This week is about something similar as last week. This week is all about the password reset option on the login screen. In other words, the Reset password option. Starting with Windows 10, version 1709, it’s possible to enable the Reset password option from the login screen for Azure AD joined devices. I know that a lot has been written already about this subject, but I have the feeling that this subject needs a place on my blog. My style and more details. In this post I’ll provide a short introduction about Azure AD self-service password reset (SSPR), followed by walking through the required configurations for SSPR and the Reset password option. I’ll end this post by looking at the end-user experience.
Introduction
Now let’s start this post with an introduction about Azure AD SSPR. With SSPR users can reset their passwords on their own when and where they need to. At the same time, administrators can control how a user’s password gets reset. That means that the user no longer needs to call a help desk just to reset their password. SSPR includes (the focus of this post is number 2):
- Self-service password change: The user knows their password but wants to change it to something new;
- Self-service password reset: The user is unable to sign in and wants to reset their password by using one or more of the following validated authentication methods:
- Send a text message to a validated mobile phone;
- Make a phone call to a validated mobile or office phone;
- Send an email to a validated secondary email account;
- Answer their security questions.
- Self-service account unlock: The user is unable to sign in with their password and has been locked out. The user wants to unlock their account without administrator intervention by using their authentication methods.
Configuration
Let’s continue by having a look at the required configuration, to enable the Reset password option from the login screen. As the configuration of the actual settings requires SSPR to be enabled, I divided the configuration into two steps. The first step is to enable SSPR and the second step is to configure the Reset password option.
Step 1a: Enable SSPR
The first step is to enable SSPR, as it’s the starting point for enabling the Reset password option from the login screen. Without SSPR enabled, and still configuring the Reset password option, the user will receive a message that SSPR is not enabled for the user and that the user should contact the administrator. The following seven steps walk through the relatively simple configuration to enable SSPR.
| 1 | Open the Azure portal and navigate to Azure Active Directory > Password reset; |
| 2 |
|
| 3 |
Note: Make sure that you have at least as many methods available to users as you have required to reset. |
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
Note: This is required when using an on-premises directory and also requires the configuration of step 1b. |
Step 1b: (Optional) Configure password writeback
Another part of the first step is the optional configuration of password writeback. This should be configured to write the passwords from Azure AD back to the on-premises directory. To achieve this, use the following seven steps to reconfigure Azure AD Connect.
| 1 | On the Azure AD Connect server, start Azure AD Connect to open the Microsoft Azure Active Directory Connect wizard; |
| 2 | On the Welcome page, click Configure; |
| 3 | On the Additional tasks page, select Customize synchronization options and click Next; |
| 4 | On the Connect to Azure AD page, provide the required credentials and click Next; |
| 5 | On the Connect Directories page, click Next; |
| 6 | On the Domain/OU Filtering page, click Next; |
| 7 |
Note: I’ve also got Device writeback configured, which causes the next page to appear. |
| 8 | (Optional) On the Writeback page, click Next; |
| 9 | On the Configure page, click Configure and once completed click Exit; |
Step 2: Enable Reset password option
The second step is to configure the required setting to enable the Reset password option from the login screen. In other words, the second step is to configure a device configuration profile with at least a custom OMA-URI setting. The required setting is part of the Authentication node of the Policy CSP. It’s the AllowAadPasswordReset policy. That policy allows administrators to enable the self-service password reset feature on the windows logon screen. An integer value of 0 means not enabled and an integer value of 1 means enabled.
The following three steps walk through the creation of a new device configuration profile, including the required OMA-URI setting. After that simply assign the created profile to a user group.
| 1 | Open the Azure portal and navigate to Intune > Device configuration > Profiles; |
| 2 | On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade; |
| 3a |
On the Create profile blade, provide the following information and click Create;
|
| 3b |
|
Note: For testing purposes it’s also possible to configure the Reset password option by using the HKLM\SOFTWARE\Policies\Microsoft\AzureADAccount registry key with the value, type and data of AllowPasswordReset, REG_DWORD and 1.
