In part 4 of this series on implementing modern security tools, we will now look at how to empower end users to remove the burden of many an IT helpdesk. Yes of course, we are talking about the “can you please reset my password” call that helpdesk’s around the globe receive on a daily and often more frequent basis, and how to reduce or eliminate these calls with Azure Self-Service Password Reset.
- Implementing Modern Security Tools – Part 1 – Azure AD Password Protection
- Implementing Modern Security Tools – Part 2 – Microsoft LAPS
- Implementing Modern Security Tools – Part 3 – Conditional Access
- Implementing Modern Security Tools – Part 4 – Password Reset
Consumerisation of IT
In the past decade, more so than any that have come before it, the world of consumer-based IT systems and applications has driven what end users expect. Today there are very few exceptions whereby a consumer could not, for instance, perform a reset of their account details via a self-service portal.
Up until recently, enterprise adoption of self-service systems, however, was something that often required third party solutions. With the move to the hybrid / co-managed world, we can now use cloud delivered services, on-premise. A great use case for this is Azure Self-Service Password Reset.
Azure Self-Service Password Reset
Azure Active Directory Password Reset, provides the ability to self-service the resetting of the end user’s password. Limiting to groups of users, requiring multi-factor authentication, and most importantly, full auditing, are all core features of this service. The join between the Azure and on-premise active directory is of course handled by Azure AD Connect, and more specifically requires the password write-back feature to be enabled. So let’s run through what the self service reset process looks like, and how to set it up from scratch.
Microsoft provide detailed information on the service here – https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
Enabling Azure Self-Service Password Reset
Azure AD Connect
- First of all we need to ensure that Azure AD Connect is enabled for Password Write-Back;
- Open the Azure AD Connect setup;
- Click on “View Current Configuration“
- Click Next
- Scroll down and check the value under “PASSWORD WRITEBACK”
- If the password write-back feature is disabled, simply go back a step and click on “Customize synchronization options“
- When prompted enter your Azure AD administrative account details
- Click on Next until you get to the “Optional Features” page;
- Check the “Password writeback” checkbox
- Click next through the remaining screens
With Azure AD Connect enabled for password write-back, the next step to do is enable the feature in the Azure portal.
- Launch the Azure portal and log in with an administrative account – https://portal.azure.com
- Click on the Azure Active Directory blade
- Click on Password Reset
- Now we need to decide who should have password reset access. The options are none (default), selected and all. In this case I am limiting the feature to members of the “SCConfigMgr Lab Users” group
- Click Authentication methods
- Select the number and type of authentication methods required (I would suggest two in production environment)
- Save the settings
- Click on Registration
- Require the users to register when signing in for the first time (post enabling) and set a period to prompt for re-confirmation of details;
- Save the settings
- Click on Notifications
- Specify whether you want users to receive password reset notifications, and whether all administrators should receive notification of administrator password resets;
- Clicking on the “On-Premise” integration will display the current status of your on-premise server along with options for enabling/disabling password write-back and unlocking of user accounts;
The End-User Experience
Once enabled for the password reset service, the end-user will need to run through a registration process. This process is required to set up the additional verification methods to ensure that the user is who they claim to be. In the below example I am using the Office 365 portal sign on page for examples.
- User opens the Office 365 portal page
- Signs in using their Active Directory / Office 365 logon
- They are now prompted to provide additional account information;
- Earlier we had set the requirement to Mobile Phone, the end user is now prompted to “Set up” their details;
- The user is now prompted for their phone number;
- The user is prompted for the verification code
- Once the confirmation code is verified, the user is now set up for password reset
Password Reset Process
Now that the user has registered, lets run through what the reset process looks like;
- User opens the Office 365 portal
- Clicks on the “Forgotten my password” link
- They are prompted for captcha verification:
- Selects the “I’ve forgotten my password” option and clicks next
- The user is prompted for their mobile phone number. This must match that set up during the registration process;
- The verification code is entered
- The user enters a new password;
- The password reset process has been completed and the user receives confirmation;
Password Reset Logging
To check password resets have been successful, you can view the audit logs on the Azure Portal.
- To do so, simply open the portal again
- Click on Azure Active Directory
- Click on Password Reset
- Click on Audit Logs
On your domain controller(s) you will also see event ID 4742 generated when a reset event occurs;
Azure Self-Service Password Reset is a quick and easy means of empowering users to take control, when their password just won’t come to them, or for consultants who do not log into sites on a regular basis, but also need to at a moments notice.
Thanks for reading