Step-by-Step guide to configure self-service password reset in Azure AD
Password reset for AD users is a common call, ticket for the help desk. This is sometime negatively affecting company operations. Because users will not have access to systems and applications until the password reset by help desk engineers. What if we can allow end users to reset their passwords them self in a secure manner?
Yes Azure AD is now gives opportunity to enable self-service password reset for the end-users. Also the password resets can sync with on-premises AD.
This feature is disabled by default. In this demo I will explain how to enable this feature and configure.
On the demo setup I am using have Azure AD instance which is sync with on-premises windows server 2016 TP4 AD.
1) Log in to the Azure Portal and load the Azure AD Instance
2) Then in Dashboard, under configure services you can find option “Self Service Password Reset” By default it’s disabled. Click on “Configure” to proceed with configuration.
3) Then in next page under User Password Reset Policy select option “Yes” next to “Users enabled for password reset”
4) Now it will give you options to configure the policy for the password reset. Let’s look in to some of these options and understand what they do.
Restrict access to password reset – Using this option password reset can only allow for a security group instead of allowing it for every user in the instance. Any member of allowed security group will get option to do a self-service password reset.
Authentication Methods Available to Users – its allow you to use following options to select with. We can allow to use any selected authentication methods for users.
Number of Authentication Methods Required – In this option we can choose how many methods required for successful password reset
Require users to register when signing in? – When this option is enabled users can register their own authentication method when sign up.
Write back passwords to on-premises active directory – with this option if a user reset password using self-service portal it will write back to the on-premises AD too.
In order to get this write back option work, it need to be enabled in Azure AD connect in on-premises AD.
5) In demo I am configuring “Security Questions” as authentication method. With that option you can define the different security questions, as well as the number of questions required to answer.
6) Once options are configure click on save to apply the changes.
7) Let’s see how it works in user end. I am trying to log in to azure portal as standard user. In first login it’s ask additional information to setup for password reset. Click on setup to provide the additional info.
8) Now all the additional info is saved. Let’s see how it works. I am going to log in with wrong password to simulate it. As soon as I done it, it ask if you need to reset the login.
9) Clicked on “Forgot your password ?” option
10) As first check it’s asking to enter the characters in picture. Click next to continue
11) Then it ask which option to use for the password reset, according to the policy. Select the option you like to use.
12) Then it’s ask for the second authentication. As per the policy.
13) Once authentication success, it’s ask to submit the new password.
If you have any questions about the post feel free to ask me on firstname.lastname@example.org