If you’re currently an Azure AD Premium or Enterprise Mobility Suite (EMS) customer, you may know that you have access to a GREAT cloud-based password reset tool from Microsoft. Recently, Microsoft has changed this experience and we’ll walk through the options, especially the new ability to unlock an account.
Please note that password writeback is available in releases of Azure AD Connect, or the Azure AD Sync tool, with version number 1.0.0419.0911 or higher. Password writeback with automatic account unlock is available in releases of Azure AD Connect, or the Azure AD Sync tool, with version number 1.0.0485.0222 or higher. If you are running an older version, please upgrade to at least the required version before proceeding.
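As an added example (not part of the original post), the following PowerShell checks the installed Azure AD Connect / Azure AD Sync version on the sync server against the two thresholds above and reports which SSPR writeback features it supports. It assumes the product is listed under the standard Uninstall registry key with a DisplayName beginning "Microsoft Azure AD Connect" or "Microsoft Azure AD Sync", that the Azure AD connector name ends in "- AAD", and that the ADSync module exposes Get-ADSyncAADPasswordResetConfiguration -Connector (verify the cmdlet on your version).

```powershell
# Added example: version gate for SSPR password writeback and account unlock.
# Thresholds are the ones cited in the post; registry layout and ADSync cmdlet
# usage are assumptions, so verify them against your own sync server.
$WritebackMin = [version]'1.0.0419.0911'   # password writeback
$UnlockMin    = [version]'1.0.0485.0222'   # writeback + automatic account unlock

function Get-AadConnectVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' -or
                       $_.DisplayName -like 'Microsoft Azure AD Sync*' } |
        Select-Object -First 1
    if (-not $entry) { return $null }
    return [version]$entry.DisplayVersion
}

function Test-SsprWritebackSupport {
    param([Parameter(Mandatory)][version]$Installed)
    [pscustomobject]@{
        InstalledVersion    = $Installed
        PasswordWritebackOk = $Installed -ge $WritebackMin
        AccountUnlockOk     = $Installed -ge $UnlockMin
    }
}

$installed = Get-AadConnectVersion
if (-not $installed) {
    Write-Warning 'Azure AD Connect / Azure AD Sync not found under the Uninstall registry keys.'
    return
}
$support = Test-SsprWritebackSupport -Installed $installed
$support | Format-List

if (-not $support.AccountUnlockOk) {
    Write-Warning "Upgrade to at least $UnlockMin before enabling account unlock."
}

# Optional: confirm writeback is actually switched on for the Azure AD connector
# (assumed connector naming and cmdlet; skipped when the ADSync module is absent).
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
    if ($aadConnector) {
        Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
    }
}
```

Run it in an elevated PowerShell session on the Azure AD Connect server itself, since both the Uninstall key and the ADSync module live there.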
Once you are running the correct version, you’ll have to make sure the options are checked and enabled in the Azure AD portal per your requirements.
In this case we’re not restricting this to a specific group, we’re allowing all methods except for Security Questions, and they only have to provide one method of authentication.
NOTE: If your account is a member of a privileged group (i.e. Domain Admins), it will automatically require a second factor of authentication. There is no way to disable this; the purpose is to provide the highest level of security for your sensitive accounts.
Let’s go test the experience!
First, navigate to one of the following links:
I also recommend that customers create a domain-friendly CNAME record such as passwordreset.yourdomain.com as well.
First, we need to enter an account, to ensure that the user has the proper licensing and that SSPR is enabled.
Make sure you enter the Captcha information correctly; I always miss it the first few times 🙂
Once the back-end validation completes, you are prompted with two options: one for a reset scenario and one for an unlock scenario.
Let’s look at a password reset first.
Choose your verification method.
NOTE: The first time you use the service or log in to an O365 portal, it will prompt you to configure your preferred methods.
You can also have them go here:
Let’s check our e-mail for the verification code.
There we go!
Now let’s enter our new password.
NOTE: This WILL adhere to any on-premises GPOs that are set up around password policies today!
This should sync back to your on-premises directory in <500ms.
Alright, let’s take a look at the new Unlock option.
You’ll see that, similarly, you get prompted for your factor of authentication.
Let’s check our e-mail and put it in.
Now your account has been unlocked without ever talking to the helpdesk!
I also don’t want to overlook the fact that in a Password Change scenario (where you know your password, but it may be expiring soon), you can also change it at any time without additional authentication, since you’ve already logged into a service.
An example of this can be found in the MyApps portal.
Let’s navigate to my user profile
and choose Change password.
From here you can see we get taken to a portal where we first enter our OLD password (first auth factor) and then our new password twice.