End-user experience
Now let’s end this post by walking through the end-user experience. On the login screen a new option is available when selecting password as the sign-in option, the Reset password option.
When the user selects Reset password, the user will be redirected to the Azure AD self-service password reset service.
The User ID is already prepopulated and when the user clicks on Next, the user should choose a verification method. In my case a text to my mobile phone.
When the user provides the correct mobile phone number and clicks on Next, the user must provide the actual verification code of the text message.
When the user provides the correct verification code and clicks on Next, the user must provide a new password.
When the user provides a new password and clicks Next, the user will be provided with the message that the password has been reset. When the user than clicks on Finish, the user will be redirected to the login screen.
More information
For more information about SSPR, Windows 10 and the Reset password option, please refer to the following articles:
- How to successfully roll out self-service password reset: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-best-practices
- Azure AD password reset from the login screen: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-login
- Policy CSP – Authentication: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-authentication
Hi! Is there a way to redirect to a custom Password Reset Portal? My organization does not use AAD for password reset, but we have Azure AD Premium. We want to redirect to a custom URL though… thanks! JJ
Dont forget if you used Custom AD Connect installation with a service account, you need to set permissions for this account. Change Password,Reset Password,Write Lockout,Write PwdLastSet
Hi Peter
Nice blog post, as usual from you!
We have some issue regarding this function. Our customer has the following update scenario from 1511 to 1607 and further to 1703. This ‘reset password’ option is not even appear on the login screen!
MSFT support answer: “We have been continuously working and researching with our TA’s on this issue but as we currently are not able to replicate the issue at our end we are unable to provide a definite resolution.
We have involved the Directory services team in this regard for which you might receive calls from various tech engineers.”
Did you already have this symptom? What would you recommend us?
Thanks for your kindly answer & greetings from Switzerland, Ákos
Hi Jose,
At this moment this is AAD SSPR only.
Regards, Peter
That is correct, Rkast!
Hi Akos,
The latest version you mentioned is 1703. This functionality requires an Azure AD joined Windows 10, version 1709, or later, device.
Regards, Peter
I see you have OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
On blog post below Per does not append ./Device/
Can you elaborate the difference please ?
on https://osddeployment.dk/2017/11/02/how-to-enable-password-reset-from-windows-10-login-screen/
Hi RKast,
It’s the same. For device wide configuration the Device/ portion may be omitted from the path, see also: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider
Regards, Peter
Sir Peter, thanks but what is the meaning of ‘device wide’ in this case? With /device we assign to device group is this different when leaving out the /device ? i simply dont understand.
Hi RKast,
There is no difference. Both configurations trigger the device configuration.
Regards, Peter
Nice Blog Peter!
Is this functionality supported with Hybrid AzureAD joined devices?
Hi Steve,
Not at this moment. At this moment it’s Azure AD joined only.
Regards, Peter
Hi Peter,
On the Official Microsoft doc about this, it’s explicitely mentioned that Hybrid AD Azure joined devices are supported.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows
In my environment, it’s not working with a 1803 W10 device. Why does Microsoft tell that while it’s not possible ?
Hi Gerem,
Correct. Starting with Windows 10, version 1803, it should be supported for hybrid Azure AD joined devices. Haven’t tested that myself yet. What problems are you running into? And what does your setup look like?
Regards, Peter
IS it possible to redirect to our own SSPR tool instead of Azure SSPR
Hi Jijo,
Not via this configuration.
Regards, Peter
Hi Peter,
Is it necessary to configure the AD permissions noted in this article as part of the seven steps for password writeback? https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback
Hi Mitch,
Yes! The account specified in Azure AD Connect should have the correct permissions to write that information.
Regards, Peter
Hi Peter,
Thanks for the article :
I have question, how do enforce password change on device enrollment for a new user who has never reset his password ?
