Enterprise Mobility and Security Blog


Howdy folks,

Since announcing Azure Active Directory’s support for managing shared company accounts for Twitter, Facebook and more, we’ve received a ton of interest and feedback. Given many of the recent high-profile takeovers of company owned social media accounts, this is a capability a LOT of you are keenly interested in.

As you’ll recall, our password-based single sign-on gives you the ability to centrally manage sets of application-specific credentials, and assign those to users and groups for individual or shared account access. For example, if your marketing team is sharing a single username and password to update your company’s Facebook account, you can assign those credentials to a marketing group in Azure AD where they can be centrally managed, and have these users access the app through the Azure AD Access Panel, My Apps mobile apps, or Azure AD single sign-on links where they can easily access this account without knowing the account credentials.

We’ve been listening to your feedback and one of the biggest requests you’ve had is the ability to automatically change the passwords on these accounts on a preset interval.

Today we’re pleased to announce a preview of automatic password rollover and management for Facebook, Twitter, and LinkedIn. This capability helps to further protect these social media accounts by automatically updating them with new strong complex passwords at an interval you define.

Here’s how it works:

  • Sign into the Azure management portal.
  • Under the Active Directory section, select your directory, then select the Applications tab.
  • To add Facebook, Twitter, or LinkedIn from the Azure AD app gallery, click the Add button and use the gallery option to select your app.
  • After your app has been added, you’ll get the app Quick Start page. Click Configure Single Sign-On and select the Password Single Sign-On option.

  • Next, click Assign Users. Search for the name of a user or group that you want to assign application credentials to, select it from the list, and click the Assign button at the bottom of the screen. You’ll get a dialog like the one below.

  • Check the I want to enter credentials… option and enter the valid username and password of the account you want to enable password management for. As this is a preview, we recommend using a test account to start. This account should also not be assigned to other users or groups while automatic password rollover is enabled.
  • Check the I want to enable automatic password rollover option, and select Next. If this check box does not appear, then go here to get a free trial of Azure AD Premium.
  • On the Configure Password Rollover screen, select the frequency at which Azure AD will sign into the app and roll over the password for the provided account. During each rollover, the password is updated using a randomly generated 16-character strong password.

  • Select Complete to enable password rollover and management.

Once this feature is enabled, users must use the Azure AD Access Panel, My Apps mobile apps, or Azure AD single sign-on links to access this application.

After signing in to one of these options with their regular Azure AD account, assigned users will be automatically signed into the application using the stored username and the latest stored password. Azure AD will use the originally provided password until the first rollover, at which point a new password is generated, automatically updated in the application, and then securely stored in place of the original password in the directory.


If you want to see all accounts that have been set up for automatic password rollover, and also get reports on whether or not passwords are being successfully updated, you can check out the new Password Rollover Status report under the Reports tab for your directory in the Azure management portal.

There is also password rollover status shown under the Dashboard tab under each application.

Disabling automatic password rollover

If you want to disable automatic password rollover and regain normal password-based access, use the “I forgot my password” procedure provided by the application, and use the [Application] > Users and Groups tab in the Azure management portal to modify or remove access to the app. The links to reset account passwords for each of the supported applications are below:

As always, we look forward to your feedback!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Division