Merge pull request #208807 from Justinha/issue-95991

prmerger-automator[bot] · web-flow · commit d55f73885af8 · 2022-08-23T06:38:46.000Z
edits
diff --git a/articles/active-directory/authentication/concept-password-ban-bad-on-premises.md b/articles/active-directory/authentication/concept-password-ban-bad-on-premises.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 07/17/2020
+ms.date: 08/22/2022
 
 ms.author: justinha
 author: justinha
@@ -26,7 +26,7 @@ Azure AD Password Protection is designed with the following principles in mind:
 * Domain controllers (DCs) never have to communicate directly with the internet.
 * No new network ports are opened on DCs.
 * No AD DS schema changes are required. The software uses the existing AD DS *container* and *serviceConnectionPoint* schema objects.
-* No minimum AD DS domain or forest functional level (DFL/FFL) is required.
+* Any supported AD DS domain or forest functional level can be used.
 * The software doesn't create or require accounts in the AD DS domains that it protects.
 * User clear-text passwords never leave the domain controller, either during password validation operations or at any other time.
 * The software isn't dependent on other Azure AD features. For example, Azure AD password hash sync (PHS) isn't related or required for Azure AD Password Protection.
diff --git a/articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md b/articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 08/17/2022
+ms.date: 08/22/2022
 
 ms.author: justinha
 author: justinha
@@ -100,8 +100,8 @@ The following core requirements apply:
 
 The following requirements apply to the Azure AD Password Protection DC agent:
 
-* All machines where the Azure AD Password Protection DC agent software will be installed must run Windows Server 2012 or later, including Windows Server Core editions.
-    * The Active Directory domain or forest doesn't need to be at Windows Server 2012 domain functional level (DFL) or forest functional level (FFL). As mentioned in [Design Principles](concept-password-ban-bad-on-premises.md#design-principles), there's no minimum DFL or FFL required for either the DC agent or proxy software to run.
+* Machines where the Azure AD Password Protection DC agent software will be installed can run any supported version of Windows Server, including Windows Server Core editions.
+    * The Active Directory domain or forest can be any supported functional level. 
 * All machines where the Azure AD Password Protection DC agent will be installed must have .NET 4.7.2 installed.
     * If .NET 4.7.2 is not already installed, download and run the installer found at [The .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2).
 * Any Active Directory domain that runs the Azure AD Password Protection DC agent service must use Distributed File System Replication (DFSR) for sysvol replication.
