Entra Password Protection Proxy Migration

Figure: Entra ID Password Protection flow (password protection proxy communication flow). Source: Microsoft.

I recently had to perform a migration of my existing Microsoft Entra password protection proxy to a new server but was unable to find the steps in the Microsoft documentation or other sources online. It turns out the process was painless and took almost no time.

What is Entra Password Protection?

Entra password protection is designed to block weak passwords. The proxy service extends this capability to on-premises Active Directory environments. The on-premises service consists of an agent on the domain controllers and a proxy server that checks the passwords against the Entra Password Protection cloud service. For more information about the inner workings, check out the Microsoft documentation.

Set up the new proxy service

When performing a migration, the first step is to set up the new proxy service. Follow the standard Microsoft documentation for setting up a proxy. Since you already have a proxy running, the forest is already registered, so you don't need to register it again; skip that step.

Removing the old proxy service

It took me a while to find the documentation to delete the old proxy. It turns out that process is pretty easy as well.

Find the service connection

Run the following PowerShell to find all of the proxy service connection points (SCPs) registered in your AD environment.

# Object class of a service connection point
$scp = "serviceConnectionPoint"
# Keyword GUID that identifies password protection proxy SCPs
$keywords = "{ebefb703-6113-413d-9167-9f8dd4d24468}*"
# Search the whole domain for matching SCPs and show their attributes
Get-ADObject -SearchScope Subtree -Filter { objectClass -eq $scp -and keywords -like $keywords } | fl

You should see two or more service connection points, one per proxy. Identify the one belonging to the old proxy server and remove it using Remove-ADObject.
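The find-and-remove step above, as an added example that is not part of the original post: it inventories the proxy SCPs side by side, selects only the one belonging to the retired server, and refuses to remove anything if the match is ambiguous or would leave no proxy registered. $OldProxyHost is a placeholder, and matching on the SCP's distinguished name or serviceBindingInformation is an assumption about how the proxy's SCP references its host.

```powershell
# Added example (not from the original post or from Microsoft).
# Assumption: the old proxy's host name appears in the SCP's DN or its
# serviceBindingInformation. $OldProxyHost is a placeholder value.
$OldProxyHost = 'OLD-PWPROXY01'   # placeholder: host name of the retired proxy

$scp      = 'serviceConnectionPoint'
$keywords = '{ebefb703-6113-413d-9167-9f8dd4d24468}*'

# Collect every password protection proxy SCP in the domain.
$proxies = Get-ADObject -SearchScope Subtree `
    -Filter { objectClass -eq $scp -and keywords -like $keywords } `
    -Properties keywords, serviceBindingInformation, whenChanged

# Inventory first so the old and new proxies can be compared before deleting.
$proxies | Select-Object DistinguishedName, whenChanged,
    @{ n = 'Binding'; e = { $_.serviceBindingInformation -join ';' } } |
    Format-Table -AutoSize

# Select only the SCP that references the retired host (assumed matching rule).
$pattern = [regex]::Escape($OldProxyHost)
$old = $proxies | Where-Object {
    $_.DistinguishedName -match "CN=$pattern," -or
    ($_.serviceBindingInformation -join ';') -match $pattern
}

if (-not $old) {
    Write-Warning "No SCP matched '$OldProxyHost'; nothing removed."
} elseif (@($old).Count -ne 1) {
    Write-Warning "Matched $(@($old).Count) SCPs for '$OldProxyHost'; refusing to remove an ambiguous set."
} elseif (@($proxies).Count -lt 2) {
    Write-Warning "Only one proxy SCP exists; removing it would leave no proxy registered."
} else {
    # Dry run first; drop -WhatIf once the listed object is confirmed to be the old proxy.
    Remove-ADObject -Identity $old.DistinguishedName -WhatIf
}
```

Run it as an account with rights to delete the SCP object, and verify the new proxy still appears in the inventory after the removal.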

Monitor the service

Follow the documentation for monitoring the service to ensure communication between the agent and proxy is working.
