Here’s a quick run-through of Azure AD Self Service Password Reset.

In this guide we will cover:

  • Configuration of Azure AD Self Service Password Reset
  • End User Experience for Registration
  • End User Experience for Self Service Password Reset via web
  • Configuration steps for Self Service Password Reset via login screen
  • End user experience for Self Service Password Reset via login screen

UPDATE: It is now possible to use this capability on traditional domain-joined computers as well.

Configuration of Azure AD Self Service Password Reset

  • From the Azure Portal, head to Azure Active Directory, then choose Password reset.
  • Choose Properties, and toggle the user scope to All (or to Selected and pick a pilot group if you want to trial it first).
    Users within the scope can reset their own password, provided they have registered the required number of authentication methods (for example a mobile phone number or an alternate email address).
  • Choose Authentication methods. The default number of methods required to reset is 1, with Email and Mobile Phone available to users. Requiring 2 methods means that a single compromised mailbox or phone number is not enough on its own to reset an account's password.
  • Choosing Security Questions gives additional configuration capability to select which security questions end users must configure, and how many of them they must answer to reset.
  • For this implementation, I have chosen Mobile phone and Security Questions, and 2 methods required.
  • Choose Registration to configure how users' authentication info is collected.
    • If you set Require users to register when signing in? to Yes, users are prompted to input their authentication info the next time they sign in. If No, the user must manually visit the registration portal, or an administrator must preload the information. The same pane sets how many days pass before users are asked to reconfirm their authentication info.
  • In the Notifications pane, you can choose to notify users by email when their password is reset through this tool, and to notify all admins when another admin resets their password.
  • The Customisation pane allows the helpdesk link shown to users who cannot complete a reset to be overridden with your own URL or email address.
  • The On-premises integration pane applies if Azure AD Connect was configured with password writeback. In that case, the Write back passwords to your on-premises directory setting must be toggled to Yes, or synchronised users will be unable to complete a reset; cloud-only users are not affected by this setting. Writeback also relies on the Azure AD Connect service account having been granted password reset rights on the user objects in the on-premises domain.
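Before flipping the scope to All it is worth knowing who is actually able to use the reset flow. The following PowerShell is an added example, not code from the original post: it assumes the Microsoft.Graph.Reports module on the admin workstation and the ADSync module on the Azure AD Connect server, and that the AuditLog.Read.All scope is sufficient to read the registration report (an assumption; adjust to your tenant's permission model).

```powershell
# Added example, not part of the original post.
# Assumes: Microsoft.Graph.Reports module installed; AuditLog.Read.All is enough to
# read the registration report (assumed); ADSync module present on the AAD Connect server.

# --- Tenant side: which in-scope users have not finished registering? ---
Connect-MgGraph -Scopes 'AuditLog.Read.All'

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# IsSsprEnabled    = the user is inside the SSPR scope configured above
# IsSsprRegistered = the user has registered enough methods to satisfy the
#                    "number of methods required" setting (2 in this post)
$notReady = $details |
    Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered } |
    Select-Object UserPrincipalName,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ', ' } }

"{0} of {1} in-scope users cannot reset yet:" -f @($notReady).Count, @($details).Count
$notReady | Format-Table -AutoSize

# Users with exactly one registered method (typically just a mobile phone) are the
# ones who will be caught out by the 2-method requirement; list them so they can be nudged.
$details |
    Where-Object { $_.IsSsprEnabled -and @($_.MethodsRegistered).Count -eq 1 } |
    Select-Object UserPrincipalName,
                  @{ n = 'OnlyMethod'; e = { @($_.MethodsRegistered)[0] } } |
    Format-Table -AutoSize

# --- On the Azure AD Connect server: is password writeback really on? ---
# If this is $false, synchronised users will fail at the final step of the reset
# even though the portal toggle above says Yes.
Import-Module ADSync
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordWriteback) {
    Write-Warning 'Password writeback is disabled in Azure AD Connect; synced users cannot use SSPR.'
}
```

The single-method check is a heuristic: one Authenticator app registration can appear as more than one entry in MethodsRegistered, so treat the second list as a prompt for follow-up rather than a hard verdict. The first list (IsSsprEnabled but not IsSsprRegistered) is the authoritative one, because the report already applies the tenant's "methods required" setting.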

End User Experience for Registration

  • As expected, on first login users are prompted to add info to help recover their account.
  • They are then taken to the registration portal to add the required information (two methods in this configuration).

End User Experience for Self Service Password Reset via web

By default, users can visit the following web page to reset their password from anywhere:

Configuration steps for Self Service Password Reset via login screen

With the Windows 10 Fall Creators Update (version 1709), it's possible to integrate this functionality into the login screen.

To enable users to reset their Azure AD password from the Windows 10 login screen, the following requirements need to be met:

  • A Windows 10, version 1709 or newer client that is Azure AD joined.
  • Azure AD self-service password reset must be enabled and the user must be in scope and registered.
  • Configure and deploy the setting that enables the Reset password link via one of the following methods:
    • Intune device configuration profile
    • Registry key
  • From the Intune portal, create a new Windows 10 Custom Profile containing the following OMA-URI setting:
    • OMA-URI set to ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
    • Data type set to Integer
    • Value set to 1
  • Assign this profile to the Windows 10 devices you would like to be enabled for the password reset link. The devices need network connectivity from the lock screen (before sign-in) to reach Azure AD, otherwise the link is shown but the reset page cannot load.
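For a machine that is not Intune-managed, the registry method does the same job. The script below is an added example, not code from the original post: it checks the two prerequisites above (build 16299 or later, Azure AD joined), then sets the Microsoft-documented registry equivalent of the AllowAadPasswordReset policy. Run it elevated on the client.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# on the Windows 10 client. Registry path and value name are the documented
# local equivalent of the Intune policy ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'

# 1. Version check: the Reset password link needs 1709 (build 16299) or later
$build = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
if ($build -lt 16299) {
    throw "Build $build is older than Windows 10 1709; the login-screen reset link is unsupported."
}

# 2. Join check: the device must be Azure AD joined (dsregcmd reports "AzureAdJoined : YES")
$dsreg = dsregcmd /status
if (-not ($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')) {
    throw 'Device is not Azure AD joined; the reset link will not appear.'
}

# 3. Enable the link: AllowPasswordReset = 1 (DWORD). Remove the value to revert.
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name AllowPasswordReset -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Read it back; the link appears at the next lock screen, no reboot needed
Get-ItemProperty -Path $policyKey -Name AllowPasswordReset |
    Select-Object PSPath, AllowPasswordReset
```

The same script doubles as a troubleshooting check on an Intune-targeted device: if the link is missing, the build and join checks tell you which prerequisite failed before you go looking at policy delivery.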

End user experience for Self Service Password Reset via login screen

Once the profile has been applied to the Windows 10 device, the login prompt displays a Reset password link under the Password field:

Clicking Reset password opens the Azure AD reset flow directly from the lock screen, before the user has signed in, so the user proves their identity with the registered methods and then sets a new password.

The reset procedure is the same as the web version.


Note: when password writeback is in use, the on-premises password policy (length, complexity, history) is enforced on the new password, so a reset that violates it fails at the final step.

I believe that there will be support for on-prem Domain Joined devices to display the Password Reset link in a future Feature Update. I’ll test it out and post when it’s available.
