Entra Password Protection Proxy Migration
I recently had to perform a migration of my existing Microsoft Entra password protection proxy to a new server but was unable to find the steps in the Microsoft documentation or other sources online. It turns out the process was painless and took almost no time.
What is Entra Password Protection?
Entra Password Protection is designed to block weak passwords. The proxy service extends this capability to on-premises Active Directory environments. The on-premises deployment consists of an agent on each domain controller and a proxy server that checks passwords against the Entra Password Protection cloud service. For more information about the inner workings, see the Microsoft documentation.
Set up the new proxy service
When performing a migration, the first step is to set up the new proxy service. Follow the standard Microsoft documentation for setting up a proxy. Since you already have a proxy running, the forest is already registered, so skip the forest registration step.
Removing the old proxy service
It took me a while to find the documentation to delete the old proxy. It turns out that process is pretty easy as well.
Find the service connection
Run the following PowerShell to list all of the Entra Password Protection service connection points registered in your AD environment.
# Object class of the service connection point (SCP) entries.
$scp = "serviceConnectionPoint"
# Keyword GUID that identifies Entra Password Protection proxy SCPs.
$keywords = "{ebefb703-6113-413d-9167-9f8dd4d24468}*"
# List every matching SCP in the forest with all of its attributes.
Get-ADObject -SearchScope Subtree -Filter { objectClass -eq $scp -and keywords -like $keywords } | Format-List
You should see two or more service connection points. Identify the one that belongs to the old proxy and remove it using Remove-ADObject.
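As an added example (not from the original post or the Microsoft documentation), the lookup above extended into a find, verify and remove script. It assumes the retired proxy's hostname appears in the SCP's keywords or serviceBindingInformation attributes, and that OLDPROXY01 is a placeholder for that hostname; confirm the match against the Get-ADObject output from your own forest before removing anything.

```powershell
# Added example: locate and remove the SCP left behind by a retired
# Entra Password Protection proxy. Requires the ActiveDirectory module
# and rights to delete objects under the forest's SCP container.
Import-Module ActiveDirectory

# Hostname of the proxy that was decommissioned (constructed placeholder).
$oldProxyHost = 'OLDPROXY01'
$scp      = 'serviceConnectionPoint'
$keywords = '{ebefb703-6113-413d-9167-9f8dd4d24468}*'

# Pull every Password Protection SCP with the attributes needed to tell them apart.
$scps = Get-ADObject -SearchScope Subtree `
    -Filter { objectClass -eq $scp -and keywords -like $keywords } `
    -Properties keywords, serviceBindingInformation, whenCreated

# Show the full picture first so the proxy that must stay is clearly visible.
$scps | Select-Object Name, whenCreated,
    @{n = 'Keywords'; e = { $_.keywords -join '; ' } },
    @{n = 'Binding';  e = { $_.serviceBindingInformation -join '; ' } } |
    Format-Table -AutoSize

# Assumption: the proxy hostname is present in keywords or
# serviceBindingInformation; verify this against the table printed above.
$stale = $scps | Where-Object {
    (@($_.keywords) + @($_.serviceBindingInformation)) -match [regex]::Escape($oldProxyHost)
}

if (-not $stale) {
    Write-Warning "No SCP references '$oldProxyHost'; nothing removed."
    return
}
if ((@($scps).Count - @($stale).Count) -lt 1) {
    Write-Warning 'Removing these would leave no registered proxy; aborting.'
    return
}

# Dry run first, then an interactive removal so a mistaken match cannot slip through.
$stale | Remove-ADObject -WhatIf
$stale | Remove-ADObject -Confirm:$true
```

Re-run the original Get-ADObject query afterwards to confirm that only the active proxy's SCP remains.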
Monitor the service
Follow the documentation for monitoring the service to ensure that communication between the agent and the proxy is working.