Friday, September 22, 2017

Office 365 Cloud Self Service Password Resets

One thing that many may not realise with Office 365 is that you can enable users to reset their own passwords.

There are some conditions to be aware of when enabling this. If your environment does not have Azure AD Connect synchronizing users from on-premises to the cloud (i.e. what is known as ‘cloud only’ users) then nothing further is needed. If, however, you do have a synchronized environment, you will need to purchase Azure AD Premium, configure password write back and assign licenses to each user you wish to have self service password resets enabled for. This is because in a synchronized environment the on premises domain controller is the source of all user details, and from there the password is hashed, encrypted and synced to Office 365. Thus, if a user does change their password using this cloud process, in a matter of moments that change is overwritten with what is on premises thanks to the synchronization configuration. However, Azure AD Premium provides two way password sync (on-prem to cloud and cloud to on-prem). Thus, with Azure AD Premium in place, when a user resets their password in the cloud it gets synced back to on premises. Without Azure AD Premium it doesn’t.

To enable self service password resets navigate to the Azure portal for that tenant using an Office 365 global administrator account.

image

You navigate there from the Office 365 Admin center by selecting Azure AD under the Admin centers option as shown above.

image

Locate the option Azure Active Directory from the list of options in the Azure portal on the left and select that.

image

image

From the blade that appears select Password Reset as shown above.

image

The Properties option allows you to enable password resets for selected or all users. Don’t forget to press the Save button at the top when you have made your selection.

image

The Authentication methods option allows you to determine how users will verify their identity when requesting a password reset.

Users can be required to provide one or two forms of verification, and there are four methods available – email, mobile phone, office phone and security questions.

In the case of security questions, you can select from 3 – 5 to be part of the registration process and 3 – 5 as being required to verify identity.

image

When you go to select security questions you are able to choose a number of pre-defined or custom questions, as well as a mix of both, as shown above.

Again, make sure that you Save your selections before continuing.

image

The Registration option allows you to require users to register their recovery options at their next login, or to leave them to complete registration manually.

image

The Notifications option allows you to set whether users are notified via email when their password is reset and whether all administrators are notified when any administrator resets their password.

image

The Customization option allows you to set a custom link users can refer to if they need further assistance with this process.

image

With all these options in place, and with users being forced to set their recovery options, the next time they log in successfully they will see the above message prompting them to commence the recovery registration process.

Users should select Next to continue.

image

Users will now see the list of verification options that you set for them to complete. They need to work through all of these individually.

image

For example, with the mobile phone option, they enter their number and receive a code to verify.

image

With email address verification, they receive a code at that address which they need to enter to verify it.

Once the user has completed all the verification methods they will proceed to their Office 365 portal as normal.

image

When a user needs to reset their password they can select the link Can’t access your account? at the bottom of the login area.

They will then be prompted to select a personal or work account. Normally, they will select a work account to proceed.

image

To verify that the process requesting the password reset is not an automated bot, the user will need to complete a captcha as shown above.

image

They will then be taken to a screen where they can select from the methods available to verify their identity. These were set up previously by each individual user and should be unique for that user.

image

Once the user successfully completes the verification process they will be asked to reset their password,

image

which when complete, will allow them to access their Office 365 account again.

The main benefit of enabling user self service password resets in Office 365 is that it allows users to manage their own passwords immediately and without having to contact an administrator to complete the reset. It is important that you ensure that you have enough verification methods for your environment and that all users complete the registration process.

Again, remember that out of the box, Office 365 self service password resets work with cloud only identities. If you are using synchronized identities you will need to purchase Azure AD Premium and configure password write back to your on premises environment.
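The two checks the post keeps coming back to (is the tenant synchronized, and have users actually registered recovery details) can be scripted rather than read off the portal. This is an added example, not part of the original post: it uses the MSOnline PowerShell module and assumes you have already run Connect-MsolService as a global administrator; it treats the authentication phone, authentication email and alternate email addresses on the user object as a proxy for SSPR registration, which is an assumption of this example.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is
# installed and Connect-MsolService has been run as a global administrator.

function Test-SsprPrerequisites {
    $company = Get-MsolCompanyInformation

    # Cloud-only tenants work out of the box; synchronized tenants need
    # Azure AD Premium plus password write back, as the post explains.
    if ($company.DirectorySynchronizationEnabled) {
        Write-Output "Directory sync is ON: SSPR requires Azure AD Premium and password write back, or cloud resets will be overwritten."
    } else {
        Write-Output "Cloud-only tenant: SSPR needs no additional licensing."
    }

    Write-Output ("Self service password reset enabled for tenant: {0}" -f $company.SelfServePasswordResetEnabled)
}

function Get-UsersWithoutRecoveryDetails {
    # Assumption: these three properties stand in for SSPR registration.
    # A user with none of them has no way to verify identity at reset time.
    Get-MsolUser -All | Where-Object {
        [string]::IsNullOrEmpty($_.StrongAuthenticationUserDetails.PhoneNumber) -and
        [string]::IsNullOrEmpty($_.StrongAuthenticationUserDetails.Email) -and
        ($_.AlternateEmailAddresses.Count -eq 0)
    } | Select-Object DisplayName, UserPrincipalName
}

Test-SsprPrerequisites

# Users returned here should be chased to complete registration, since the
# "Can't access your account?" flow will fail for them.
Get-UsersWithoutRecoveryDetails | Format-Table -AutoSize
```

Run this periodically after turning on forced registration to confirm the list of unregistered users is shrinking.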