Monday, March 11, 2019

Azure Active Directory (Azure AD) self-service password reset (SSPR)

This time let’s try out SSPR with the new MFA combined registration in a hybrid environment.

Before passwords can be changed on our local AD, Azure AD Connect must be configured with password writeback.

Self-Service Password Reset/Change/Unlock with on-premises writeback is a premium feature of Azure AD, so a license is required; it can be Azure AD Premium P1/P2, Enterprise Mobility + Security or Microsoft 365.

So here we go, let’s configure Azure Active Directory Connect.

Select Customize synchronization options:

Enter your Global administrator credentials:

Go to Optional Features and enable Password writeback as shown:

Continue to Configure and select Configure:

Finally select Exit:

Now start Azure AD Connect again, select Configure and then View current configuration:

Note the account used by the synchronization service (the AD DS connector account):

We need to make sure that this account has the following rights on the users we want to offer SSPR (set in the local Active Directory, typically on the OU that holds those users):

  • Reset password
  • Change password
  • Write permissions on lockoutTime
  • Write permissions on pwdLastSet
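
As an added example (not part of the original post), the following PowerShell checks whether the connector account actually holds these four rights on an OU, so the check can be repeated after delegation or an OU move. It assumes the RSAT ActiveDirectory module is installed; the account name and OU distinguished name are placeholders.

```powershell
# Added example: report the SSPR writeback rights held by the AD DS connector account on an OU.
# Rights are matched by GUID resolved from the schema/Extended-Rights container, so nothing is hard-coded.
Import-Module ActiveDirectory

function Test-SsprWritebackRights {
    param(
        [Parameter(Mandatory)][string]$ConnectorAccount,   # 'DOMAIN\MSOL_xxxxxxxx' (placeholder)
        [Parameter(Mandatory)][string]$SearchBase          # DN of the OU holding the SSPR users (placeholder)
    )
    $rootDse = Get-ADRootDSE

    # Extended rights are identified by rightsGuid, attributes/classes by schemaIDGUID.
    function Get-RightGuid([string]$DisplayName) {
        [guid](Get-ADObject -SearchBase $rootDse.configurationNamingContext `
            -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
            -Properties rightsGuid).rightsGuid
    }
    function Get-SchemaGuid([string]$LdapDisplayName) {
        [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID).schemaIDGUID
    }
    $required = [ordered]@{
        'Reset password'    = @{ Right = 'ExtendedRight'; Guid = Get-RightGuid 'Reset Password' }
        'Change password'   = @{ Right = 'ExtendedRight'; Guid = Get-RightGuid 'Change Password' }
        'Write lockoutTime' = @{ Right = 'WriteProperty'; Guid = Get-SchemaGuid 'lockoutTime' }
        'Write pwdLastSet'  = @{ Right = 'WriteProperty'; Guid = Get-SchemaGuid 'pwdLastSet' }
    }
    $userClass = Get-SchemaGuid 'user'

    # Only Allow ACEs for this account that apply to user objects (or to all object types) count.
    $acl  = Get-Acl -Path "AD:\$SearchBase"
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ConnectorAccount -and
        ($_.InheritedObjectType -eq [guid]::Empty -or $_.InheritedObjectType -eq $userClass)
    }
    foreach ($name in $required.Keys) {
        $req     = $required[$name]
        $needed  = [System.DirectoryServices.ActiveDirectoryRights]$req.Right
        $generic = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        # An empty ObjectType means "all extended rights" / "all properties", which also satisfies the check.
        $granted = [bool]($aces | Where-Object {
            $_.ActiveDirectoryRights.HasFlag($generic) -or
            ($_.ActiveDirectoryRights.HasFlag($needed) -and
             ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $req.Guid))
        })
        [pscustomobject]@{ Right = $name; Granted = $granted }
    }
}

# Placeholder values; replace with the account shown in the Azure AD Connect configuration and your OU.
Test-SsprWritebackRights -ConnectorAccount 'CORP\MSOL_xxxxxxxx' -SearchBase 'OU=Users,DC=corp,DC=example'
```

Any row reporting `Granted = False` is a right that still has to be delegated before writeback will succeed for users in that OU.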

For the test I have created a user in the local Active Directory called PWDRESET and a group called PWDRESETGRP with the PWDRESET user as a member, and made sure that they are synchronized to Azure AD.

Go to the Azure portal, select Azure Active Directory and then Password reset:

On Properties we enable Password reset for selected users, pick the group created in the local AD (PWDRESETGRP) and then save the change:

On Authentication methods we require 2 methods to reset a password and enable Mobile app notification, Mobile app code, Email and Mobile phone:

On Registration we require new users to register their information at first login, and since this is a test we do not want users to reconfirm their authentication information; this is done by setting the number of days to zero as shown:

On Notifications we will notify users by mail when a password is reset:

On On-premises integration, we make sure that writeback is on, and for this test we allow users to unlock accounts without resetting the password. At the same time we need a green checkmark indicating that our Azure AD Connect is configured as expected.

The next step is to enable the new preview feature for registration of the users' security information.

Select Azure Active Directory and User Settings.

Select Manage settings for access panel preview features.

And then we enable the preview feature for registering and managing security info – enhanced, again only for our test group.

The next step is to log in to Office 365 with the new user for the first time.

Enter the password for the user and sign in.

Since this is the first sign-in, we are required to enter more security information.

We can now switch to the phone and install the authenticator app.

Install and open the Microsoft Authenticator app on the phone (I will use an Android device).

Add a new Account.

Select Work or school account.

And then go back to the browser and select Next.

We have already installed the app, so just click Next.

Now switch to the phone and scan the QR code.

The QR code is scanned in the Authenticator app on the phone.

Select Finish in the app.

And now our new user is available in the app.

Switch back to the browser and click Next.

A notification will now be sent to the app.

Approve the request on the phone.

The status in the browser will then change to Notification approved and you can click Next.

Enter the phone number you will use (I will select a text message) and then click Next.

You will receive a code in a text message on the phone.

Enter this code and select Next.

And we are all set, click Done.

The next step is to try it out by going to https://aka.ms/sspr

Enter the user mail address and the characters shown and click Next.

Select I forgot my password and Next.

Let’s try Approve a notification on my authenticator app and click Send Notification.

Approve the request on the phone.

Since we chose to require 2 methods to reset a password, let’s select Text my mobile phone as the second method.

Enter the same phone number we registered and click Next.

You will get a code in a text message.

Enter the received code.

Now that the user is verified, enter the new password and confirm it. The password must comply with company requirements.

And the password has now been reset.

Now test it in your own environment.
