If you are concerned about the security of password writeback, the feature itself is designed conservatively.

Writeback is performed by Azure AD Connect, but nothing in the cloud can open a connection into your network to trigger it. The network channel used for writeback operations (for example a password reset) is always initiated outbound from the on-premises Azure AD Connect server to the cloud service over Azure Service Bus; the relay then provides a bi-directional socket over that outbound connection, so requests can flow back to the server at runtime without any inbound firewall rule.

From a security perspective, the communication uses the following encryption mechanisms:

  • RSA 2048-bit private/public key pair
  • AES-GCM (256-bit key, 96-bit IV/nonce, 128-bit authentication tag)

When Azure AD Connect is configured, a new private/public key pair is generated on-premises. The cloud backend receives only the public key; Azure AD Connect keeps the private key and never sends it anywhere. In addition, an AES-GCM symmetric key is exchanged for use at runtime: a 32-byte (256-bit) key, a 12-byte (96-bit) nonce per message and a 16-byte (128-bit) tag. A request from the cloud service contains the new password, encrypted with the on-premises public key so that only the Azure AD Connect server can recover it, together with request metadata. The whole request is then encrypted and integrity-protected with AES-GCM and sent on-premises via Azure Service Bus. The password is therefore protected twice: a party that somehow obtained the session key would still see only the RSA-wrapped password, and any modification in transit fails the GCM tag check.
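The two-layer scheme just described, as an added PowerShell illustration that is not Azure AD Connect's own code: an RSA-2048 key pair whose public half is handed to the "cloud" side, a 256-bit AES-GCM session key with a 96-bit nonce and 128-bit tag, a request that wraps the password under the public key and then encrypts the whole envelope with AES-GCM, and the on-premises side verifying the tag before unwrapping. The function names, the JSON envelope layout and the OAEP-SHA256 padding are assumptions made for the demo, and the sample password and metadata are constructed. It needs PowerShell 7 or later, because System.Security.Cryptography.AesGcm requires .NET Core 3.0+.

```powershell
# Added illustration of the described hybrid scheme (RSA-2048 wrap + AES-256-GCM).
# Not Azure AD Connect code; function names, envelope format and OAEP padding are assumptions.
using namespace System.Security.Cryptography
using namespace System.Text

# On-premises side (Azure AD Connect server): key pair generated once at configuration time.
$OnPremRsa = [RSA]::Create(2048)
# Only the public parameters leave the server; the private key stays on-premises.
$publicOnly = $OnPremRsa.ExportParameters($false)

# Cloud side: holds the public key only, so it can wrap a password but never unwrap one.
$CloudRsa = [RSA]::Create()
$CloudRsa.ImportParameters($publicOnly)

# Runtime symmetric key shared by both sides: 32 bytes = 256-bit AES key.
$Rng    = [RandomNumberGenerator]::Create()
$AesKey = [byte[]]::new(32)
$Rng.GetBytes($AesKey)

function Protect-WritebackRequest {
    # Cloud side: build an encrypted "set this new password" request.
    param([string]$NewPassword, [string]$Metadata)

    # 1. The password alone is encrypted to the on-premises public key (RSA-OAEP).
    $wrapped = $CloudRsa.Encrypt([Encoding]::UTF8.GetBytes($NewPassword), [RSAEncryptionPadding]::OaepSHA256)

    # 2. Wrapped password plus metadata form the request body (JSON layout is an assumption)...
    $envelope  = @{ Metadata = $Metadata; WrappedPassword = [Convert]::ToBase64String($wrapped) } | ConvertTo-Json -Compress
    $plaintext = [Encoding]::UTF8.GetBytes($envelope)

    # 3. ...which is then encrypted and authenticated with AES-GCM before it crosses Service Bus.
    $nonce = [byte[]]::new(12)      # 96-bit nonce: unique per message under the same key
    $Rng.GetBytes($nonce)
    $ciphertext = [byte[]]::new($plaintext.Length)
    $tag        = [byte[]]::new(16) # 128-bit authentication tag
    $aes = [AesGcm]::new($AesKey)
    try     { $aes.Encrypt($nonce, $plaintext, $ciphertext, $tag) }
    finally { $aes.Dispose() }

    [pscustomobject]@{ Nonce = $nonce; Ciphertext = $ciphertext; Tag = $tag }
}

function Unprotect-WritebackRequest {
    # On-premises side: the GCM tag is checked first; only then is the password unwrapped.
    param([pscustomobject]$Request)

    $plaintext = [byte[]]::new($Request.Ciphertext.Length)
    $aes = [AesGcm]::new($AesKey)
    try     { $aes.Decrypt($Request.Nonce, $Request.Ciphertext, $Request.Tag, $plaintext) } # throws on any tampering
    finally { $aes.Dispose() }

    $envelope = [Encoding]::UTF8.GetString($plaintext) | ConvertFrom-Json
    $pwdBytes = $OnPremRsa.Decrypt([Convert]::FromBase64String($envelope.WrappedPassword), [RSAEncryptionPadding]::OaepSHA256)
    [pscustomobject]@{ Metadata = $envelope.Metadata; NewPassword = [Encoding]::UTF8.GetString($pwdBytes) }
}

# Constructed sample request: cloud encrypts, on-premises decrypts.
$samplePassword = 'Correct-Horse-Battery-Staple-2024!'
$request = Protect-WritebackRequest -NewPassword $samplePassword -Metadata 'user=alice@contoso.example;op=reset'
$decoded = Unprotect-WritebackRequest -Request $request
"Metadata seen on-prem : $($decoded.Metadata)"
"Password round-tripped: $($decoded.NewPassword -eq $samplePassword)"

# Flip one bit of the ciphertext in transit: the tag check rejects it before RSA is even attempted.
$tampered = [pscustomobject]@{ Nonce = $request.Nonce; Ciphertext = [byte[]]$request.Ciphertext.Clone(); Tag = $request.Tag }
$tampered.Ciphertext[0] = $tampered.Ciphertext[0] -bxor 1
try   { Unprotect-WritebackRequest -Request $tampered | Out-Null; 'Tampering NOT detected' }
catch [System.Security.Cryptography.CryptographicException] { 'Tampering detected: AES-GCM tag check failed' }
```

Save it as a .ps1 and run it (the using namespace statements have to be the first statements in the file). The tamper test at the end is the property that matters for a channel relayed through a third-party service: a modified message is rejected by the authenticated-encryption layer, and the wrapped password never reaches the private key operation.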

How to implement Self-Service Password Reset in Azure AD Connect

The first step is to enable Password Writeback in Azure AD Connect (it is listed under the optional features in the configuration wizard).

Note that password writeback works for users who sign in through federation, pass-through authentication or password hash synchronization.

Every user who should be able to reset their own password needs authentication contact information (such as an authentication phone and authentication email) registered in Azure AD. It can come from Active Directory attributes that are synchronized to the cloud, or users may already have registered it when they enabled MFA in Azure AD.

If MFA is not in use, make sure those attributes are populated in Active Directory before you enable SSPR, so that users are not locked out of the registration step.

If you created your Azure AD Connect service account with limited rights, make sure it has the following permissions on the user objects in your local Active Directory; without them the writeback will fail:

  • Reset password
  • Change password
  • Write permissions on lockoutTime
  • Write permissions on pwdLastSet
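The four grants above, applied with dsacls.exe as an added PowerShell example (not from the original article): it scopes the rights to the OU that holds the synchronized users rather than the domain root, lets them inherit to the user objects below it, and then reads the ACL back so you can confirm the connector account received exactly those rights. The OU distinguished name and the MSOL_ account name are placeholders; dsacls.exe comes with the AD DS tools, and the script must be run with rights to modify the OU's security descriptor.

```powershell
# Added example (not from the original article): least-privilege grants for the
# Azure AD Connect service account, then a read-back check. Placeholders below.
$TargetDN = 'OU=Users,OU=Corp,DC=contoso,DC=example'   # scope: the OU with synced users, not the domain root
$Account  = 'CONTOSO\MSOL_a1b2c3d4e5f6'                 # the AD DS Connector account used by Azure AD Connect

# dsacls permission specs: CA = control access right, WP = write property; "user" = applies to user objects
$grants = @(
    'CA;Reset Password;user'     # reset password (admin-style reset, no old password required)
    'CA;Change Password;user'    # change password (user-style change)
    'WP;lockoutTime;user'        # needed to unlock accounts
    'WP;pwdLastSet;user'         # needed to clear or set "user must change password at next logon"
)

foreach ($g in $grants) {
    # /I:S = inherit to sub-objects only (the user objects under the OU); /G = grant
    & dsacls.exe $TargetDN /I:S /G "${Account}:$g"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$g' (exit code $LASTEXITCODE)" }
}

# Verify: dump the OU's ACL and keep only the entries for the connector account.
# Expect exactly the four grants above (plus whatever the account already had), nothing broader.
& dsacls.exe $TargetDN | Select-String -SimpleMatch $Account
```

Because the grants are inherited from the OU, new users created under it are covered automatically, while users elsewhere in the directory remain out of scope. On the Azure AD Connect server itself, the AdSyncConfig PowerShell module that ships with the product provides Set-ADSyncPasswordWritebackPermissions, which applies the same set of rights.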

Once writeback is enabled, the On-premises integration blade of the password reset settings in the Azure AD portal reports the feature as available.

Here you can also decide whether users may unlock their on-premises account without having to reset their password.

Under Properties you define which users are allowed to reset their passwords: none, selected groups, or all users.

If not every user holds a licence that includes self-service password reset, scope the feature to an Azure AD group that contains only the licensed users rather than enabling it for everyone.

Under Authentication methods you define which verification methods users can use and how many of them are required to reset a password; under Registration you control whether users are required to register those methods the next time they sign in.

What is the end-user experience when users are enabled for SSPR?

1. Once Self-Service Password Reset is enabled for the user, the user signs in to the Office 365 portal, Outlook on the web or any other Office 365 service with their existing username and password.

2. After entering the password, the user is prompted with "Your organization needs more information to keep your account secure". Click Next.

3. This screen appears only the first time the user signs in after the account has been enabled for SSPR. In this step the user sets up an Authentication Phone and an Authentication Email so they can prove their identity if they later forget the password.

4. Click the Set it up now link next to each method (Authentication Phone and Authentication Email) and complete the verification.

5. Once both authentication methods are set up, click Finish.

Read more

How-to: Configure password writeback
