Step-By-Step: Enabling an Azure Active Directory Self-Service Password Reset

Password reset requests are a common nuisance for system administrators and the people they support. Company operations can be negatively affected if users are not given access to systems and applications promptly. IT professionals roll their eyes at password reset requests, which often arrive while they are in the middle of an important task.

What if end users could securely reset their passwords themselves?

Azure Active Directory now lets system administrators enable self-service password reset for end users, which can also reset on-premises passwords in a synchronized or federated Active Directory implementation.

The following video details the steps required:

The steps below differ slightly from the video above, as they highlight an Azure AD instance synchronizing with an on-premises Windows Server 2016 TP4 Active Directory implementation.

Let's begin.

Step 1: Enablement of Self Service Password Reset

  1. Log in to the Azure Portal and load the Azure AD Instance

  2. In the Dashboard, under Configure services, locate Self Service Password Reset, which is disabled by default, and click Configure

  3. Find Users enabled for password reset under User Password Reset Policy and select Yes

  4. The following options are now provided to configure the password reset policy:

    Restrict access to password reset – this option limits password reset to the members of a security group instead of allowing it for every user in the instance. Any member of the allowed security group gets the option to perform a self-service password reset.

    Authentication Methods Available to Users – allows a choice of the methods users can verify their identity with.

    Number of Authentication Methods Required – the number of methods a user must complete for a successful password reset.

    Require users to register when signing in? – when this option is enabled, users are prompted to register their own authentication methods at sign-in.

    Write back passwords to on-premises Active Directory – enables an end user to reset their password using the self-service portal and writes that password back to the on-premises AD.

    The write-back option must be enabled in Azure AD Connect and in the on-premises AD for this option to work.

  5. This step-by-step uses Security Questions as the authentication method, which allows defining the security questions as well as the number of questions a user must answer

  6. Click Save to apply the changes once the options are configured

Self-service password reset is now enabled. Next, we cover the end-user steps to reset a password.

Step 2: Utilizing the Self Service Password Reset Capability

The first time an end user signs in to the Azure portal as a standard user after self-service password reset has been enabled, they are asked for additional information and must click Set it up now to provide it.

All the additional information is saved once Finish is selected.

Should the end user forget their password in the future:

The user can click Forgot your password? The next screen verifies that the end user is indeed human and not a bot by asking for the account in question and a response to a visual verification.

This is followed by a choice of authentication option for the password reset, according to the policy.

This is followed by the second authentication request, as per the policy.

Once the authentication has been verified, the end user is asked for their new password.
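As an added administrator check that is not part of the original walkthrough: after enabling the policy in Step 1, it is worth auditing which in-scope users have actually completed the "Set it up now" registration described in Step 2, and confirming that the password write-back required for on-premises resets is switched on. The script below is example code written for this page; it assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Reports module) with the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions, and, for the final section, the ADSync module present on the Azure AD Connect server.

```powershell
# Added example (not from the original post): audit self-service password reset readiness.
# Assumes the Microsoft.Graph.Reports module is installed (Install-Module Microsoft.Graph).
Import-Module Microsoft.Graph.Reports

# 1. Sign in with read-only reporting scopes; an audit needs no write permission.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' | Out-Null

# 2. Pull the authentication-method registration report for every user.
#    IsSsprEnabled    = user is in scope of the password reset policy
#    IsSsprRegistered = user has registered at least one reset method
#    IsSsprCapable    = user has registered enough methods to satisfy the policy
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# 3. Users who are allowed to reset but cannot yet do so are the ones still
#    waiting on the "Set it up now" registration step from Step 2.
$inScope  = @($details | Where-Object { $_.IsSsprEnabled })
$notReady = @($inScope | Where-Object { -not $_.IsSsprCapable })

$notReady |
    Select-Object UserPrincipalName, IsSsprRegistered,
                  @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize

'{0} of {1} in-scope users are not yet capable of self-service reset' -f $notReady.Count, $inScope.Count

# 4. Only on the Azure AD Connect server: confirm password write-back is enabled,
#    otherwise cloud-side resets never reach the on-premises directory.
#    (Assumption: the feature flag is exposed as the PasswordWriteBack property.)
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $features = Get-ADSyncAADCompanyFeature
    if (-not $features.PasswordWriteBack) {
        Write-Warning 'Password write-back is disabled in Azure AD Connect; on-premises passwords will not be updated by cloud resets.'
    }
}
```

Run the first three sections from any admin workstation with the Graph SDK; the write-back section only yields a result on the Azure AD Connect server itself.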