Merge pull request #88941 from jay98014/bplfixes_20190918

PRMerger19 · web-flow · commit 7d53b9488436 · 2019-09-18T07:53:22.000-07:00
Add content around user-visible password rejection messages.
diff --git a/articles/active-directory/authentication/howto-password-ban-bad-on-premises-faq.md b/articles/active-directory/authentication/howto-password-ban-bad-on-premises-faq.md
@@ -134,6 +134,10 @@ No.
 
 Audit mode is only supported in the on-premises Active Directory environment. Azure AD is implicitly always in "enforce" mode when it evaluates passwords.
 
+**Q: My users see the traditional Windows error message when a password is rejected by Azure AD Password Protection. Is it possible to customize this error message so that users know what really happened?**
+
+No. The error message seen by users when a password is rejected by a domain controller is controlled by the client machine, not by the domain controller. This behavior happens whether a password is rejected by the default Active Directory password policies or by a password-filter-based solution such as Azure AD Password Protection.
+
 ## Additional content
 
 The following links are not part of the core Azure AD Password Protection documentation but may be a useful source of additional information on the feature.
diff --git a/articles/active-directory/authentication/howto-password-ban-bad-on-premises-operations.md b/articles/active-directory/authentication/howto-password-ban-bad-on-premises-operations.md
@@ -52,9 +52,12 @@ This message is only one example of several possible outcomes. The specific erro
 
 Affected end users may need to work with their IT staff to understand the new requirements and be more able to choose secure passwords.
 
+> [!NOTE]
+> Azure AD Password Protection has no control over the specific error message displayed by the client machine when a weak password is rejected.
+
 ## Enable Mode
 
-This setting should normally be left in its default enabled (Yes) state. Configuring this setting to disabled (No) will cause all deployed Azure AD Password Protection DC agents to go into a quiescent mode where all passwords are accepted as-is, and no validation activities will be executed whatsoever (for example, not even audit events will be emitted).
+This setting should be left in its default enabled (Yes) state. Configuring this setting to disabled (No) will cause all deployed Azure AD Password Protection DC agents to go into a quiescent mode where all passwords are accepted as-is, and no validation activities will be executed whatsoever (for example, not even audit events will be emitted).
 
 ## Next steps
 
