Enzoic for Active Directory works wherever the password is being set or changed. When rejected, the user is notified via the standard Windows message that a password does not pass domain policies (e.g. “The value provided for the new password does not meet the length, complexity, or history requirements of the domain”). If the change request has come from a third-party service (e.g. IAM platform), that service receives the standard Windows notification and displays accordingly.