When working with the Azure AD Password Protection feature, you might want to take advantage of the event log management features on your Domain Controllers to make sure the log retains enough password set and password failure audit events.
About Azure AD Password Protection
Azure AD Password Protection is an Azure AD feature that helps organizations eliminate weak and commonly used passwords by acting as a password filter that rejects frequently used and easily guessable passwords.
Azure AD Password Protection’s architecture consists of Domain Controller agents and a proxy component. The proxy component interacts with Azure AD to fetch the latest list of Top 1000 most leaked passwords (comparable to this list) and any words that are additionally banned from passwords, as configured by an Azure AD admin.
Azure AD Password Protection Reporting
On Windows Server installations with the Azure AD Password Protection Proxy component, a Windows PowerShell cmdlet is available to report on the activity of connected Azure AD Password Protection agents on Domain Controllers:
This cmdlet fetches events from a special event log on the domain controllers, the Microsoft / Azure AD Password Protection / DC Agent / Admin log underneath Applications and Services logs. Events in this log provide information on the total number of password changes and password resets for the specific Domain Controller and how these actions triggered Azure AD Password Protection rules.
In this log, events with Event IDs in the 3000 range are logged by the Azure AD Password Protection agent on the Domain Controller. The specific Event IDs are documented by Microsoft.
Manage the retention of the log information
On Domain Controllers where a lot of password resets and/or password changes occur, the default log size might not be sufficient to store all relevant events for the time period in which people need to change their passwords.
The MaxSize registry value can be used to define the maximum size of the DC Agent / Admin event log. Increasing it lets the log hold more events before the oldest ones are automatically overwritten. MaxSize is a REG_DWORD value that specifies the size in bytes, in multiples of 64 KB.
As a drawback, you might end up with events in the summary report that are older than the timeframe for which you want to report.
Providing a larger maximum log size
To configure a maximum log size that is different than the 1028 KB default maximum size, run the following lines of Windows PowerShell in an elevated Windows PowerShell session:
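# Registry key that holds the configuration of each event log channel
$Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels"
# The 0x prefix makes PowerShell read the value as a hexadecimal number
New-ItemProperty -Path "$Path\Microsoft-AzureADPasswordProtection-DCAgent/Admin" `
-Name MaxSize -Value 0x0C000000 -PropertyType DWORD
The value 0x0C000000 in the above lines of PowerShell is hexadecimal and corresponds to 192 MB.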
To make meaningful decisions on the population of user accounts that need to change their passwords, ideally you want to have access to all the logs for the period in which people (need to) change their password, whether the maximum password age in the Active Directory domain is 42, 90, 180 or 365 days.
The MaxSize value for the DC Agent / Admin event log allows you to do just that.
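To check whether the current log size covers the maximum password age, the following added example (not part of the original post) compares the oldest event in the DC Agent / Admin log with the default domain password policy and derives a rough MaxSize suggestion in multiples of 64 KB. It assumes an elevated session on a Domain Controller with the DC agent and the ActiveDirectory module installed; the variable names and the growth estimate are illustrative, and fine-grained password policies are not considered.

```powershell
# Added example: rough retention check for the DC Agent / Admin log.
# Channel name taken from the registry path used earlier in this post.
$LogName = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'

# Current log configuration and the oldest event still present.
# Get-WinEvent stops with an error here if the log contains no events yet.
$log    = Get-WinEvent -ListLog $LogName -ErrorAction Stop
$oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction Stop

# Default domain policy only (assumption: no fine-grained password policies).
# A MaxPasswordAge of 0 days means passwords never expire.
$policy     = Get-ADDefaultDomainPasswordPolicy
$daysNeeded = $policy.MaxPasswordAge.TotalDays

# Days of history currently held in the log (at least 1 to avoid dividing by ~0).
$daysCovered = [math]::Max(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)

# Estimate: assume the log keeps growing at the average rate seen so far,
# then round up to the next multiple of 64 KB as MaxSize requires.
$unit        = 64KB
$bytesPerDay = $log.FileSize / $daysCovered
$needed      = $bytesPerDay * $daysNeeded
$suggested   = [int64]([math]::Ceiling($needed / $unit) * $unit)

# Never suggest a value smaller than what is configured today.
$suggested   = [math]::Max($suggested, $log.MaximumSizeInBytes)

[pscustomobject]@{
    LogName            = $log.LogName
    LogMode            = $log.LogMode
    MaximumSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 2)
    CurrentSizeMB      = [math]::Round($log.FileSize / 1MB, 2)
    # True when the file is close to its limit, so old events are (about to be) overwritten
    NearCapacity       = $log.FileSize -ge (0.9 * $log.MaximumSizeInBytes)
    OldestEvent        = $oldest.TimeCreated
    DaysCovered        = [math]::Round($daysCovered, 1)
    MaxPasswordAgeDays = $daysNeeded
    CoversPasswordAge  = $daysCovered -ge $daysNeeded
    SuggestedMaxSize   = '0x{0:X8}' -f $suggested
}
```

If NearCapacity is False and CoversPasswordAge is False, the log has simply not existed long enough yet, and the suggestion is only an extrapolation from the events collected so far.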