Unlocking Live@edu accounts and other password reset options

If you have the opportunity to take a vacation to some exotic location this holiday season…Congratulations! You deserve it.

But keep in mind that your Live@edu users may be planning to do the same.

Whether it’s a trip to the mountains, the beach, somewhere close or somewhere far away, an interesting thing happens when people relax, unwind, and unplug. People forget their passwords.

Research studies show that it is impossible for human beings to remember account passwords after “being offline” for more than three consecutive days. Kidding…I have no data to support this claim. Smile 

Here are two tips that may make it easier when you (and all of your Live@edu users) return from those extended breaks.

  • Outlook Live administrators can reset user passwords AND unlock or unblock Live@edu accounts using the Exchange Control Panel (ECP) or Windows PowerShell.
  • Encourage your Live@edu users to enter an alternate email address and/or mobile phone number at https://account.live.com to enable user-initiated password reset options.

 

Unlocking Live@edu Accounts

After multiple unsuccessful login attempts, a Live@edu user may find oneself “locked out” or blocked from signing in to Outlook Live and Windows Live SkyDrive.

IMPORTANT: In order to unlock or unblock a Live@edu account, an Outlook Live administrator (Organization Management or Helpdesk role group) must reset the password AND require password change on next logon for the affected account.

IMPORTANT: Instruct users to update the Live@edu account password in all mobile devices and email clients after a password reset. 

IMPORTANT: If using Password Change Notification Service (PCNS) with ILM 2007 or FIM 2010 and OLSync, please see below for additional steps to keep on-premises passwords sync’d with Live@edu passwords when unlocking or unblocking Live@edu accounts.

 

Resetting user passwords and unlocking Live@edu accounts in ECP

 

Login as an Outlook Live administrator to the Exchange Control Panel (ECP) at https://outlook.com/ecp

Go to Users & Groups > Mailboxes and select the locked account

With the account still selected, click Reset password…

ecp-mailboxes-reset-password

Enter Password, Confirm password and select the check box to Require password change on next logon

For additional information on resetting user passwords and unlocking Live@edu accounts using the Exchange Control Panel (ECP), please see Reset a User's Password.

 

Resetting user passwords and unlocking Live@edu accounts in PowerShell

Connect to Exchange Online or Outlook Live using Windows PowerShell

Install and Configure Windows PowerShell
Connect Windows PowerShell to the Service

Run the following command, but replace user1@consoso.edu with the Windows Live ID of the “locked out” user and replace Pa$$word1 with the desired temporary password.

Unlocking an account with Windows PowerShell requires the parameters –Password and –ResetPasswordOnNextLogon $true.

Set-Mailbox user1@contoso.edu -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force) -ResetPasswordOnNextLogon $true

For additional information on resetting user passwords and unlocking Live@edu accounts using Windows PowerShell, please see Reset a Live@edu User's Password with Windows PowerShell.

 

Resetting user passwords and unlocking Live@edu accounts when using OLSync with PCNS

The Password Change Notification Service (PCNS) is a one-way synchronization of passwords from on-premises AD to Live@edu. In order for PCNS to keep passwords synced, all password changes must originate in on-premises AD.

If users are permitted to change passwords in Windows Live, then passwords will get out of sync. It’s recommended to disable a user’s ability to change one’s password in Windows Live or to redirect a user’s Live@edu-side password change request back to an Internet-facing on-premises password change portal. This can be configured per domain in the Service Management Portal (https://eduadmin.live.com), e.g. SMP > Domains > contoso.edu > Password Reset Settings > Edit these settings > “Redirect domain members to the following Web site in order to reset their passwords”.

In Outlook Live, the -ResetPasswordOnNextLogon $true parameter is required to “unblock” a locked out account. This flag prompts the user to change the password in Windows Live and it ignores the domain’s Password Reset Settings. This creates a scenario where a user’s on-premises password is not the same as the Windows Live password.

What can be done? An admin should first unblock the Live@edu account via ECP or PowerShell, then set the password again in on-premises Active Directory Users and Computers (ADUC) or via some other on-premises password reset process. The ADUC “user must change password at the next logon” setting only applies to an on-premises logon to AD. A user will be prompted to change the password the next time one logs in to AD, and the password will be synced by PCNS.

When working with remote users, it’s best to provide the temporary password to a user and direct them to an on-premises self-service password reset portal to change the password. This self-service password change portal (not included with the service) would set the password in on-premises AD, then PCNS would push the password to Live@edu.

 

User-Initiated Password Reset Options

If a Live@edu user adds an alternate email address and/or mobile phone number at https://account.live.com, then there are additional password reset options available to the user.

IMPORTANT: Instruct users to update the Live@edu account password in all mobile devices and email clients after a password reset.

IMPORTANT: If using Password Change Notification Service (PCNS) with ILM 2007 or FIM 2010 and OLSync, Live@edu users should use the school’s password reset procedures.

 

Adding alternate email address and/or mobile phone number for resetting your password

 

Go to https://account.live.com and sign in

Under Account Security > Security Info, click the Manage link (right side)

windows-live-account-security

On the Manage Security Info page, enter Mobile phone number and/or Alternate email address

windows-live-security-info-phone-email-question

Click Save

 

Resetting a forgotten password using alternate email address and/or mobile phone number

If a user is unable to login to https://outlook.com and receives the message “You’ve tried to sign in too many times with an incorrect email address or password,” then you might recommend resetting the password by clicking the “Can’t access your account? ” link on the Outlook Live Sign In page.

unlock-unblock-ive-edu-accounts-ecp-powershell-captcha windows-live-sign-in-access-account

A user will need to enter a valid Windows Live ID and the Characters from the CAPTCHA

windows-live-reset-your-password-captcha

When a user selects I forgot my password, he or she will be presented with additional password reset options, e.g. Email me reset link or Send a code to my mobile phone

windows-live-reset-your-password

 

Email me a reset link Send a code to my mobile phone
windows-live-reset-your-password-email-reset-link windows-live-reset-your-password-send-code-mobile-phone

 

______________________________

Thanks for joining us today!

Zion Brewer

______________________________