Thursday, 11 April 2019

How to: Configure Azure Self-service password reset (SSPR)


It has always been a time-consuming struggle to reset passwords for users in Active Directory. It is possible to add a third-party password reset product to your Active Directory like the self-service password reset tool from FastPassCorp, but it adds additional costs and an additional administration layer to the enterprise.

In Azure you can use the integrated self-service password reset (SSPR) functionality to provide password reset to both cloud-only and synchronized AD users. If your users are synchronized from Active Directory, you need to enable Password Write-Back in AD Connect, and the Azure AD users need an Azure AD Premium license.

The process of enabling SSPR is pretty straightforward, and in the following I will demonstrate and describe the process in the Azure portal.


1. From the Azure portal navigate to the Azure Active Directory blade.



2. Within the directory where you will enable SSPR, select Password reset.




3. In the Properties blade you can enable SSPR, and you need to decide whether it is for all users or for selected groups. It might be a good idea to test the SSPR functionality on a group of selected users before enabling it for a broader group of users. Make your preferred selection and click Save.



4. Navigate to the Authentication methods blade. You need to configure the sections shown: first, whether the users must use one or two of the methods below to reset their password, then the methods users can choose between. If you choose to offer security questions to the users, you need to define how many questions the users must provide answers to, and the number of questions a user must answer correctly before resetting the password. You also need to select the questions to which the users must provide their personal answers.



5. You can choose predefined questions, or you can write your own questions in your preferred language.




6. If you choose to create custom questions, be aware that you must provide a variety of subjects so that all users can choose relevant questions. Add the predefined and custom questions that you find useful.


7. In the Registration blade you can enforce that users register for SSPR the next time they sign in. You also need to decide the interval at which users must re-confirm their authentication information.



8. In the Notifications blade you can enable email notifications to users when their password has been reset with SSPR. You can also enable notifications to all global administrators when other administrators reset their password with SSPR.




9. In the Customization blade you can provide the users a link to the helpdesk, either via an email address or a URL.




10. In the On-premises integration blade you can enable write-back of passwords for users synchronized from an on-premises Active Directory. In this example the configuration is greyed out because Password writeback hasn't been enabled in AD Connect. You can enable the Password writeback option in the AD Connect wizard under Optional features, as shown below.
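Before enabling SSPR for a pilot group of synchronized users, it is worth verifying the two prerequisites from the introduction (password writeback in AD Connect, and an Azure AD Premium plan per user). The following is an added example, not part of the original post; it assumes the pilot group from step 3 is named SSPR-Pilot and that the first part is run on the AD Connect server and the second from a workstation with the AzureAD module.

```powershell
# Part 1: run on the Azure AD Connect server (the ADSync module ships with AD Connect).
Import-Module ADSync
$features = Get-ADSyncAADCompanyFeature
if ($features.PasswordWriteBack) {
    Write-Host 'Password writeback is enabled in AD Connect.'
} else {
    # Without this, the On-premises integration blade stays greyed out (step 10).
    Write-Warning 'Password writeback is disabled; enable it under Optional features in the AD Connect wizard.'
}

# Part 2: run from an admin workstation with the AzureAD module (Install-Module AzureAD).
Connect-AzureAD | Out-Null
$groupName = 'SSPR-Pilot'   # assumption: the pilot group selected in step 3
$group = Get-AzureADGroup -SearchString $groupName | Select-Object -First 1
if (-not $group) { throw "Pilot group '$groupName' not found." }

$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }

$report = foreach ($member in $members) {
    $user = Get-AzureADUser -ObjectId $member.ObjectId
    # Any provisioned service plan starting with AAD_PREMIUM (P1 or P2, stand-alone or in a bundle) counts.
    $premium = (Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).ServicePlans |
        Where-Object { $_.ServicePlanName -like 'AAD_PREMIUM*' -and $_.ProvisioningStatus -eq 'Success' }
    [pscustomobject]@{
        User           = $user.UserPrincipalName
        SyncedFromAD   = [bool]$user.DirSyncEnabled
        HasPremium     = [bool]$premium
        # Synchronized users need a Premium plan (and writeback) for SSPR; flag the ones that would fail.
        NeedsAttention = ([bool]$user.DirSyncEnabled) -and (-not $premium)
    }
}
$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

Users reported with NeedsAttention set to True should be licensed before they are added to the SSPR group, otherwise their reset attempts will fail at step 17.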








11. When SSPR is enabled and users sign in the next time with their Azure AD account, they will be prompted to configure their settings according to the choices you made in the SSPR configuration.





12. The users need to set up the authentication methods you chose in the SSPR configuration. In this example I chose that they need to configure at least 1 option (I could have selected 2). In this example the user will provide answers to the security questions I chose in the SSPR configuration.



13. From the drop-down, choose the questions you prefer and provide answers you think you can remember in the future.



14. When the user has forgotten his password or just needs to change it, he can start the password reset process from the sign-in window by selecting Forgot my password.



15. The user needs to prove that he is not a robot.



16. The user needs to answer the number of questions you specified in the SSPR configuration.


17. If the user provides correct answers, he will get the option to change the password.


18. And voilà – all is good.