How to set up Azure AD self-service password reset (Cloud SSPR)

I was happy to notice this new feature of the Windows 10 Insider Preview: recover PIN and password from the lock screen.
https://blogs.windows.com/windowsexperience/2017/07/13/announcing-windows-10-insider-preview-build-16241-pc-build-15230-mobile/

Recover your PIN and password from the lock screen: Self Service solutions empower end users, unburden helpdesk/IT admins, and save organizations money. Cloud Self Service Password Reset (Cloud SSPR) has been a really popular Azure AD Premium (AADP) feature and now we want to take this great capability one step further – Windows Integration. If you’re using an AADP or MSA account and you find yourself stuck at the login screen, you can now reset your password and PIN straight from here. Just click the “Reset password” (for password) / “I forgot my PIN” (for PIN) link and you’ll be prompted to go through the AAD or MSA flow to reset it. Once reset, you’ll be returned to the login screen where you can log in with your newly minted credentials.

In my last post “First step into Cloud”, I registered Enterprise Mobility + Security E5, so I can now test Azure AD self-service password reset with the Windows 10 Insider Preview.

Microsoft's detailed documentation can be found at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-overview

Set up Azure AD Sync

Details: follow https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-select-installation
Short version:

  1. Add your domain in the Azure portal or Office portal.
  2. Install one server to run Azure AD Connector and join it to the domain.
  3. Create an AD user account for Azure AD Sync.
  4. Install Azure AD Connector using express settings. Open Azure AD Connector again and enable password writeback.

Assign licenses

  1. Create an AD group named Self-service Password Reset and add some test users to the group.
  2. Sync the AD group to Azure.
  3. Open https://aad.portal.azure.com
  4. Click Licenses.
  5. Assign the EMS license to the Self-service Password Reset AD group.

Set up reset password

  1. Choose Password reset.
  2. Set the following settings:
    Properties: Select groups: Self-service Password Reset
    Authentication methods: Choose what is suitable for you; in my case I set it to use phone and email
    Registration: Require users to register when signing in: Yes
    Notifications: Notify users on password resets: Yes
    Customization: Choose what is suitable for you

Add Company Branding

  1. Open https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/LoginTenantBrandingBlade
  2. Click on Configure.
  3. Add the elements you want to customize; they are optional.

Open https://portal.office.com and log in as a user account that is a member of the Self-service Password Reset AD group; it forced me to add additional security info.

It required me to set my phone number and email.

Windows 10 lock screen page (Azure AD joined)

When clicking I forgot my PIN:

Click Forgot password?

Click Next

Because I had just created a new user in my test lab, and the Default Group Policy setting Minimum Password Age is set to 1 day, it didn’t let me change the password.

For testing purposes, I changed the Default Group Policy setting Minimum Password Age to 0 days. After that, it let me reset my password immediately.
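As an added example that is not part of the original post, the following PowerShell checks the two things this walkthrough depends on: that the members of the Self-service Password Reset group are synced to Azure AD and carry the EMS license, and what Minimum Password Age the domain currently enforces (the value lowered to 0 above for testing). It assumes the ActiveDirectory and AzureAD PowerShell modules are installed, that the group name matches, and that EMSPREMIUM is the SKU part number of your EMS plan (an assumption; check Get-AzureADSubscribedSku in your tenant).

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory and
# AzureAD modules; adjust $GroupName and $SkuPart to your environment.
Import-Module ActiveDirectory
Import-Module AzureAD

$GroupName = 'Self-service Password Reset'   # group created in the "Assign licenses" step
$SkuPart   = 'EMSPREMIUM'                    # assumed SKU part number for EMS E5

# 1. Minimum Password Age: the post lowers it to 0 days for testing. Report the
#    live value so a temporary lab change is not carried into production, where
#    a 0-day minimum lets a user cycle through the password history at once.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Minimum password age: {0} day(s); password history: {1}" -f `
    $policy.MinPasswordAge.Days, $policy.PasswordHistoryCount)
if ($policy.MinPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning 'Minimum password age is 0 days; password history can be bypassed by repeated resets.'
}

# 2. License check: every member of the SSPR group must be synced and licensed,
#    otherwise the portal will not offer password reset to that user.
Connect-AzureAD | Out-Null
$sku = Get-AzureADSubscribedSku | Where-Object SkuPartNumber -eq $SkuPart
if (-not $sku) { throw "SKU $SkuPart not found in this tenant" }

Get-ADGroupMember -Identity $GroupName -Recursive |
    Get-ADUser -Properties UserPrincipalName |
    ForEach-Object {
        # Get-AzureADUser accepts the UPN as ObjectId; missing users mean sync has not run yet
        $cloudUser = Get-AzureADUser -ObjectId $_.UserPrincipalName -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            User     = $_.UserPrincipalName
            Synced   = [bool]$cloudUser
            Licensed = [bool]($cloudUser.AssignedLicenses | Where-Object SkuId -eq $sku.SkuId)
        }
    } | Format-Table -AutoSize
```

Run it after the sync cycle following the license assignment; a row with Synced true and Licensed false usually means group-based licensing has not yet been applied to that user.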

You can also reset your password from https://passwordreset.microsoftonline.com/

4 thoughts on “How to set up Azure AD self-service password reset (Cloud SSPR)”

  1. Nick Wiley

    Does the machine need to be Azure AD joined?

    Reply
    1. Zeng Yinghua (Sandy) Post author

      Hi Nick, the password reset portal itself has nothing to do with whether the machine is Azure AD joined or domain joined; it is just a portal that lets users reset their passwords. But recovering the PIN and password from the lock screen works only on Azure AD joined machines; I think it works only on Windows 10 Fall Creators Update (didn’t test yet) or Insider Preview.

      Reply
  2. Nick Wiley

    Thanks, we already had Cloud SSPR set up. I am able to get it to work on a straight Insider Preview AAD joined machine; however, I was curious if it also worked on an Active Directory joined Insider Preview machine.

    Reply
    1. Zeng Yinghua (Sandy) Post author

      No, the password reset on the lock screen does not work on Active Directory joined machines, not yet for now. I would love to see that feature in the future too. 🙂

      Reply
