Changing Your Password with Office 365 FAQ

I get asked by a lot of customers around what I can do with changing the password in the cloud via Office 365.  It is pretty confusing with all the different variables and it took me a bit to parse through the scenarios myself. I wrote a quick FAQ to help with your understanding:

 

Can I change my password in Office 365 if I know my password?

This depends on many factors such as where is the password sourced. If you have a cloud only account (e.g. Dirsync only with no password sync) you can change your password in the cloud as long as you know your existing password.

You will receive this when you want to change your password in OWA with a cloud only identity:

 

image

If you have an ADFS or Dirsync with Password sync identity it will not allow you to change your password in the cloud. You will receive:

image

 

Can I change my password in Office 365 if I forgot my password?

Currently, only Office 365 administrators can conduct self-service password reset (SSPR) on forgotten passwords for cloud only identities (note: it’s a good best practice to have admin cloud only identities in case ADFS or something occurs locally).You will receive an option such as this as an administrator:

image

 Update as of 2-17-15 there is now SSPR for cloud only identities see here.

If you attempt to change your forgotten password as a standard cloud only (managed identity) account you receive this screen:

image

The only option for standard cloud only accounts to change a forgotten password is to call into their IT helpdesk for a password reset.

If you attempt to change your forgotten password as an ADFS or Dirsync with Password sync active directory identity you will receive because the password is sourced in your local AD:

image

 

Is there a way I can change my local AD password in Office 365 and have it change my local AD password also?

Yes, if you purchase Azure AD Premium there is a new two-way password sync option available to you. This will allow password changes to occur in the cloud and then sync those password changes down to your local AD so the passwords are in sync.

See here for a feature matrix on Azure AD Premium vs. Azure AD free (comes with Office 365).

See here for guidance on how to enable Two-way password sync with Office 365 and Azure AD Premium.

Two way password reset in action with Azure AD Premium:

image

How do I change my password in Office 365 if I know it and I have ADFS or Dirsync with Password sync?

For this scenario, IT will have to provide an on premises mechanism to change your local AD password (e.g. ADFS in 2012 R2 now has password change page for workplace joined devices, change directly on a domain joined workstation, leverage a web page for self service, helpdesk call, etc)

image

new ADFS 2012 R2 password change web page

Alternatively, if you obtain an Azure AD Premium license you can enable two-way password sync (see above for enablement steps) from cloud to on prem Active Directory.

How do I change my password in Office 365 if I forgot my password and I have ADFS or Dirsync with Password sync?

For this scenario, IT will have to provide an on premise mechanism to change your local forgotten password (e.g. leverage a web site for self service reset such as with FIM 2010 R2 or help desk call).

image

FIM 2010 R2 SSPR on site option

 

Alternatively, if you obtain an Azure AD Premium license you can enable SSPR and two way password sync (see above for enablement steps) from cloud to on prem Active Directory.

Can I change the brand the password Login page for Office 365/Azure AD and the Self Service password reset page?

If you have a cloud only identity or a dirsynced with password synced identity you can brand the login page with a custom color/logo and contact information using Azure AD Basic or Azure AD Premium license. See here:    Update as of 2-17-15 there is now Branded Login feature available for all Office 365 customers see here.

image

 

If I have an ADFS login for Office 365, you can also brand the ADFS login page. See steps here:

image

ADFS with Windows Server 2012 R2 custom branded login page

Can I use my local Active Directory Password to access Office 365 services?  

Yes, you can if you have enabled Dirsync with Password sync or if you enable ADFS federated login.  Both scenarios will allow you to log into Office 365 with a local Active Directory Password. One is a password copy in the cloud and one is a federated identity using local AD for authentication.

See here for more information on Dirsync with Password sync.