BPL proxies are not supported on RODCs.

Author: jay98014

articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md

@@ -102,6 +102,7 @@ There are two required installers for Azure AD password protection. They're avai
 1. Choose one or more servers to host the proxy service for password protection.
    * Each such service can only provide password policies for a single forest. The host machine must be joined to a domain in that forest. Root and child domains are both supported. You need network connectivity between at least one DC in each domain of the forest and the password protection machine.
    * You can run the proxy service on a domain controller for testing. But that domain controller then requires internet connectivity, which can be a security concern. We recommend this configuration for testing only.
+   * It is not supported to run the proxy service on a read-only domain controller.
    * We recommend at least two proxy servers for redundancy. See [High availability](howto-password-ban-bad-on-premises-deploy.md#high-availability).
 
 1. Install the  Azure AD Password Protection Proxy service using the `AzureADPasswordProtectionProxySetup.exe` software installer.