Configure Self-Service Password Reset with Cloud Sync
Self-Service Password Reset is just one of many features that reduce the pressure on support staff. Users and admins often get frustrated when it comes to resetting passwords: “Can you try Bf756dsgT!” Short pause… “Is that F for foxtrot or S for sugar?” Once you get past this stage, the user then has to type it again and then think of a new password. The whole process is just sub-optimal.
With today’s cloud infrastructure you can relieve both end users and admins of this stress, and streamline the process, with Self-Service Password Reset, or SSPR for short. I am not going to tell you that this is a silver bullet that clears out all password reset calls in one shot, as it won’t. The key to the success of SSPR, and to its ROI, is stakeholder buy-in and great communication.
I have seen SSPR used every time a user needs to update their password, as part of a focus on a passwordless strategy, which provides a more secure method of authentication.
If this is a goal for you, then this may be a piece in your puzzle!
For those of you awesome ladies and gentlemen who follow me on Twitter, or have seen my recent VLOGs, you may have seen that I blew my entire lab away and started afresh, with the aim of blogging/vlogging/tweeting about elements of the rebuild along the way.
This time around, I chose to use Cloud Sync as my gateway to hybrid identities, as it is lightweight, provides a more seamless high-availability offering and fits perfectly with what I want to achieve, so this is the area we will focus on in this post for SSPR.
Prerequisites
- Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled. If needed, create one for free.
- Global Administrator Account
- Azure AD Connect cloud sync version 1.1.972.0 or later
Enable Self-Service Password Reset
This may seem an obvious step, but I have often seen it missed.
- Head over to the Azure Active Directory Portal
- Click Azure Active Directory in the left-hand pane
- Click Password Reset
On the Properties page you will see the options for who self-service password reset is enabled for; ensure you configure this to suit your organisational needs. For this lab I will be setting it to All. Once you have made your selection, click Save.
Configure On-Premise Integration
This assumes you are still on the Password Reset blade from the section above.
- Click on On-premises integration
- Select Enable password writeback for synced users
- Select Write back password with Azure AD Connect Cloud Sync
- Click Save
Personally, I would leave Allow users to unlock accounts without resetting their passwords unselected, but this is a decision you can take away to discuss with peers and the organisation.
You can also use PowerShell to configure password writeback; however, when you enable it via PowerShell you will not see it reflected visually in the Azure Portal (or at least you couldn’t at the time of publishing this article).
- Logon to the Server hosting the Agent
- Launch an Administrative PowerShell Prompt
- Run the following commands:
# Load the Cloud Sync cmdlets that ship with the provisioning agent
Import-Module 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll'
# Enable password writeback; Get-Credential prompts for the Global Administrator account
Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential)
- Enter your Global Administrator credentials
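As an added example, not code from the original post or from Microsoft, here is a script that wraps the two commands above with a couple of pre-flight checks, so that a missing agent or a stopped service is reported before the tenant change is attempted, and any failure from the cmdlet is surfaced with its message. It assumes the default agent install path shown above; the Windows service name 'AADConnectProvisioningAgent' and the function names are assumptions for this illustration.

```powershell
# Added example (not from the original post): enable Cloud Sync password writeback
# with pre-flight checks. Assumptions: the module lives at the default install path,
# and the provisioning agent's Windows service is named 'AADConnectProvisioningAgent'.
#Requires -RunAsAdministrator

$modulePath  = 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll'
$serviceName = 'AADConnectProvisioningAgent'   # assumed service name for the agent

function Test-CloudSyncAgentReady {
    # Returns $true only if the module DLL is present and the agent service is running.
    if (-not (Test-Path -LiteralPath $modulePath)) {
        Write-Warning "Cloud Sync module not found at $modulePath. Is the provisioning agent installed on this server?"
        return $false
    }
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        Write-Warning "Service '$serviceName' is not running; start it before enabling writeback."
        return $false
    }
    return $true
}

function Enable-CloudSyncPasswordWriteback {
    param(
        # Global Administrator credentials, as the post's step above requires
        [Parameter(Mandatory)][pscredential]$Credential
    )
    Import-Module -Name $modulePath -ErrorAction Stop
    try {
        Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $Credential -ErrorAction Stop
        Write-Host 'Password writeback enabled for Cloud Sync.'
        return $true
    }
    catch {
        # Surface the cmdlet's own message rather than a bare failure, for example
        # when the supplied account does not hold the required role.
        Write-Error "Failed to enable password writeback: $($_.Exception.Message)"
        return $false
    }
}

if (Test-CloudSyncAgentReady) {
    $cred = Get-Credential -Message 'Enter Global Administrator credentials'
    Enable-CloudSyncPasswordWriteback -Credential $cred
}
```

Run it from an administrative PowerShell prompt on the server hosting the agent, exactly as in the manual steps; the only difference is that the checks run first and the outcome is returned as a value you can branch on in a larger build script.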
Using SSPR is super simple: all the user has to do is browse to https://aka.ms/sspr, enter their username, complete the captcha and then follow the prompts to use one (or two) of their chosen security methods, and then they can enter a new password.
The whole process takes about 1-2 minutes. This is often quicker than the wait in the queue for a support staff call.
If, after completing the configuration, you receive error SSPR_010 when attempting SSPR, try turning SSPR off and on again (Yes!! Really!!).
Thank you to Maurice Daly for his input on this one!! I was searching for a mountain and missing a mole hill. Sandy Zeng also had a similar issue with Azure AD Connect previously; take a look at Sunday debug: password reset failed for the things Sandy tried and the process she went through.