This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
Implementing Password Management in Microsoft 365 is quite a generic exam topic, there are a number of tools available to us which contribute to password management in our tenancy. In this post we will discuss the tools below:
- Azure AD Password Protection
- Self-Service Password Reset
- ADFS Password Update
Some aspects we’ve looked at already:
Azure AD Password Protection
Azure AD Password Protection allows us to detect and prevent the use of weak or bad passwords in our tenancy. There are two aspects to password protection to be aware of, Global Banned Password list and Custom password protection policy. Global banned password lists leverage Microsoft’s own database of bad passwords which is curated using the variety of large-scale telemetry data available to the Azure AD teams. For security reasons this list is not published but benefits from the information gathered by Microsoft.
The other aspect, is the custom policy. The Custom Password Protection policy allows us to specify our lockout thresholds for bad authentication requests, configure our own custom banned password list and extend the protection to on-premises AD – more on this in the next section.
Extend Password Protection to On-Premises Active Directory
The password protection functionality available to us in Azure AD is great for Cloud-Based identities, but when we integrate our directory using Azure AD Connect, it becomes irrelevant for our synchronized users as they reset their password via our on-premises Active Directory. To solve this, we can extend our password protection to our on-premises directory by using the Password Policy Proxy Service.
The Password Protection Proxy Service requires two servers (for high availability) on-premises which will download the password policy data. This data is then queried by the Domain Controllers on our local network by the Password Protection Policy DC Agent
In the above diagram, we can see that our Service should be installed on member servers (not Domain Controllers) and the DCs will use the installed agent to look up the policy details when a password reset is requested.
There are detailed instructions for the installation and configuration of the Policy Service in the Microsoft Documentation which I recommend reading but here are some high-level points we should know for the exam:
- The service installation requires Windows Server 2012R2
- Domain Controllers do not require internet access, the member servers with the service installed will manage communication with AAD
- Password validations are written to the event log of the Domain Controller (Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin)
- Enabling Password Protection in Audit mode first is recommended to ensure there won’t be impact
Self-Service Password Reset
With our password synchronization in place we enable our users to use familiar credentials to log into our cloud service. We can extend this functionality even more by enabling Self-Service Password Reset, allowing our users to securely reset their passwords for Azure AD from anywhere and write this password back to our on-premises directory.
Self-Service Password Reset (SSPR) takes advantage of the Password Writeback feature of AD Connect to synchronize passwords from Azure AD back to our on-premises directory. Note: Password Writeback must be enabled in AD Connect for SSPR to function in a synchronized environment.
SSPR can be enabled from the Azure AD Portal under the Password Reset option. We can enable for all or selected users based on group membership:
To authenticate our users during a password reset, we can configure the number of methods that our users will need to use to reset their password. We can also specify which methods are available to them.
To ensure our users are configured for SSPR, we can configure the registration options, this will prompt our users to fill out the required SSPR details at login. We can also ask them to confirm this information after a certain period to ensure it’s up to date.
We can configure notifications when a password is successfully reset to both users and admins.
We can provide a custom helpdesk URL for our users in case they run into problems.
We can then configure our Password Writeback option which we enabled in AD Connect and decide if we can let users unlock a locked account without resetting their password.
We can also easily access a filtered log view showing password reset activity in our tenant.
SSPR is a fantastic tool and helps lower the volume of password reset requests our helpdesk gets. As a massive amount of users are working remotely now, we can securely make password resets available to them while they are not connected to our network.
ADFS Password Update
If we have a federated environment using ADFS, we can enable password update through our ADFS environment by enabling the “/adfs/portal/updatepassword” endpoint. This will provide our users with a method of updating their password (as long as they know it) remotely also. We can do some branding on the page just like any other ADFS page and will extend on-premises policies and expirations to our users.
As I mentioned above, Password Management is quite a generic term. With the above tools (and one’s we’ve covered previously) we should get a good view of the tools available to us. I recommend checking our the below links for more information on the services covered here: