This time let’s try out SSPR with the new MFA combined registration in a hybrid environment.
Before passwords can be changed on our local AD, Azure AD Connect must be configured with password writeback.
Self-Service Password Reset/Change/Unlock with on-premises writeback is a premium feature of Azure AD, so a license is required: Azure AD Premium P1/P2, Enterprise Mobility + Security or Microsoft 365.
So here we go, let’s configure Azure Active Directory Connect.
Select Customize synchronization options:
Enter your Global administrator credentials:
Go to Optional Features and enable Password writeback as shown:
Continue to Configure and select Configure:
Finally select Exit:
Now start Azure AD Connect again, select configure and View current configuration:
Note the account used:
We need to make sure that the account specified has the following rights set (in Active Directory) on the users we want to offer SSPR to:
- Reset password
- Change password
- Write permissions on
- Write permissions on
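Before moving on, it is worth verifying that the connector account really has the two password rights listed above and nothing broader, since an over-privileged writeback account is a high-value target. The following PowerShell is an added example and not part of the original post; it assumes the ActiveDirectory module is installed, and the OU path and account name are placeholders to replace with the account noted in "View current configuration".

```powershell
Import-Module ActiveDirectory

# Well-known extended-right GUIDs (controlAccessRight objects in the AD schema).
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Test-WritebackAccountRights {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,  # placeholder, e.g. 'OU=SSPR Users,DC=contoso,DC=local'
        [Parameter(Mandatory)][string]$AccountSamName         # placeholder for the connector account shown by Azure AD Connect
    )
    $ntAccount = (Get-ADUser -Identity $AccountSamName).SID.Translate([System.Security.Principal.NTAccount]).Value
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Only Allow ACEs granted to this account, whether set directly on the OU or inherited.
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ntAccount -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    }

    # An ExtendedRight ACE matches either the specific right GUID or Guid.Empty (= all extended rights).
    $hasRight = { param([Guid]$guid)
        [bool]($aces | Where-Object {
            [int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq [Guid]::Empty)
        })
    }

    # Rights far wider than SSPR writeback needs; any hit here should be reviewed and removed.
    $broad = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    $tooBroad = $aces | Where-Object { [int]($_.ActiveDirectoryRights -band $broad) -ne 0 }

    [pscustomobject]@{
        Account           = $ntAccount
        HasResetPassword  = & $hasRight $ResetPasswordGuid
        HasChangePassword = & $hasRight $ChangePasswordGuid
        BroadRights       = @($tooBroad | ForEach-Object { $_.ActiveDirectoryRights.ToString() })
    }
}

# Usage with placeholder values: expect both Has* properties to be True and BroadRights to be empty.
Test-WritebackAccountRights -OuDistinguishedName 'OU=SSPR Users,DC=contoso,DC=local' -AccountSamName 'MSOL_placeholder'
```

Run it against the OU (or domain root) that contains the synchronized SSPR users; if either Has* value is False, password writeback will fail for those users even though the portal shows the green checkmark.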
For the test I have created a user in the local Active Directory called PWDRESET and a group called PWDRESETGRP with the PWDRESET user as a member, and made sure that they are synchronized to Azure AD.
Go to the Azure portal select Azure Active Directory and Password reset:
On Properties we enable Password reset for selected users and use the group created in the local AD PWDRESETGRP and then save the change:
On Authentication methods we will require 2 methods to reset a password and enable Mobile app notification, mobile app code, email and Mobile phone:
On Registration we require new users to register their information at first login, and since this is a test we do not want users to reconfirm their authentication information; this is done by setting the value to zero as shown:
On Notifications we will notify users by mail when a password is reset:
On On-premises integration we make sure that writeback is on, and for this test we allow users to unlock accounts without resetting the password. We also need a green checkmark indicating that our Azure AD Connect is configured as expected.
The next step is to enable the new preview feature for registration of the users' security information.
Select Azure Active Directory and User Settings.
Select Manage settings for access panel preview features.
And then we enable the preview feature for registering and managing security info – enhanced again only for our test group.
The next step is to log in to Office 365 with the new user for the first time.
Enter the password for the user and sign in.
Since this is the first sign-in, we are required to enter more security information.
We can now switch to the phone and install the authenticator app.
Install and open the Microsoft Authenticator app on the phone (I will use an android device).
Add a new Account.
Select Work or school account.
And then go back to the browser and select Next.
We already did this so just click Next.
Now switch to the phone and scan the QR code.
Authenticator app on the phone.
Select Finish in the app
And now our new user is available in the app.
Switch back to the browser and click Next.
A notification will now be sent to the app.
Approve the request on the phone.
Status will then change in the browser to Notification approved and you can click Next.
Enter the phone number you will use (I will select a text message) and then Next.
You will receive a code in a text message on the phone.
Enter this code and select Next.
And we are all set, click Done.
The next step is to try it out by going to https://aka.ms/sspr
Enter the user mail address and the characters shown and click Next.
Select I forgot my password and Next.
Let’s try Approve a notification on my authenticator app and click Send Notification.
Approve the request on the Phone.
Since we chose that 2 methods were required to reset the password, let's select Text my mobile phone as the second method.
Enter the same phone number we registered and click Next.
You will get a code in a text message.
Enter the received code.
Now that the user is verified, enter the new password and confirm it. The password must comply with company requirements.
And the password has now been reset.
Now test it in your own environment.