1. We have new users who would be issued new laptops (MS AutoPilot) and these users enroll into these Laptop with their Azure AD accounts.
2. In this process, device would be joined to Azure AD, followed by Intune enrolment.
3. The plan is to create these users in on-premise AD and sync them to Azure AD.
4. The expectation now is to enforce password change, since this is users first login.
In General, How do we force password change for new/first time user who is using Azure services like Office365 webportal or Intune who gets authenticated on Azure AD ?? And if these AAD accounts are synced from on-prem AD ?
What I’ve heard so far is , selecting “change password at next logon” on On-prem AD, and then sync those accounts up to Azure AD using AD Connect is not a possibility ? As the sync would fail because these are temp passwords.
For synced AAD users is there a way for users to be prompted to change their password on the O365 web portal and then write those changes back to the on-premise AD ?
Hi Rajesh,
Completely depends on the configuration. For example, you shouldn’t have an issue when using pass-through authentication.
Regards, Peter
Hello, I ran into the following issue in a LAB, if you have and advise/suggestions please let me know, thanks
I have up Azure SSPR from the logon screen, by setting the following registry key via a group policy preference (as I could not see a builtin GPO setting, if there is a GPO please let me know its path)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
This works fine as long as the user does not reboot the computer. If the computer is rebooted the “reset password” link does not appear on the logon screen. If the user then performs a logon and logoff, then a logon again the “reset password” does appear.
So in summary it works fine unless the user reboots, as the ‘reset password’ link is always missing at the first logon following a reboot of the computer.
I should mention I am using a LAB environment (Hyper-V) when a Windows 10 VM (which in effect means I am RDP into the VM) is that the issue? as I do not have a physical computer to test with at the moment. However as stated above the ‘reset password’ link does appear following a logoff without a reboot.
Thanks
Ernest
Hi Ernest,
It sounds like you’re applying the setting as a user setting and not as a computer setting.
Regards, Peter
Hi Peter,
I noticed that the ‘8-16 characters; case sensitive; one number or symbol’ message in the create new password dialog is hard-coded by Microsoft. This can be misleading if you have an AD DS password policy that requires – for example – more than 8 characters.
Any idea if this will be fixed by Microsoft?
Thanks…
Ronald.
Regarding my previous comment: Microsoft has acknowledged the hard-coded password policy message in the SSPR dialog to be an issue and is working on a fix: ttps://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36320743-ability-to-to-remove-or-customise-the-default-mess
Thank you for answering your own question, before I could, Ronald 🙂
Regards, Peter
hi Peter,
The password change in a Hybrid joined laptop scenario the user is able to change the password via above SSPR method but that does not save/cache the password on that laptop and so had to use old password to login ..
any Idea what we can do here.
Also in a Hybrid (Company on-prem domain + AAD joined) setup do we need to have different policies matching on-prem gpo in Intune ?
Hi Dheeraj,
Have a look at the mentioned limitations about the line-of-sight: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows#general-limitations
Regards, Peter
Hi Peter,
We are testing Hybrid Azure AD for Reset Password /SSPR functionality from the logon screen of Windows 10 (1809). We do have the reset password option visible on the logon screen, but the functionality doesn’t work.
When i try to reset the password of my account by using domain\username or UPN from the logon screen the screen changes to ‘just a moment..’ after when it locks the PC and I’m back at the logon screen. At that point I am unable to login, I have to use ‘other user’ to switch before I am able to login with my account. The computer seems locked by user ‘defaultuser1’. I have also noticed that for every attempt i make to use ‘reset password’ a user profile named ‘defaultuser1..000’, ‘…001′,’….002’ is created. Do you have any idea what could be the problem here?
Regards, Ewout
Hi Ewout,
First of all keep in that you must have line of sight to a domain controller to use the new password and update cached credentials. That being said, are you receiving any error message (in the Event Viewer)?
Regards, Peter