Wednesday, February 11, 2015

Enabling Self Service Password Resets in Office 365

One of the most common tasks that any IT administrator performs is resetting users' passwords. Much of this administration can be alleviated if users are able to reset their own passwords.

You can enable user self service password resets in Office 365; however, at this point in time you need to have an Azure Active Directory Basic or Premium subscription enabled on your Office 365 Azure AD Free account. I showed you how to enable this for every Office 365 account a few posts back.

It is also important at this point to highlight some information from the Office 365 roadmap. Under “Development” you will currently find:

Sign-In Page Branding and Self Service Password Reset

Sign-in Page Branding enables an Office 365 customer to select custom colors, text and Imagery for their Office 365 sign-in page. Self Service Password Reset allows a user who has forgotten their password to reset it based on prearranged alternative personal information. These two features were previously available with the Azure AD Premium subscription and are now being made available to all Office 365 subscribers.

Thus, both branding and the user self service password reset ability will become available to all Office 365 subscribers.

So, this is how you enable it at the moment, with the requirement of an Azure Active Directory Premium subscription (which you can get on a 90 day trial). In the very near future this will no longer be required and the feature will be available in the Office 365 Azure AD Free account.

image

The first step in the process of enabling the user self service password reset feature is to log in to your Office 365 Azure AD Free account, which I have previously detailed how to enable.

You will typically only see the Active Directory option on the menu on the left. When you select this you will then see your Office 365 AD to the right. If you select your Office 365 directory you will drill down into more information for that directory.

image

One of the options across the top now is Configure. Select this.

image

If you scroll through all the options on the page you will find no mention of user self service password resets. This is because you first need to enable an Azure AD Premium subscription (or trial) to enable this feature. As I mentioned previously, soon you will not need to do this as it will be included in the standard Azure free AD offering.

image

To at least see what user self service password resets are all about you can enable a 90 day Azure AD Premium subscription by now selecting Licenses from the menu across the top.

Then select the link to Try Azure Active Directory Premium Now.

image

Select the check button in the lower right hand of the window that appears once you have read its contents.

image

You will then need to wait a few minutes while the Azure AD Premium subscription is configured.

image

In a few moments you should see that the subscription is enabled as shown above. Select this to configure.

image

To enable the Azure AD Premium features for users you will need to select a user from the list of Office 365 users displayed and then select the Assign button at the bottom of the screen.

You will also need to assign a license for an Office 365 global administrator to configure the service. In this case, it has been enabled for the same admin user who is logged into the Azure portal currently.

image

When you assign a user an Azure AD Premium license you will see the above status message at the bottom of the screen indicating successful completion of the license assignment.

image

If you now return to the Configure tab you should find a new section devoted to user password reset policy as shown above.

image

If you now select the green Customize Branding button you will be taken to the above screen where you can upload a number of different graphics to be displayed in the portal as well as desired messaging as shown above.

image

Scroll down and ensure User enabled for password reset is set to YES.

You can also configure the number of authentication methods. In this case I also added Security Questions.

You can choose how many authentication methods are required for a password to be reset and, since I have selected to use Security Questions, I can also determine how many questions the user will be required to create.

image

The next option allows you to set how many Security Questions are required to be answered from those set.

Next, you enter the questions you wish the user to create answers for.

You can then Require users to register when signing into the Access Panel. This means when the users sign into the Azure Single Sign On portal available via Office 365 they will be prompted to set up the required password reset information. Normally you want this set to YES.

The Azure Single Sign On portal is a free component of the Azure AD Free plan that is available to all Office 365 tenants. I covered how to set that up in a previous post. Your users access this single sign on portal via:

http://myapps.microsoft.com

image

If you scroll down you can modify the language used when sending emails as well as whom to notify when passwords are reset.

image

Once you have completed your configuration press the Save button at the bottom of the screen. You should see the status bar at the bottom indicating that your changes are being updated.

image

Now when a user navigates to the Office 365 portal login page, as soon as they type their login details the branding will be applied to the portal as shown above.

image

Now let’s say the user attempts to reset their password by selecting the Can’t access your account? link. They will be taken to the page shown above where they will be prompted to enter some CAPTCHA information.

image

Once they have done this they will be presented with the above screen telling them that their account could not be verified and they should contact an administrator (link provided, configurable from Azure).

Why is that? The reason is that the user hasn’t logged into the Azure single sign on portal and set up their security options for doing password resets yet.

image

Thus, once you have enabled user password self service you need to send all your users to the Azure single sign on portal at:

http://myapps.microsoft.com

Once they have logged in with their Office 365 credentials they will be prompted to verify their contact information as shown above. This requirement, again, is an option set in the Azure portal during configuration previously mentioned.

image

Depending on the security requirements you have configured the user will need to complete each option via the process found by clicking on each of the links for that option.

Once all of these are complete, ensure the Save button is selected at the bottom of the page.
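To find which users have not yet completed this registration, and would therefore end at the "could not be verified" screen, you can triage a registration report. The following is an added example, not from the original post: it assumes records shaped like the Microsoft Graph userRegistrationDetails report available on current tenants, and the sample users, `classify`, `readiness_report` and the method lists are constructed for illustration.

```python
import json

# Constructed sample, shaped like Microsoft Graph userRegistrationDetails
# records (field names from that report; values made up for illustration).
SAMPLE_EXPORT = """
{"value": [
 {"userPrincipalName": "alice@contoso.example", "isSsprEnabled": true,
  "isSsprRegistered": true, "methodsRegistered": ["email", "mobilePhone"]},
 {"userPrincipalName": "bob@contoso.example", "isSsprEnabled": true,
  "isSsprRegistered": false, "methodsRegistered": []},
 {"userPrincipalName": "carol@contoso.example", "isSsprEnabled": true,
  "isSsprRegistered": true, "methodsRegistered": ["email"]},
 {"userPrincipalName": "dave@contoso.example", "isSsprEnabled": false,
  "isSsprRegistered": false, "methodsRegistered": ["mobilePhone"]}
]}
"""

def classify(record, allowed_methods, planned_required):
    """Bucket one user against the reset policy you intend to save."""
    if not record.get("isSsprEnabled"):
        return "not_enabled"         # policy does not cover this user
    if not record.get("isSsprRegistered"):
        return "must_register"       # reset ends at "could not be verified"
    usable = set(record.get("methodsRegistered") or []) & set(allowed_methods)
    if len(usable) < planned_required:
        return "needs_more_methods"  # falls short if the required count rises
    return "ready"

def readiness_report(export_json, allowed_methods, planned_required):
    """Return {bucket: sorted list of UPNs} for every record in the export."""
    report = {"ready": [], "must_register": [],
              "needs_more_methods": [], "not_enabled": []}
    for record in json.loads(export_json).get("value", []):
        upn = record.get("userPrincipalName", "<unknown>")
        report[classify(record, allowed_methods, planned_required)].append(upn)
    return {bucket: sorted(upns) for bucket, upns in report.items()}

if __name__ == "__main__":
    # Assumed policy: email and phone allowed, two methods required.
    result = readiness_report(SAMPLE_EXPORT, {"email", "mobilePhone"}, 2)
    for bucket, upns in result.items():
        print(f"{bucket:20} {len(upns)}  {', '.join(upns)}")
```

Users in the `must_register` bucket are the ones to send to the sign on portal before announcing the feature; `needs_more_methods` shows who would be caught out if you raise the number of required methods later.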

image

So if a user now selects the link Can’t access your account? on the Office 365 portal login page and completes the CAPTCHA they will be taken to the above screen, which will ask them which security method they wish to use to verify their identity.

Simply select the method from the list available and complete the requirements.

image

In this case the method selected is via an alternate email address. That sends a one time code to that email address which then needs to be entered at this challenge.

image

Once the identity of the user has been verified, they are then given the option to reset their password as shown above.

image

When that has been completed they can now log in to the Office 365 portal (or the Azure single sign on portal) with these details.

Again, note the branding that was also configured in this process.

Once user self service password resets are configured they should make the life of an Office 365 administrator much easier. To do this at the moment requires an Azure AD Premium subscription but as I mentioned in the beginning this will be changing so it is available for all Office 365 accounts for free very soon. So try it today with this method and get ready for when it is available everywhere.