Azure Active Directory Self-Service Password Reset


Employees in organizations regularly forget their passwords, and organizations worry about the security of their data while those passwords are recovered. This article studies one solution to that problem: Azure Self-Service Password Reset, one of the most widely adopted solutions in organizations. Let us begin.

What is Self-Service Password Reset (SSPR)?

With the advancement of technology and the rise in identity theft and data breaches, service desk costs are rising, and CISO demands are increasing. Over time, self-service password reset solutions have evolved to aid the service desk and, ultimately, the organization in terms of security and productivity.

What is Azure Active Directory (AD) Self-Service Password Reset?

Self-service password reset in Active Directory is the process and technology that allows a user who has forgotten their password or is locked out of their account to securely authenticate with an alternative factor and resolve their issue by resetting their password or unlocking their account without relying on the service desk.

Because Microsoft Active Directory has the market cornered on user directories, self-service password reset solutions rely on Active Directory by default, giving employees the ability to manage their passwords on this system.

The self-service password reset portal is launched by a user via a web browser or workstation login prompt. They must then prove their identity using another method, such as a set of challenge-response questions, in addition to their forgotten or disabled password.

Finally, if everything goes according to plan, they can change their password, unlock their account, or do anything else the portal allows, such as altering their Active Directory user-specific information.

How Does Self-Service Password Reset Work?

A workflow is started when a user hits the self-service password reset portal:

  • Verifying User
  • Authenticating User
  • Resetting Password
  • Notifying User

1. Verifying User

The first step is verification, which requires the end-user to enter their primary system’s username, which is usually Active Directory, as well as the password that is being changed.

2. Authenticating User

If the user is successful, the next step is for them to authenticate themselves as the owner of the account and hence of the password. This requires an authentication flow to be configured, which can be a multi-step authentication flow, a more secure multi-factor authentication procedure, or a combination of the two.

Some solutions provide multiple authentication flows to choose from, while others only provide one.

3. Resetting Password

If authentication is successful, the user is now able to create a new password that is compliant with the security policy. This can be either the Active Directory root password policy or a fine-grained password policy if the self-service password reset solution supports it.

Some implementations allow the Active Directory password policy to be extended with more stringent or customizable password rules. Instead of being applied to Active Directory as a whole, these are applied locally to the password self-service application. If the new password is accepted and password synchronization is enabled, it is propagated to all linked systems.

4. Notifying User

The end-user is notified of the change after the full password self-service procedure is completed; this can be considered a vital last security measure in the process. If the user did not make the change themselves (for example, because an attacker reset the password), they can notify an administrator.

Prerequisites

  • A functional Azure AD tenancy with at least a free or trial Azure AD license enabled. SSPR only works for cloud users in Azure AD on the Free tier. The Free tier allows you to change your password, but not reset it.
  • For on-premises password writeback in following tutorials in this series, you’ll need an Azure AD Premium P1 or trial license.
  • Create a free Azure account.
  • A user with Global Administrator permissions.
  • A non-administrator test user with a password you know. In this lesson, you’ll use this account to test the end-user SSPR experience.
  • Add new users to Azure Active Directory if you need to create a user.
  • A group to which the non-administrator user belongs, such as SSPR-Test-Group. In this lesson, you’ll enable SSPR for this group.
  • If you need to build a group, see Azure Active Directory: Create a basic group and add members.

Enabling self-service password reset in Azure

You can enable SSPR for None, Selected, or All users in Azure AD. You can select a subset of users to evaluate the SSPR registration process and workflow with these granular capabilities.

Also, once you’re comfortable with the process and it is time to discuss the requirements with a larger number of users, you can pick a group of people to enable for SSPR.

Alternatively, you can enable SSPR for the entire Azure AD tenant.

Use an account with global administrator credentials to access the Azure portal. Select Password reset from the left-hand menu after searching for and selecting Azure Active Directory. Choose Selected under the option Self-service password reset enabled on the Properties page.

If your Azure AD group, such as SSPR-Test-Group, isn’t shown, choose No groups selected, then browse for and select your Azure AD group, such as SSPR-Test-Group, and then choose Select.

Select Save to activate SSPR for the selected users.

Choose your authentication and registration methods.

Users are prompted for additional confirmation methods when they need to unlock their account or reset their password. This additional authentication factor ensures that Azure AD only processes SSPR events that have been authorized.

Based on the registration information provided by the user, you can pick which authentication methods to enable.

1. Set the Number of methods required to reset to 2 from the menu on the left side of the Authentication methods page. You can increase the number of authentication methods required for SSPR to boost security.

2. Select the Methods that your company wants to make available to users. Check the boxes to enable the following methods in this tutorial:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone

Other authentication methods, such as Office phone or Security questions, can be enabled as needed to meet your business needs.

3. Select Save to apply the authentication methods.

Users must register their contact information before they can unlock their account or reset their password. Azure AD uses this contact information for the various authentication methods set up in the previous steps.

This information can be manually entered by an administrator, or users can go to a registration portal and enter it themselves.

