Microsoft Entra Password Protection and Kerberos
Microsoft Entra Password Protection and Kerberos are two critical components in implementing robust authentication and access management within enterprise environments. **Microsoft Entra Password Protection** is a security feature designed to reduce the risk of weak passwords across an organization. It works by detecting and blocking known weak passwords and their variants using a global banned password list maintained by Microsoft, as well as a custom banned password list that administrators can configure. This feature operates both in the cloud and on-premises through agents deployed on domain controllers. The on-premises component uses a proxy service that communicates with Microsoft Entra ID to download the latest password protection policies. When users attempt to change or reset their passwords, the password is evaluated against the banned list, and weak passwords are rejected. This significantly reduces vulnerability to password spray attacks and brute-force attempts.

Key components include:
- **DC Agent**: Installed on domain controllers to enforce password policies during password change events.
- **Proxy Service**: Acts as a communication bridge between on-premises domain controllers and Microsoft Entra ID.
- **Global and Custom Banned Password Lists**: Combined to evaluate password strength using a scoring algorithm.

**Kerberos** is a network authentication protocol that uses tickets to allow nodes to securely prove their identity. In Microsoft environments, Kerberos is the default authentication protocol for Active Directory. It operates through a Key Distribution Center (KDC) that issues Ticket Granting Tickets (TGTs) and service tickets.
Microsoft Entra ID supports Kerberos authentication through Microsoft Entra Kerberos, enabling seamless single sign-on (SSO) for hybrid environments. This allows cloud identities to access on-premises resources without traditional password-based authentication. Microsoft Entra Kerberos creates a trust bridge between on-premises Active Directory and Microsoft Entra ID, facilitating passwordless authentication scenarios such as FIDO2 security keys and Windows Hello for Business for accessing on-premises resources. Together, these technologies strengthen identity security and streamline access management across hybrid environments.
Microsoft Entra Password Protection & Kerberos: A Complete SC-300 Exam Guide
Why Is This Topic Important?
Microsoft Entra Password Protection and Kerberos are fundamental components of identity security in hybrid environments. The SC-300 (Microsoft Identity and Access Administrator) exam tests your ability to implement and manage authentication mechanisms that protect organizations from password-based attacks and ensure seamless, secure authentication. Understanding how Entra Password Protection works alongside Kerberos authentication is critical because:
- Weak and banned passwords remain one of the top attack vectors in enterprise environments.
- Kerberos is the default authentication protocol in Active Directory environments, and understanding its integration with cloud-based protections is essential for hybrid identity scenarios.
- Microsoft expects SC-300 candidates to know how to deploy, configure, and troubleshoot these technologies in real-world scenarios.
What Is Microsoft Entra Password Protection?
Microsoft Entra Password Protection is a feature that helps eliminate weak passwords across your organization. It works by enforcing a global banned password list maintained by Microsoft and an optional custom banned password list that administrators can configure to include organization-specific terms.
Key Components:
1. Global Banned Password List: Microsoft maintains and continuously updates this list based on real-world password spray attack telemetry. It automatically blocks commonly used weak passwords and their variants. This list is applied automatically to all Microsoft Entra tenants and cannot be disabled.
2. Custom Banned Password List: Administrators can add up to 1,000 entries to a custom list. These entries typically include company names, product names, locations, internal acronyms, and other organization-specific terms that users might predictably use in passwords.
3. Smart Lockout: Works alongside password protection to lock out attackers while allowing legitimate users to continue accessing their accounts. It uses cloud intelligence to differentiate between genuine users and attackers.
4. Password Protection for On-Premises Active Directory: Extends the cloud-based banned password lists to on-premises AD DS environments through a proxy service and DC agent architecture.
What Is Kerberos in the Context of Microsoft Entra?
Kerberos is a ticket-based authentication protocol used extensively in Windows Active Directory environments. In the context of Microsoft Entra and hybrid identity, Kerberos plays several important roles:
1. On-Premises Authentication: Kerberos remains the primary protocol for authenticating users against on-premises Active Directory Domain Controllers.
2. Microsoft Entra Kerberos: This is a feature that enables cloud-based Kerberos ticket granting, allowing scenarios like passwordless security key sign-in to on-premises resources and Windows Hello for Business cloud trust deployments.
3. Kerberos Constrained Delegation (KCD): Used with Microsoft Entra Application Proxy to enable single sign-on (SSO) to on-premises applications that use Kerberos authentication.
How Does Microsoft Entra Password Protection Work?
In the Cloud (Entra ID):
- When a user changes or resets their password in Microsoft Entra ID, the new password is evaluated against both the global and custom banned password lists.
- The password evaluation uses a normalized matching algorithm that checks for substitutions (e.g., replacing 'a' with '@', 'o' with '0') and fuzzy matching to catch variants of banned terms.
- A password receives a score based on the number of banned terms and patterns detected. If the score falls below the threshold, the password is rejected.
On-Premises (Hybrid Deployment):
The on-premises deployment involves two key components:
1. Microsoft Entra Password Protection Proxy Service:
- Installed on one or more domain-joined Windows Servers (does not need to be on a Domain Controller).
- Acts as a communication bridge between on-premises DC agents and Microsoft Entra ID.
- Forwards requests from DC agents to Entra ID and relays password policies (banned password lists) back to the agents.
- Requires outbound internet connectivity to Microsoft Entra ID.
- At least one proxy is required, and two are recommended for high availability.
2. Microsoft Entra Password Protection DC Agent:
- Installed on every domain controller where password protection is desired.
- Intercepts password change and reset operations via the password filter DLL mechanism in AD DS.
- Evaluates proposed passwords against the downloaded banned password policy.
- Requires a reboot of the domain controller after installation.
- Communicates with the proxy service over RPC over TCP (dynamic RPC ports).
Password Evaluation Process On-Premises:
Step 1: The DC agent periodically requests updated password policies from the proxy service.
Step 2: The proxy service retrieves the latest global and custom banned password lists from Microsoft Entra ID.
Step 3: The policy is cached locally on each DC agent and refreshed approximately every hour.
Step 4: When a user attempts to change their password, the DC agent's password filter evaluates the new password against the cached policy.
Step 5: If the password is deemed weak or banned, it is rejected, and the user receives an error message.
Deployment Modes:
- Audit Mode: Passwords that would be rejected are allowed, but events are logged. This is the default mode and is recommended as an initial deployment step to assess the impact before enforcement.
- Enforced Mode: Passwords that violate the policy are actively rejected.
How Does Kerberos Work with Microsoft Entra?
Traditional Kerberos Flow:
1. User authenticates to a Domain Controller (DC) and receives a Ticket Granting Ticket (TGT).
2. When accessing a resource, the user presents the TGT to the DC and requests a Service Ticket.
3. The service ticket is presented to the resource server for access.
Microsoft Entra Kerberos:
- Microsoft Entra Kerberos creates an Entra ID Kerberos Server object in on-premises Active Directory.
- This object allows Microsoft Entra ID to issue Kerberos TGTs that on-premises AD can trust.
- This is essential for:
• FIDO2 security key sign-in to on-premises resources
• Windows Hello for Business cloud Kerberos trust
• Enabling SSO to on-premises resources from Entra-joined devices
- The Entra Kerberos Server object's encryption key (krbtgt key) is rotated regularly (similar to the standard krbtgt account), and administrators should rotate it at least every 30 days using the Set-AzureADKerberosServer PowerShell cmdlet.
Kerberos Constrained Delegation (KCD) with Entra Application Proxy:
- Microsoft Entra Application Proxy connectors can perform KCD to obtain Kerberos service tickets on behalf of users.
- This enables SSO to on-premises web applications that use Integrated Windows Authentication (IWA).
- The Application Proxy connector's computer account must be granted delegation rights in AD to the target service's Service Principal Name (SPN).
Key Considerations and Requirements:
- Licensing: Microsoft Entra Password Protection for cloud users is included with Microsoft Entra ID Free and above. On-premises password protection requires Microsoft Entra ID P1 or P2 licenses.
- Forest Functional Level: On-premises password protection requires Windows Server 2012 or later domain controllers, with the domain running at Windows Server 2003 forest functional level or higher.
- SYSVOL Replication: The password policy is distributed to all DCs via SYSVOL replication (using either FRS or DFSR).
- No dependency on specific DC: The DC agent evaluates passwords locally using its cached policy, so it continues to function even if the proxy service is temporarily unavailable (using the last cached policy).
- Password Protection does NOT change password length or complexity requirements: It works alongside existing AD password policies, not as a replacement.
Exam Tips: Answering Questions on Microsoft Entra Password Protection and Kerberos
1. Know the architecture: The SC-300 exam frequently tests whether you understand that the DC Agent goes on every domain controller and the Proxy Service goes on a member server (not the DC). Remember that a DC reboot is required after agent installation.
2. Understand deployment modes: Remember that Audit mode is the default. If a question asks about initial deployment or impact assessment, Audit mode is the correct answer. Enforced mode actively blocks weak passwords.
3. Licensing matters: Cloud password protection is free for all tenants. On-premises protection requires Entra ID P1 or P2. If a question mentions budget constraints or licensing tiers, pay close attention.
4. Custom banned password list limits: Remember the 1,000-entry limit for custom banned password lists. Each entry is between 4 and 16 characters. Entries are case-insensitive.
5. Global banned password list cannot be disabled: This is a common trick question. The global list is always active for cloud authentication. You can only enable or disable the custom list and the on-premises protection.
6. Kerberos Server Object rotation: If asked about maintaining Microsoft Entra Kerberos, remember that the krbtgt key should be rotated at least every 30 days. The cmdlet used is Set-AzureADKerberosServer (or the newer Microsoft Graph PowerShell equivalent).
7. KCD for Application Proxy: When a question involves SSO to on-premises Kerberos-authenticated apps, think Application Proxy with Kerberos Constrained Delegation. The connector must have delegation rights to the target SPN.
8. Distinguish between Kerberos scenarios: Know the difference between traditional KCD (for Application Proxy SSO), Microsoft Entra Kerberos (for FIDO2/WHfB cloud trust), and standard on-premises Kerberos. The exam may present scenarios where you need to select the correct technology.
9. Password evaluation algorithm: Understand that password evaluation uses normalization and fuzzy matching. A banned term of 'password' would also catch 'P@ssw0rd', 'p@$$word', etc. The algorithm assigns a score, and passwords need a minimum score to be accepted.
10. High availability: For proxy services, Microsoft recommends at least two proxy servers for redundancy. DC agents continue to work with cached policies if proxies become unavailable.
11. Network requirements: The proxy service needs outbound HTTPS (443) to Microsoft Entra ID. DC agents communicate with proxies via RPC over TCP. No inbound internet connectivity is required.
12. Watch for distractor answers: The exam may include options like installing the proxy on a domain controller, disabling the global banned password list, or requiring Entra ID P2 specifically for cloud password protection. These are all incorrect.
13. Scenario-based questions: When presented with a hybrid environment scenario, determine whether the question is about cloud-only password protection (no on-premises components needed) or hybrid protection (requires proxy + DC agent). Read the scenario carefully to identify which components are already in place and what is missing.
14. Event Logging: Password protection events are logged in the Application and Services Logs > Microsoft > AzureADPasswordProtection event log on domain controllers. If a troubleshooting question appears, knowing where to check logs is valuable.
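The normalization, banned-term matching and scoring described in the cloud evaluation section and in tip 9, as an added Python illustration that is not Microsoft's code. Two details are assumptions taken from Microsoft's public description of the algorithm rather than from this page: the substitution table (0→o, 1→l, $→s, @→a) and the minimum score of 5.

```python
# Added illustration (not Microsoft's code) of the documented evaluation steps:
# normalize -> find banned terms (exact or edit distance 1) -> score.
# Assumed, not stated on this page: substitution table and minimum score of 5.

SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5  # assumed threshold: fewer points than this is rejected


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """True when a equals b or differs by one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def evaluate(password: str, banned_terms: list[str]) -> tuple[bool, int, list[str]]:
    """Return (accepted, score, matched_terms): one point per banned term found,
    one point per character outside any match; accepted when score >= MIN_SCORE."""
    norm = normalize(password)
    covered = [False] * len(norm)
    matched = []
    # Longest terms first, and exact-length windows before fuzzy ones, so a
    # near-miss never claims a span that an exact hit should own.
    for term in sorted(banned_terms, key=len, reverse=True):
        t = term.lower()
        for width in (len(t), len(t) + 1, len(t) - 1):
            if width < 1:
                continue
            for start in range(len(norm) - width + 1):
                span = range(start, start + width)
                if any(covered[k] for k in span):
                    continue
                if within_one_edit(norm[start:start + width], t):
                    for k in span:
                        covered[k] = True
                    matched.append(term)
    score = len(matched) + covered.count(False)
    return score >= MIN_SCORE, score, matched
```

With the terms `contoso` and `blank`, `C0ntos0Blank12` scores 4 and is rejected while `C0ntos0Blank123` scores 5 and passes, which is why appending a few characters to a banned word is not enough to get past the check.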
By mastering these concepts, you will be well-prepared to answer any SC-300 exam question related to Microsoft Entra Password Protection and Kerberos authentication. Focus on understanding the architecture, deployment requirements, and real-world application of these technologies rather than just memorizing facts.