Enterprise Mobility + Security


Howdy folks,

Time for the next Azure AD Mailbag blog post.

Mark Morowczynski from our Customer Success Team is our guest blogger today and he’s going to be sharing some tips on deploying and using Self-Service Password Reset. To give credit where it’s due, the Azure AD Mailbag series was Mark’s idea in the first place. So if you like this series, make sure to let Mark know!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

———————–

Hey y’all, Mark Morowczynski here. You might remember me from my days on the AskPFEPlatforms blog. I’ve escaped the cold and pizza of Chicago for the rain and granola of Seattle and joined the Active Directory Customer Success Team that Ryen Macababbad talked about here earlier. So far the feedback on these mailbags has been really positive, so we’ll keep at them. This mailbag will focus on Self Service Password Reset (SSPR). Let’s dig in.

Question: I’m currently testing out SSPR and I’ve set my verification method to one but every time I try this, I get prompted for two verification methods. What is going on here?

Answer: You are most likely testing with an administrative account. These accounts require two methods to perform an SSPR. Make sure you are testing with an end user account. There is a wealth of good SSPR troubleshooting guidance at https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords-troubleshoot/ You’ll actually see that the SSPR policy settings you can set only apply to end users.

Question: I don’t have any Azure AD Premium or Azure AD Basic licenses, can I still use self-service password reset?

Answer: Most definitely! Any managed users (e.g. cloud only) who have a paid Office 365 license can use password reset for no additional charge. If you are an Office customer and don’t already have access to the Azure Management Portal and you want to enable this for your cloud users, then follow the steps below:

  • Navigate to the Office Administration Portal.
  • Click on the “service settings” link on the left hand nav bar.
  • Click on “passwords” link underneath “service settings”.
  • Click on the “Azure AD Admin center” link.
  • If you don’t have an Azure subscription, this will get you a free one (you just need to enter your phone number).
  • Once you get the activation email, you’re all set, and you can follow these instructions to enable password reset.

Question: We are a global company and for our security questions we only see English. Is there an option for multiple languages?

Answer: Yes! Just use the “knowledge-based security questions” option when setting up password reset. This will actually work automatically based on the browser language that is set. However, any custom questions you write yourself will NOT be translated automatically. As you can see below, my custom question is still in English but everything else is in Spanish.

(it’s the Mets)

Question: I’ve turned on Self Service Password Reset and it’s open to all users but nobody is registering. What do I do?

Answer: If your users frequently sign in to web apps, like Exchange Online, SharePoint, or an integrated SaaS application such as Salesforce or Workday, then your best bet is to use the password reset “Enforced Registration” feature. To turn this on, just go to the Azure Management portal, click on your directory, and on the “configure” tab, make sure the “Require users to register when signing in?” toggle is set to “yes”.

Once you turn this on, your users will see the screen below when they sign in, which will take them to the password reset registration page where they can provide their authentication info. Don’t worry, we won’t block your users from signing in, they can cancel and choose to register later if they want.

If your users do not frequently sign in to web apps, don’t worry, you can still get them registered for password reset. Check out the best practices guide for resources and instructions on how to get going. 

Question: I love the SSPR functionality but my users authenticate with AD FS. Is there a way I can leverage SSPR with AD FS?

Answer: Updated April 2nd, 2017

First try the simpler approach below, which adds the link through the sign-in page description text (replace aad-password-reset-url with your password reset page URL). For a more complicated use case, follow the steps after it to modify the AD FS web theme.

Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p><A href='aad-password-reset-url'>Can't access your account.</A></p>"

Absolutely! It only takes three steps using AD FS 2012 R2 web theme customization to add a nice “Can’t access your account?” link in the sign-in page like below:

Step 1: Create and export the AD FS Web Theme

Use Windows PowerShell to create a new AD FS web theme from the current one and to export its different resources to your local disk. We will use this new theme to add the link directing users to the password reset page. Just type in the highlighted commands: "New-AdfsWebTheme -Name ADFSAndSSPRFun -SourceName default" and "Export-AdfsWebTheme -Name ADFSAndSSPRFun -DirectoryPath C:\customization"

PS C:\customization> New-AdfsWebTheme -Name ADFSAndSSPRFun -SourceName default

Name                    : ADFSAndSSPRFun
IsBuiltinTheme          : False
StyleSheet              : {[, System.Byte[]]}
RTLStyleSheet           : {42, 32, 123, 13...}
Logo                    : {}
Illustration            : {[, System.Byte[]]}
AdditionalFileResources : {[/adfs/portal/script/onload.js, System.Byte[]], [/adfs/portal/images/idp/localsts.png, System.Byte[]], [/adfs/portal/images/idp/idp.png, System.Byte[]], [/adfs/portal/images/idp/otherorganizations.png, System.Byte[]]}


PS C:\customization> Export-AdfsWebTheme -Name ADFSAndSSPRFun -DirectoryPath C:\customization

After this step, all the images, CSS, scripts, and other resources will be available in the local directory you specified (in this example C:\customization). The folder structure should look like this:

Step 2: Tweak onload.js to add the link

Edit the onload.js file, (located under the “script” folder in the root directory you exported to in step 1) and add this little script snippet at the end. This will add the link at the end of the page:

// Add link for password reset, if we find the forms authentication element in the page
var formsAuthArea = document.getElementById("formsAuthenticationArea");
if (formsAuthArea)
{
    // Create the hyperlink
    var pwdResetLink = document.createElement("a");
    var linkText = document.createTextNode("Can't access your account?");
    pwdResetLink.appendChild(linkText);
    pwdResetLink.title = "Can't access your account?";
    pwdResetLink.href = "https://passwordreset.microsoftonline.com/";

    // Append to the authArea, if it is present in the page
    var authArea = document.getElementById("authArea");
    if (authArea)
    {
        authArea.appendChild(pwdResetLink);
    }
}

Step 3: Upload the new content and switch to the new theme

Finally, use Windows PowerShell to upload the modified onload.js file from step 2 into the theme we created in step 1. Once the theme is updated, switch AD FS to use the new theme.

Set-AdfsWebTheme -TargetName ADFSAndSSPRFun -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="C:\customization\script\onload.js"}

Set-AdfsWebConfig -ActiveThemeName ADFSAndSSPRFun

PS C:\customization> Set-AdfsWebTheme -TargetName ADFSAndSSPRFun -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="C:\customization\script\onload.js"}
PS C:\customization> Set-AdfsWebConfig -ActiveThemeName ADFSAndSSPRFun

And that’s it. Now your users can easily access the Self Service Password Reset capabilities.
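The three steps above as a single PowerShell script, added here as an example and not part of the original post: it reuses the theme if it already exists, appends the link snippet only once, and verifies that the new theme is actually active before you announce it to users. It assumes an elevated PowerShell session on the AD FS 2012 R2 server with the ADFS module loaded; the theme name and export path are the post's placeholders, and the marker comment is an invented sentinel.

```powershell
# Added example, not from the original post. Automates the three steps above in one
# idempotent run. Assumptions: elevated PowerShell on the AD FS 2012 R2 server with the
# ADFS module loaded; theme name and export path are the placeholders used in the post;
# the marker comment is an invented sentinel so re-runs do not append the snippet twice.
$ThemeName  = 'ADFSAndSSPRFun'
$ExportPath = 'C:\customization'
$ResetUrl   = 'https://passwordreset.microsoftonline.com/'
$Marker     = '// SSPR link appended by deployment script'

# Step 1: create the theme from "default" only if it is not already there, then export it.
if (-not (Get-AdfsWebTheme -Name $ThemeName -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $ThemeName -SourceName default | Out-Null
}
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
Export-AdfsWebTheme -Name $ThemeName -DirectoryPath $ExportPath
$OnloadPath = Join-Path $ExportPath 'script\onload.js'
if (-not (Test-Path $OnloadPath)) { throw "onload.js missing at $OnloadPath; export failed" }

# Step 2: append the link snippet once. Both elements are checked before touching the DOM,
# and the target URL is a fixed constant rather than anything taken from the request.
$Snippet = @"

$Marker
var formsAuthArea = document.getElementById("formsAuthenticationArea");
var authArea = document.getElementById("authArea");
if (formsAuthArea && authArea) {
    var pwdResetLink = document.createElement("a");
    pwdResetLink.appendChild(document.createTextNode("Can't access your account?"));
    pwdResetLink.title = "Can't access your account?";
    pwdResetLink.href = "$ResetUrl";
    authArea.appendChild(pwdResetLink);
}
"@
if (-not (Select-String -Path $OnloadPath -Pattern $Marker -SimpleMatch -Quiet)) {
    Add-Content -Path $OnloadPath -Value $Snippet
}

# Step 3: upload the modified onload.js into the theme and switch AD FS to it.
Set-AdfsWebTheme -TargetName $ThemeName -AdditionalFileResource @{
    Uri  = '/adfs/portal/script/onload.js'
    Path = $OnloadPath
}
Set-AdfsWebConfig -ActiveThemeName $ThemeName

# Verify the switch took effect before telling users about the link.
$Active = (Get-AdfsWebConfig).ActiveThemeName
if ($Active -ne $ThemeName) { throw "Active theme is '$Active', expected '$ThemeName'" }
"Theme '$ThemeName' is active; onload.js carries the SSPR link."
```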

One of the bits of feedback we received from our last post is that we didn’t make it very clear how to interact with us. First, you can follow us on Twitter at @AzureAD. We have also set up an email address where you can send in your questions: AskAzureADBlog@microsoft.com. I also want to point out that we have the Microsoft Forums here. Finally, if you found this post useful please share it on Twitter with @AzureAD, @MarkMorow and @Alex_A_Simons. We love hearing feedback from our readers. Talk to you next week!

-Mark Morowczynski, Adam Steenwyk, Ryen Macababbad, and Ramiro Calderon