
Monday, March 25, 2019

Azure AD Password Reset on login screen

In one of the last posts we enabled SSPR in our hybrid environment.

https://blog.mindcore.dk/2019/03/azure-active-directory-azure-ad-self.html

This time let’s enable password reset on the Windows 10 clients login screen.

Before we start we need to be aware of the following:

  • Supported on Windows 10 April 2018 Update (version 1803).
  • The device must be Azure AD-joined or Hybrid Azure AD-joined.
  • Azure AD self-service password reset must be set up and configured.
  • If a proxy is used, you must add passwordreset.microsoftonline.com and ajax.aspnetcdn.com to your HTTPS traffic (port 443) Allowed URLs list.
  • Not supported on a Remote Desktop (see info on Hyper-V later).
  • There are known issues if Ctrl+Alt+Del is required at logon (before 1809).
  • If lock screen notifications are turned off, SSPR will not work.

Essentially what we need on the client is just a registry key set:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount\AllowPasswordReset=dword:00000001

This can of course be done in multiple ways, like Intune and SCCM, but for this test let’s use old school Group Policy Preferences.


The result must in all situations be that the client has this value set:
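The same result can be reached without Group Policy. The script below is an added example, not part of the original post: run elevated on the client, it checks the prerequisites listed above (OS build, Azure AD join state, lock screen notifications), sets the registry value from the post, and reads it back. Assumptions not stated on the page: build 17134 is the first 1803 build, the dsregcmd /status output line is "AzureAdJoined : YES", and the lock screen notification policy is the DisableLockScreenAppNotifications value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System.

```powershell
# Added example (not from the original post). Run elevated on the Windows 10 client.
# Enables the login-screen "Reset password" button by setting the value named in the post,
# after checking the prerequisites the post lists.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$ValueName = 'AllowPasswordReset'

# 1. Windows 10 1803 or later (assumption: 17134 is the first 1803 build)
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -lt 17134) {
    Write-Warning "Build $build is older than 1803 (17134); login-screen SSPR is not supported."
}

# 2. Device must be Azure AD-joined or Hybrid Azure AD-joined
#    (assumption: dsregcmd /status prints a line "AzureAdJoined : YES" in both cases)
$dsreg = dsregcmd /status
$aadJoined = ($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
if (-not $aadJoined) {
    Write-Warning 'dsregcmd does not report AzureAdJoined : YES; the Reset password button will not appear.'
}

# 3. Lock screen notifications must not be turned off by policy
#    (assumption: the policy value is DisableLockScreenAppNotifications under ...\Windows\System)
$notifyPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$disabled = (Get-ItemProperty -Path $notifyPolicy -Name 'DisableLockScreenAppNotifications' `
             -ErrorAction SilentlyContinue).DisableLockScreenAppNotifications
if ($disabled -eq 1) {
    Write-Warning 'Lock screen notifications are disabled by policy; SSPR on the login screen will not work.'
}

# 4. Set AllowPasswordReset = 1 (the same change the GPP registry item makes)
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord

# 5. Read the value back so the script fails loudly if it did not stick
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($current -ne 1) {
    throw "$ValueName is '$current', expected 1"
}
Write-Output "$KeyPath\$ValueName = $current"
```

The prerequisite checks only warn rather than stop, because a device that is not yet joined or patched can still have the value staged; the final read-back is the part that should fail the run if the key was not written.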

With the value set in registry the user will see a Reset password button.

When a user clicks on the Reset password button the following dialog will be shown.

We will use the same user we created in the first post.

Enter the mail address of the user.

Here I have selected Text my mobile phone as the first verification method and entered my phone number.

A code is then received in a text message.

The code is then entered on Windows 10.

I have then selected Email my alternate email as the second contact method and entered that email address.

For the time being I cannot select the authenticator app that we used in the first post!


A code is then received in a mail.

The code from the mail is then entered.

Now that we are verified, enter the new password and confirm it. The password must comply with the company requirements.

Password is now reset.

And we are able to log in to Windows with the new password.

As stated, Remote Desktop is not supported, and when testing on Hyper-V in an Enhanced session you will not see the Reset password button; turn off the Enhanced session as shown.

And the Reset password is back.

You can see information about the progress of the password reset in the Azure AD audit log.
