In the previous blogpost I have discussed how to enable Azure Active Directory Premium in your tenant, in this post I’ll discuss the next prerequisite for the password writeback option, which is Self Service Password Reset (SSRP).
Enable Self Service Password Reset
When Azure AD Premium is enabled you’ll see a lot of new features in the Azure Portal. Obviously, the Self Service Password reset is disabled.
To Enable it, click Configure and in the user password reset policy click Yes. You can restrict users to access to the password reset, but for simplicity at this moment we keep the default No.
Before users can reset their passwords, they must first have at least one authentication method defined. An authentication method can be a mobile phone or an alternate email address, something that’s unique for a user.
For a cloud identity (i.e. a user that only exists in Office 365/Azure AD) this is fairly simple. Just enter the user’s mobile phone and/or alternate email address and you’re ready, as shown in the following figure.
When this user logs on the first time, either to OWA or the Azure Management Portal (but the latter doesn’t make sense), the user is presented the following window.
Click Set it up now to configure the Authentication options. As you can see the authentication phone and authentication email are already predefined:
When you click Verify at the Authentication Phone a text message containing a verification code is sent to the mobile phone. Enter the verification code and you’re done. For the Authentication Email the process is similar, but the verification code is sent to this alternate email address of course.
After the verification code is entered and verification is validated it is shown like the following figure:
For Synced Identities it is a bit different since these are managed on-premises and not in Azure Active Directory. Therefore, the authentication options are greyed out:
The problem however is that in your on-premises Active Directory there’s no such property as authentication phone or authentication email. The workaround is to use the mobile phone in on-premises Active Directory which is synchronized with Azure Active Directory. When the authentication phone is not available the mobile phone entry is automatically used in this scenario.
Add the mobile phone number in on-premises Active Directory using Active Directory Users and Computers as shown in the following figure and wait for Directory Synchronization to run (or force a synchronization cycle using the Start-ADSyncSyncCycle -PolicyType Delta command on the AADConnect server.
The next time you log on to OWA, you are redirected to the Azure portal. Again, click the Set it up now option. The Authentication Phone is predefined (remember, this is the original mobile phone option) but the Authentication Email is still empty:
At the Authentication Email, click the Set it up now option to enter an Authentication Email address. After entering the Email Address click the email me option just like the previous section. A verification code is sent to this Authentication Email address, enter this code in the appropriate textbox, click Verify and you’re good:
Use Self Service Password Reset (SSRP)
When SSRP is enabled, and the user forgets his password there’s the Forgot your password and Can’t access your account option in OWA:
Click Can’t access your account to access the SSRP. Enter your UserID and Captcha code to make sure you’re not a robot. Click Next to Continue.
In the Get back into your account window, you have the option to :
- Email the alternate email.
- Send a text message to the mobile phone.
- Have the mobile phone called.
For safety reasons, the mobile phone itself is not shown (only the last two digits) so enter the mobile phone number and click Text.
After a few seconds you will receive the verification code on your mobile phone. Enter the verification code and click Next to continue. You now have the option to enter a new password:
Once the password has been reset you should be able to logon to the account again.
In this blog post I showed how to enable the Self Service Password Reset (SSRP) tool. Built on top of Azure Active Directory Premium, you can use this tool for users in Office 365 to reset their password themselves using an Authentication Phone number or an Authentication Email address.
You can set these for cloud identities, but when using Directory Synchronization, you have to set the mobile phone number in on-premises Active Directory and have this replicated to Office 365. The SSRP automatically picks this mobile phone number for the Authentication Phone number.
In the next (and last) blog post I’ll discuss the password writeback option in Azure Active Directory Premium.