Requirements for setting up self service password reset


One of the goals of a modern workplace is a good user experience, and one of the steps towards it is giving users the ability to reset their own passwords, since password resets are among the most common support issues that SCS receives.

As part of Azure AD you can set up Self-Service Password Reset (SSPR) as long as you hold one of the following licenses:

  • Azure AD Premium P1
  • Azure AD Premium P2
  • Enterprise Mobility + Security E3 or A3
  • Enterprise Mobility + Security E5 or A5
  • Microsoft 365 E3 or A3
  • Microsoft 365 E5 or A5
  • Microsoft 365 F1
  • Microsoft 365 Business

In theory a single premium license is enough to activate the service, but keep in mind that licensing is a legal matter from Microsoft's perspective, so my recommendation is to license every user who will use this feature.

Another question I hear from some customers is whether this feature is secure. It is: password writeback runs through the Azure AD Connect server, which makes an outbound connection to the cloud service and picks up reset requests from there, so no inbound port has to be opened and nothing on the internet can write to your on-premises AD directly.

Regarding the sync method, it does not matter which one you use; password writeback works with all of them. Continuing with the requirements, your on-premises users must have the following attributes populated (these are the two AD attributes behind the phone methods in Azure AD):

  • telephoneNumber (shown as Office phone in Azure AD)
  • mobile (shown as Mobile phone in Azure AD)

And if you created a dedicated account for Azure AD Connect with limited permissions (which is a best practice), that account needs the following additional permissions in AD:

  • Reset password
  • Change password
  • Write permission on lockoutTime
  • Write permission on pwdLastSet

You will also need to enable password writeback in Azure AD Connect (it is an optional feature in the configuration wizard) and turn on writeback under Password reset in the Azure AD portal, so have an account with administrative rights in Azure AD at hand; the wizard asks for Azure AD global administrator credentials when you enable the feature.

And finally, if you want to use this feature from the Windows 10 login screen, it has to be enabled on the client as well. This is done with a Registry value or an OMA-URI policy in Intune (the exact settings are covered in the Windows 10 section below).

That’s all for today!

All users in the local Active Directory should have the following attributes populated. The phone methods in Azure AD can be sourced either from these attributes, which are synced out, or from the phone numbers users registered when they enabled MFA in Azure AD.
If MFA is not enabled, ensure that users have the following attributes set:

  • telephoneNumber (Office phone in Azure AD)
  • mobile (Mobile phone in Azure AD)
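To check this requirement before enabling the feature, here is an added audit script (not part of the original post) that lists enabled users who have neither telephoneNumber nor mobile populated, and flags numbers that are not in the international "+<country code> <number>" format that Azure AD recommends. It assumes the ActiveDirectory RSAT module; the search base and the output file name are placeholders, and the format pattern is a plausibility check of my own, not Microsoft's validator.

```powershell
# Added example: audit AD users for the phone attributes SSPR consumes.
# Assumes the ActiveDirectory module (RSAT). SearchBase and the CSV path are placeholders.
Import-Module ActiveDirectory

function Get-SsprPhoneReadiness {
    param(
        # Placeholder search base; point it at the OU(s) you sync to Azure AD.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
        -Properties telephoneNumber, mobile

    foreach ($u in $users) {
        $issues = @()

        # Azure AD maps telephoneNumber -> Office phone and mobile -> Mobile phone.
        # At least one of them must be present for a phone-based reset method.
        if ([string]::IsNullOrWhiteSpace($u.telephoneNumber) -and
            [string]::IsNullOrWhiteSpace($u.mobile)) {
            $issues += 'No phone attribute populated'
        }

        # International format is expected, e.g. "+44 2079460000".
        # This regex is my own plausibility check (assumption), not Microsoft's validator.
        foreach ($attr in 'telephoneNumber', 'mobile') {
            $val = $u.$attr
            if (-not [string]::IsNullOrWhiteSpace($val) -and $val -notmatch '^\+\d{1,3}\s?[\d\s]{4,16}$') {
                $issues += "$attr '$val' is not in +<country code> <number> format"
            }
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                telephoneNumber = $u.telephoneNumber
                mobile          = $u.mobile
                Issues          = ($issues -join '; ')
            }
        }
    }
}

# Usage: show the gaps and hand the list to the service desk to fix.
$report = Get-SsprPhoneReadiness
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\sspr-phone-gaps.csv -NoTypeInformation
```

Run it with the OU you actually sync as -SearchBase; users outside the sync scope do not matter for SSPR, and users who already registered MFA methods in Azure AD can be ignored in the report.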

And if you created your Azure AD Connect service account with limited access, you need to make sure that the service account has the following permissions in your local Active Directory so that it can write passwords back:

  • Reset password
  • Change password
  • Write permissions on lockoutTime
  • Write permissions on pwdLastSet
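The following is an added script (not from the original post) that delegates the four permissions listed here, and in the requirements section earlier, to the Azure AD Connect AD DS connector account at the domain root, inherited by all user objects. It resolves the GUIDs of the two control-access rights and the two attributes from the schema and configuration partitions instead of hard-coding them, applies the ACEs with Set-Acl, and reads the ACL back so the result can be verified. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the account name CONTOSO\MSOL_1a2b3c4d5e6f is a placeholder for your own connector account.

```powershell
# Added example: delegate password-writeback permissions to the AD Connect connector account.
# Assumes the ActiveDirectory module; run as a Domain Admin. The account name is a placeholder.
Import-Module ActiveDirectory

function Grant-PasswordWritebackPermissions {
    param(
        [Parameter(Mandatory)] [string]$ConnectorAccount,            # e.g. 'CONTOSO\MSOL_1a2b3c4d5e6f'
        [string]$TargetDN = (Get-ADDomain).DistinguishedName        # domain root by default
    )

    $rootDse = Get-ADRootDSE
    $sid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Look up GUIDs from the directory rather than hard-coding them.
    function Get-SchemaGuid([string]$ldapName) {
        [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID).schemaIDGUID
    }
    function Get-ExtendedRightGuid([string]$displayName) {
        [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
            -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid).rightsGuid
    }

    $userClass = Get-SchemaGuid 'user'
    $inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # Control-access rights "Reset Password" and "Change Password" on descendant user objects.
        foreach ($right in 'Reset Password', 'Change Password') {
            New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                $allow, (Get-ExtendedRightGuid $right), $inherit, $userClass)
        }
        # Write property on lockoutTime (account unlock) and pwdLastSet (password expiry handling).
        foreach ($attr in 'lockoutTime', 'pwdLastSet') {
            New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                $allow, (Get-SchemaGuid $attr), $inherit, $userClass)
        }
    )

    $acl = Get-Acl -Path "AD:\$TargetDN"
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

    # Return the ACEs now granted to the account so the delegation can be verified.
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.IdentityReference.Value -eq $ConnectorAccount } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

Grant-PasswordWritebackPermissions -ConnectorAccount 'CONTOSO\MSOL_1a2b3c4d5e6f'
```

Because the ACEs are inherited rather than set per user, newly created users are covered automatically; if you scope the sync to specific OUs you can pass one of those OUs as -TargetDN instead of the domain root to keep the delegation as narrow as the sync scope. The exact permission set Microsoft documents has changed across Azure AD Connect versions, so compare the list against the documentation for the version you run.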

Once password writeback is enabled in Azure AD Connect, the Azure AD portal (Password reset > On-premises integration) reports the feature as available.
Here you can also define whether users are allowed to unlock their accounts without resetting their password.


Under Properties you also define which users are allowed to reset their passwords: none, a selected group, or all users.
If not every user is licensed, enable the feature only for an Azure AD group that contains the users who are licensed to reset their passwords.


Also under Registration you define which methods an end user must have registered before the password reset option can be used. If we have this enabled,


Password reset from Windows 10

This feature can also be used directly from the Windows 10 login screen. To make it available, the option has to be enabled on the client.

This can be done either with an OMA-URI policy in Intune or with a Registry value via Group Policy. The following settings need to be configured for the option to appear for end users.

OMA-URI

  • OMA-URI set to ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
  • Data type set to Integer
  • Value set to 1

Registry

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
  • "AllowPasswordReset"=dword:00000001

After this has been configured, the following option appears on the login screen.
NOTE: this option is shown regardless of whether the user has an assigned license or whether the service has been configured.


It is important to note that this feature does not work on networks with 802.1x network authentication deployed together with the option “Perform immediately before user logon”. For networks with 802.1x, use machine authentication instead, so that the client has network access before the user logs on.

If your Windows 10 machines are behind a proxy server or firewall, HTTPS traffic (TCP 443) to passwordreset.microsoftonline.com and ajax.aspnetcdn.com must be allowed.
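To confirm both client-side requirements from this section on a given machine, here is an added readiness check (not part of the original post). It reads back the AllowPasswordReset policy value, tests TCP 443 to the two endpoints directly, and then repeats the first one through Invoke-WebRequest, which honours the system proxy, so the two results together tell you whether a failure is a firewall problem or a proxy-only egress path. It assumes the registry path set by the Group Policy method; that the Intune OMA-URI lands on the same value is my assumption, so on Intune-managed devices verify that value yourself. The Enable function applies the same registry value locally for a lab machine.

```powershell
# Added example: client-side readiness check for the Windows 10 lock-screen reset link.
# Run elevated on the client. Registry path matches the Group Policy method shown above;
# that the Intune OMA-URI writes the same value is an assumption.
function Test-LockScreenSsprReadiness {
    $result = [ordered]@{}

    # 1. Policy: AllowPasswordReset must be a DWORD of 1 under the AzureADAccount policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
    $value = (Get-ItemProperty -Path $key -Name AllowPasswordReset -ErrorAction SilentlyContinue).AllowPasswordReset
    $result['AllowPasswordReset'] = ($value -eq 1)

    # 2. Direct TCP 443 reachability. Test-NetConnection bypasses the system proxy, so a
    #    failure here while the browser works usually means egress is proxy-only.
    foreach ($endpoint in 'passwordreset.microsoftonline.com', 'ajax.aspnetcdn.com') {
        $tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
        $result["Tcp443:$endpoint"] = [bool]$tcp.TcpTestSucceeded
    }

    # 3. Proxy-aware check: Invoke-WebRequest uses the system proxy settings.
    try {
        $null = Invoke-WebRequest -Uri 'https://passwordreset.microsoftonline.com/' -UseBasicParsing -TimeoutSec 10
        $result['HttpsViaProxy:passwordreset.microsoftonline.com'] = $true
    } catch {
        # An HTTP error status still proves TLS reached the service; only transport failures count.
        $result['HttpsViaProxy:passwordreset.microsoftonline.com'] = ($null -ne $_.Exception.Response)
    }

    [pscustomobject]$result
}

function Enable-LockScreenSspr {
    # Local equivalent of the Group Policy setting: create the key and the DWORD value.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name AllowPasswordReset -PropertyType DWord -Value 1 -Force | Out-Null
}

Test-LockScreenSsprReadiness
```

A machine that passes the policy check but fails the direct TCP test and passes the proxy-aware test is the typical corporate case: the lock-screen link will only work if the proxy is reachable before logon, which is exactly the scenario the 802.1x note above warns about.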
