0

I'm currently researching how to set up a banned password list in Active Directory. I'm doing this in a hybrid environment. Unfortunately, right now we're only licensed for Azure AD Free, which is cloud only -- syncing the banned password list is only available for Premium P1 or P2; I don't have the budget for those.

I would like to implement whatever password protection that I can. What happens if I turn on cloud based AD password protection, but don't sync the banned password list? Does this cause horrible headaches with user experience, or is it simply less secure?

Barton Chittenden
  • 310
  • 2
  • 8

1 Answers1

1

The next article in the documentation you linked:

[Azure AD password protection] software is not dependent on other Azure AD features; for example Azure AD password hash sync is not related and is not required in order for Azure AD password protection to function.

The DC Agent service needs to pull policy for the filters to be in sync. Naturally, the documentation says it must be running on all writable domain controllers.

Test password change on a DC. Banned passwords will not be allowed. Successful changes will not be synced to Azure AD.

John Mahowald
  • 30,009
  • 1
  • 17
  • 32