We have a C# web app for new customer intake, at the end of which the user enters a password value we apply to their new Active Directory user object when we invoke the userPrincipal .NET method to create their user object. Our code also creates an account in our Azure AD tenant, with the correct values (ImmutableID) set for Azure AD Connect to import and join both accounts on its next pass (30 minutes AADC cycle wait time not acceptable for our requirements). We sync our password hashes from on-premise AD to Azure AD, and we have password complexity enabled in AD, and we enabled and added our own vocabulary to the Banned Words (substrings) facility in Azure AD. We are considering installing the MS "Password Protection" service on our DC's that will also apply Azure Banned Words checking when passwords are updated on-premise.
To keep this question short, we really would like to pre-validate the user entered passwords against all the password policies, including the banned words list (assume we install that service on all our on-prem DCs), but we can't find a method or service in .NET that will pre-validate that a proposed password passes all the active password policies. Our users tend to use Azure Self Service Password Reset, on-premise password changes later on are rare. But in the C# programming, it appears you have to actually request an Add of a new AD username to get .NET to evaluate the password value and signal status back, from the userPrincipal method in .NET
Anyone got any tricky ideas how to get a password pre-validated against AD password policies without the context of adding an actual new user, but assuming that the sAMAccountName that will be submitted does NOT yet exist in Active Directory? We thought about creating a temporary AD user with hash or base64 of a GUID for a unique temporary usernames, get any password evaluation feedback back from .NET, then delete the temporary user object, but that's a lot of overhead just to check a password, would trigger replications and generate beaucoup EventViewer and AD-AuditPlus log events, much junk network traffic. Thank you.