Preventing Immediate User Authentication to Azure AD with Azure AD Password Protection

Configuring Azure AD Password Protection

Question

Note: This question is part of a series of questions that present the same scenario.

Each question in the series contains a unique solution that might meet the stated goals.

Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it.

As a result, these questions will not appear in the review screen.

You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant.

You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.

You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.

Solution: You configure Azure AD Password Protection.

Does this meet the goal?
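As an added illustration of the scenario above (this is not part of the original question or any posted answer), the following PowerShell checks the Azure AD Connect sync scheduler, whose default cycle interval is the source of the "up to 30 minutes" window, forces a delta sync so a disabled on-premises account reaches Azure AD sooner, and then confirms the account state in Azure AD. It assumes the ADSync module on the Azure AD Connect server, the Microsoft.Graph module with an already connected session, and a placeholder UPN.

```powershell
# Added example, not from the original page. Assumes it runs on the Azure AD Connect
# server with rights to query and start the sync scheduler.
Import-Module ADSync

# The effective sync cycle interval is 30 minutes by default; that is the window during
# which a user disabled in on-premises AD can still authenticate to Azure AD.
$scheduler = Get-ADSyncScheduler
"Sync interval: {0}  Scheduler enabled: {1}  Cycle in progress: {2}" -f `
    $scheduler.CurrentlyEffectiveSyncCycleInterval,
    $scheduler.SyncCycleEnabled,
    $scheduler.SyncCycleInProgress

# After disabling the account in Active Directory, an operator can shorten the window by
# forcing a delta sync instead of waiting for the next scheduled cycle.
if (-not $scheduler.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Verify the disabled state has reached Azure AD. Assumes Connect-MgGraph has already been
# run with User.Read.All; 'user@contoso.example' is a placeholder UPN.
$upn  = 'user@contoso.example'
$user = Get-MgUser -UserId $upn -Property AccountEnabled
if ($user.AccountEnabled) {
    "$upn is still enabled in Azure AD; wait for the sync to complete and re-check"
} else {
    "$upn is disabled in Azure AD"
}
```

Forcing a delta sync only narrows the window to the length of one sync run; it does not change the fact that synced disabled state is what Azure AD evaluates, so the check at the end is the part worth keeping in an offboarding runbook.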

Answers

Explanations

B.

No, configuring Azure AD Password Protection does not meet the goal of immediately preventing a disabled user account in Active Directory from authenticating to Azure AD.

Azure AD Password Protection is a feature that helps prevent weak passwords from being used in Azure AD by blocking commonly used passwords and custom-defined passwords that don't meet certain complexity requirements. It does not have any effect on user authentication when an account is disabled in Active Directory.

To achieve the desired result of preventing a disabled user account from authenticating to Azure AD immediately, you should configure Azure AD Connect to use the "Password writeback" feature. Password writeback is a feature that allows Azure AD to write password changes back to Active Directory. When this feature is enabled, if a user account is disabled in Active Directory, the password is immediately invalidated in Azure AD, preventing the user from authenticating to Azure AD.

To enable password writeback, you must have the Azure AD Premium P1 or P2 license, and follow these steps:

  1. Open the Azure AD Connect wizard.
  2. Select the "Configure" option and click "Next."
  3. On the "Additional tasks" page, select the "Configure device options" option and click "Next."
  4. On the "Password writeback" page, select the "Enable password writeback" option and click "Next."
  5. Complete the wizard to enable password writeback.

Once this configuration is complete, a disabled user account in Active Directory will be immediately prevented from authenticating to Azure AD.