Attacks against Active Directory have been steadily increasing in the last few years. This is because Active Directory holds all domain joined user and machine credentials and permissions, making it a prime target for attackers. Interestingly, a lot of these attacks start by initially compromising an account. In a lot of cases this account doesn’t have a lot of permissions (such as a standard user account), but does allow for thorough enumeration of the AD environment to find misconfigurations and elevate privileges. This brings me to the importance of managing passwords in an Active Directory/ Azure Active Directory environment. AD Passwords are used with computer accounts, user accounts, trusts, service accounts, and more. Microsoft has provided both guidance and technical capability to natively protect these passwords in various ways to shrink the attack surface of the environment. We will review the various situations where account credentials are commonly compromised, the native Microsoft solutions to mitigate the compromise, and when it is appropriate to use which mitigation.