Password resets are common service desk request IT engineers deals with. Passwords are weak authentication method. Passwords are breakable, crackable and guessable. This is why Microsoft invested on password less authentication such as Windows Hello. However, majority of systems still use traditional user name and password to authenticate.
When user forget their password, it prevents them from accessing the systems or services they trying to access. Until someone with higher privileges reset user’s password his/her time will be wasted. It is manageable for small number of users but if its large organization, it can cost lot for both parties. This is why organizations use self-service password reset solutions. It will allow its users to reset their passwords in secure, controlled environment.
When it comes to Azure AD, it also can allow users to have self-service password reset feature. In one of my previous blog post I explained how it can enable. It can access using http://www.rebeladmin.com/2016/01/step-by-step-guide-to-configure-self-service-password-reset-in-azure-ad/ . Now Azure AD also allows to reset password directly from login screen of Azure AD join windows 10 devices. In this post, I am going to demonstrate this feature.
In order to use this feature, Azure AD environment should have following,
1. Enable self-service password reset – By default Azure AD do not have this feature enable. It need to enable before users use this feature. It can be enable for all the users or group of users.
In my demo environment, I have it enable for all the users.
Also in here users can have one or two authentication methods to reset password. if it’s using two methods, it will verify user using both methods.
2. Password writeback for Hybrid Environments – If its Hybrid environment (with on-premises AD) password writeback option should enable. Otherwise password which reset from Azure AD will not replicate back. This option is available in Azure AD connect. If you not enable this option, even if you have self-service password reset enable it will not allow password reset for users.
3. Windows 10 Fall Creator Update – This password reset feature is only available for Windows 10 Version 1709. So, make sure device is running with latest update. it can be apply using windows update. more details can find via https://support.microsoft.com/en-gb/help/4028685/windows-10-get-the-fall-creators-update
In my demo environment, I have an Azure Domain Join Windows 10 PC.
After I enable self-service password reset, I am going to log in to this PC as user RA722725@therebeladmin.com
on my login, it says I need to provide additional info for password recovery.
Click on Set it up now to continue.
Then it provides list of options I can use to verify. Select the option you need and click Next.
Now we have recovery options setup, let’s see how password reset works from the device.
On my Azure AD join device, in login screen I type the user name. but I do not get any option for password reset. This is because I am also using PIN option for login. If you are using PIN you probably end up using PIN instead of password. so, if you using PIN and still need to recover password, click on Sign -in option
Then click on number pad sign to select PIN option.
Then click on I forgot my PIN option. I know this is confusing as we trying to reset password. but unfortunately, option is in PIN reset page.
Then it will open new window. In their click on Forgotten password option.
Now it opens a new window to reset password. click Next to proceed.
Then it gives option for verification. Select the method you like to use. You can’t change your registered data in here.
After successful verification, it gives option to define new password. after type new password, click on Next to proceed.
Then click on Finish to complete the process.
Then I can login to device with new password.
Cool ha???, as expected we were able to reset password on device login screen. This marks the end of this blog post. If you have any questions feel free to contact me on email@example.com also follow me on twitter @rebeladm to get updates about new blog posts.