Microsoft has released Azure AD Password Protection as a way to enforce enhanced Password Policy. Currently we are utilizing this to check passwords against known compromised passwords (provided by Microsoft) and a custom banned password list. Microsoft has provided an agent that is run on every DC for this to work and collects logs regarding successful or failed attempts. I would like SEM to have these logs available to make it easier for the Security Team to find the logs instead of digging into each DC. Also, this would be helpful, because we could alert on passwords being changed to Known Compromised passwords.
I opened a case with Support: Case # - 00321136
Azure AD Password Protection stores the logs here: \Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin

These events are the most helpful:
Fail (due to customer password policy)
Fail (due to Microsoft password policy)
Fail (due to combined Microsoft and customer password policies)
Audit-only Pass (would have failed customer password policy)
Audit-only Pass (would have failed Microsoft password policy)
Audit-only Pass (would have failed combined Microsoft and customer password policies)
Log Location is: C:\Windows\System32\winevt\Logs\Microsoft-AzureADPasswordProtection-DCAgent%4Admin.evtx
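
Until SEM ingests this log, the same events can be pulled from every DC in one pass. The script below is an added example, not part of the original post and not SolarWinds or Microsoft code. The event IDs are taken from Microsoft's DC agent logging documentation rather than from the post, and the 24-hour window and output file name are assumptions; it needs the ActiveDirectory module and remote event log access to each DC.

```powershell
# Added example: collect Azure AD Password Protection failures and
# audit-only hits from the DC agent Admin log on every domain controller.
Import-Module ActiveDirectory

$LogName = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
$Since   = (Get-Date).AddDays(-1)        # assumed look-back window
$OutFile = '.\aadpp-events.csv'          # hypothetical output path

# Reason events per Microsoft's documentation (change = user-initiated
# password change, set = administrative reset).
$Outcome = @{
    30002 = 'Fail: customer policy (change)'
    30003 = 'Fail: customer policy (set)'
    30004 = 'Fail: Microsoft policy (change)'
    30005 = 'Fail: Microsoft policy (set)'
    30026 = 'Fail: combined policies (change)'
    30027 = 'Fail: combined policies (set)'
    30008 = 'Audit-only pass: customer policy (change)'
    30007 = 'Audit-only pass: customer policy (set)'
    30010 = 'Audit-only pass: Microsoft policy (change)'
    30009 = 'Audit-only pass: Microsoft policy (set)'
    30028 = 'Audit-only pass: combined policies (change)'
    30029 = 'Audit-only pass: combined policies (set)'
}

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = $LogName
            Id        = [int[]]@($Outcome.Keys)
            StartTime = $Since
        } | ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                DC          = $dc
                EventId     = $_.Id
                Outcome     = $Outcome[$_.Id]
                Message     = $_.Message   # carries UserName / FullName
            }
        }
    }
    catch {
        # A DC with no matching events is not an error worth reporting.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
        Write-Warning "$dc : $($_.Exception.Message)"   # unreachable DC, no agent, access denied
    }
}

$results | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation
```

A warning for a DC usually means the agent is not installed there or the event log could not be read remotely, which is itself worth following up since password changes handled by that DC are not being checked or recorded.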