How to set up Azure AD self-service password reset (Cloud SSPR)

I was happy to notice this new feature of the Windows 10 Insider Preview: recovering your PIN and password from the lock screen.
https://blogs.windows.com/windowsexperience/2017/07/13/announcing-windows-10-insider-preview-build-16241-pc-build-15230-mobile/

Recover your pin and password from the lock screen: Self Service solutions empower end users, unburden helpdesk/IT admins, and save organizations money. Cloud Self Service Password Reset (Cloud SSPR) has been a really popular Azure AD Premium (AADP) feature and now we want to take this great capability one step further – Windows Integration. If you’re using an AADP or MSA account and you find yourself stuck at the login screen, you can now reset your password and PIN straight from here. Just click the “Reset password” (for password) / “I forgot my PIN” (for PIN) link and you’ll be prompted to go through the AAD or MSA flow to reset it. Once reset, you’ll be returned to the login screen where you can login with your newly minted credentials.

In my last post, “First step into Cloud”, I registered Enterprise Mobility + Security E5, so I can now test Azure AD self-service password reset with the Windows 10 Insider Preview.

Microsoft's detailed documentation can be found at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-overview

Set up Azure AD Sync

Details: Follow https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-select-installation
Short version:

  1. Add your domain in the Azure portal or the Office portal.
  2. Install a server to run Azure AD Connect and join it to the domain.
  3. Create an AD user account for Azure AD Sync.
  4. Install Azure AD Connect using express settings. Open Azure AD Connect again and enable password writeback.

Assign licenses

  1. Create an AD group named Self-service Password Reset and add some test users to the group.
  2. Sync the AD group to Azure.
  3. Open https://aad.portal.azure.com
  4. Click Licenses

  5. Assign the EMS license to the Self-service Password Reset AD group.
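The on-premises side of the two lists above (create the group, add test users, push it to Azure AD, confirm writeback is on) can be scripted. The block below is an added example and not part of the original post; it assumes it runs on the Azure AD Connect server with the RSAT ActiveDirectory and ADSync modules available, and the OU path, user names and connector name are lab placeholders. License assignment is still done in the portal as described in step 5.

```powershell
# Added example (not from the original post): create the SSPR test group,
# add test users, trigger a delta sync and confirm password writeback.
# Assumptions: run on the Azure AD Connect server as a domain admin;
# the RSAT ActiveDirectory module and the ADSync module are installed;
# OU, user names and connector name below are placeholders for the lab.
Import-Module ActiveDirectory
Import-Module ADSync

$GroupName = 'Self-service Password Reset'
$GroupSam  = 'SSPR-Users'                          # placeholder sAMAccountName
$GroupOU   = 'OU=Groups,DC=corp,DC=example'        # placeholder OU
$TestUsers = @('testuser1', 'testuser2')           # placeholder test accounts

# Create the group only if it does not exist yet, so the script can be re-run
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupSam `
        -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Users licensed and enabled for Azure AD SSPR'
}
Add-ADGroupMember -Identity $GroupSam -Members $TestUsers

# SSPR users must sign in with a routable UPN that matches a verified domain;
# list each test user's UPN so a mismatch is caught before testing
foreach ($u in $TestUsers) {
    $user = Get-ADUser -Identity $u -Properties UserPrincipalName
    "{0,-12} UPN = {1}" -f $u, $user.UserPrincipalName
}

# Push the new group and its members to Azure AD now instead of waiting for
# the scheduled cycle (every 30 minutes by default)
Start-ADSyncSyncCycle -PolicyType Delta

# A cloud reset only reaches on-premises AD if password writeback is enabled
# on the AAD connector; the connector name is a placeholder for your tenant
$Connector = 'contoso.onmicrosoft.com - AAD'
Get-ADSyncAADPasswordResetConfiguration -Connector $Connector
```

The last command reports whether writeback is enabled on the connector; if it shows disabled, re-run the Azure AD Connect wizard and enable password writeback as in step 4 of the sync setup before continuing.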

Set up password reset

  1. Choose Password reset.
  2. Set the following settings:
    Properties: Select group Self-Service Password Reset
    Authentication methods: Choose what is suitable for you; in my case I set it to use phone and email
    Registration: Require users to register when signing in: Yes
    Notifications: Notify users on password resets: Yes
    Customization: Choose what is suitable for you

Add Company Branding

  1. Open https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/LoginTenantBrandingBlade
  2. Click on Configure.

  3. Add the elements you want to customize; they are optional.

Open https://portal.office.com and log in as a user account that is a member of the Self-service Password Reset AD group; it forced me to add additional security info.

It required me to set my phone number and email.

Windows 10 lock screen page (Azure AD joined)

When I click I forgot my PIN:

Click Forgot password?

Click Next

Because I had just created a new user in my test lab, and the Default Group Policy setting Minimum Password Age is set to 1 day, it didn't let me change the password.

For testing purposes, I changed the Default Group Policy setting Minimum Password Age to 0 days. After that, it let me reset my password immediately.
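The minimum-age block can be inspected and worked around from PowerShell. The block below is an added example, not the post's own steps: it reads the domain-wide setting that caused the failure and, instead of lowering it for every account as the post does, applies a fine-grained password policy with a zero minimum age to the test group only. It assumes the RSAT ActiveDirectory module, domain admin rights, a domain functional level of 2008 or later (needed for fine-grained policies), and that the SSPR group's sAMAccountName is SSPR-Users; the policy and user names are lab placeholders.

```powershell
# Added example (not from the original post): show the domain minimum
# password age that blocked the reset, then relax it for the SSPR test group
# only through a fine-grained password policy (PSO) rather than editing the
# domain-wide default. Assumptions: RSAT ActiveDirectory module, domain admin
# rights, domain functional level 2008+, group sAMAccountName SSPR-Users;
# PSO name and user name are placeholders.
Import-Module ActiveDirectory

# 1. Effective domain-wide setting (the post found 1 day here)
$Domain = Get-ADDefaultDomainPasswordPolicy
"Domain MinPasswordAge = $($Domain.MinPasswordAge)"

# 2. A PSO with MinPasswordAge 0 applied to the test group overrides the
#    domain default for those members only. Every other value is copied from
#    the domain policy so that only the minimum age differs.
$PsoName = 'SSPR-Test-NoMinAge'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordAge ([TimeSpan]::Zero) `
        -MaxPasswordAge $Domain.MaxPasswordAge `
        -MinPasswordLength $Domain.MinPasswordLength `
        -PasswordHistoryCount $Domain.PasswordHistoryCount `
        -ComplexityEnabled $Domain.ComplexityEnabled `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold $Domain.LockoutThreshold `
        -LockoutDuration $Domain.LockoutDuration `
        -LockoutObservationWindow $Domain.LockoutObservationWindow
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects 'SSPR-Users'

# 3. Confirm which policy a test user actually receives; a PSO wins over the
#    domain default, so MinPasswordAge should now read 00:00:00
Get-ADUserResultantPasswordPolicy -Identity 'testuser1' |
    Select-Object Name, Precedence, MinPasswordAge

# 4. When testing is finished, drop the override so the domain minimum age
#    applies to the test accounts again:
# Remove-ADFineGrainedPasswordPolicy -Identity $PsoName -Confirm:$false
```

Setting the Default Group Policy minimum age to 0 as in the post also works, but it removes the minimum-age check for every account in the domain, and that check is what stops a user from cycling through passwords to defeat password history. Scoping the exception to the test group keeps the domain setting intact and makes the change easy to revert.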

You can also reset your password from https://passwordreset.microsoftonline.com/
