, you need to consider the time, existing infrastructure, complexity, and cost of implementing your choice. These factors are different for every organization and might change over time. You should choose the one that most closely matches your specific scenario. For more information, see [Choose the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn).
+
To choose an authentication method, you need to consider the time, existing infrastructure, complexity, and cost of implementing your choice. These factors are different for every organization and might change over time. You should choose the one that most closely matches your specific scenario. For more information, see [Choose the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/fundamentals/choose-ad-authn).
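Review bot: the context line above the changed link, "Implement the authentication method that is configured by using Azure AD Connect, which also provisions users in the cloud", attaches "which also provisions users" to the authentication method rather than to Azure AD Connect; rewording to "Configure the authentication method in Azure AD Connect, which also provisions users in the cloud" says what is meant. The link update itself is consistent with the other files in this change.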