  • Select Yes for Require users to register when signing in from the menu on the left side of the Registration page.
  • Set to 180 the number of days before users are requested to validate their authentication details.

It’s critical to keep your contact information current. If an SSPR event starts with outdated contact information, the user may be unable to unlock their account or reset their password.

  • Select Save to apply the registration settings.

Setting up notifications and customizations in Azure

You can configure Azure AD to send email notifications when an SSPR event occurs to keep users informed about account activities. These notifications can be sent to both regular and admin accounts.

When a privileged administrator account password is reset via SSPR, this notice adds an additional degree of awareness for admin accounts. When someone uses SSPR on an admin account, Azure AD will inform all global admins.

Set up the following choices from the menu on the left side of the Notifications page:

  • Set the option Notify users on password resets? to Yes.
  • Set Yes to Notify all admins when other admins change their password.

Select Save to save your notification preferences.

You can tweak the “Contact your administrator” link if users require additional assistance with the SSPR procedure. This link is available during the SSPR registration procedure as well as when the user unlocks or changes their password.

We recommend providing a personalized helpdesk email or URL to ensure your users receive the assistance they require.

  • Set Customize helpdesk link to Yes from the menu on the left side of the Customization page.
  • Provide an email address or web page URL where your users can receive extra help from your organization in the Custom helpdesk email or URL area.
  • Select Save to apply the custom link.

Testing self-service password reset in Azure

Test the SSPR process with a user that is a member of the group you specified in the previous step, such as SSPR-Test-Group.

The test user account is used in the following example. Create a user account for yourself.

Open a new browser window in InPrivate or Incognito mode and go to https://aka.ms/ssprsetup to witness the manual registration process.

The next time users sign in, Azure AD will direct them to this registration portal.

  • Register your authentication methods’ contact information using a non-administrator test user, such as testuser.
  • When you’re done, click the Looks good button and dismiss the browser window.
  • Go to https://aka.ms/sspr in a new browser window in InPrivate or incognito mode.
  • To reset your password, follow the required steps. When you’re done, you’ll get an email saying your password has been reset.
  • Select Next after entering your non-administrator test user’s account details, such as testuser, and the CAPTCHA characters.

SSPR Portal Registration

A user must have data in the authentication methods that have been enabled before they can self-service password reset. This is necessary for any self-service product to function because it is the only way to ensure that the user requesting a password reset or account unlock is the correct user. Any response is compared to the user’s profile and saved data.

For example, in the case of multi-factor authentication, the self-service product will have the end user’s registered hardware device data stored and will send a one-time token to this registered device.

Password Change Notification

Notifications can also be extended to provide an alert when a user’s password is about to expire, allowing the user to self-service and change their password rather than having it reset. This adds a layer of security by encouraging users to change their passwords across all of their main and/or linked accounts regularly.

SSPR Interfaces

From a web browser, mobile device, or desktop login prompt, the password self-service process can be launched in a variety of ways.

1. SSPR Web Browser

Domain users can utilize a web browser to safely reset their Active Directory passwords, whether on their desktop computer or at a single kiosk computer. The advantage is that a web browser may be accessible from anywhere; nevertheless, this may not be appropriate in all situations.

2. SSPR Workstation Login Prompt

To improve adaptability, self-service password reset software can offer self-service from a workstation’s login prompt before a user has logged in (Windows and Mac are the most commonly supported).

This does necessitate a component that integrates with the workstation operating system; for Windows OS, it interfaces with the credentials provider chain, allowing self-service password reset and account unlock choices to be displayed at the login prompt.

To provide self-service options to OSX, the plugin must interface with the OSX login chain.

3. SSPR Mobile App

Employees working away from the office are widespread, and if they are locked out of their workstation, they need a way to change their password or unlock their account without having to leave their desk; a mobile app enables this ease.

The user can manage their password and account using an Android or iPhone app without having to call the support desk or physically being at the office.

Self-Service Password Reset Features

The operational costs of password management are increasing, including service desk fees for people who forget their passwords and productivity losses due to too-many-attempts lockouts and other concerns.

Self-service password reset aids in the enforcement of strong credential policies, reducing the risk of breaches due to poor password practices while also enhancing productivity and reducing service desk load.

These advantages are typically achieved by a combination of features in self-service password resets.

1. Self-Service Password Reset: Allowing end-users to reset their forgotten Active Directory passwords without requiring assistance from the service desk.

2. Account Unlocking using Self-Service: Providing end-users with the ability to self-service unlock their locked Active Directory accounts without requiring assistance from the service desk.

3. Notifications for Passwords: Prevent password resets by reminding users to update their passwords regularly.

4. Password Change in Self-Service: Because the change is controlled by the user, the password history is preserved. This contrasts with a password reset, which is admin-controlled (because the user can’t remember their password or it’s protected), and password history isn’t respected in some products.

5. Workstation Login Prompt Integration: Workstation Login Prompt integration for self-service password reset and self-service account unlock.

6. Mobile App Support: Using a mobile app, you can reset your password and unlock your account.

Change/reset passwords across various user directories, such as Azure AD and Google.

7. Methods of Secure Authentication: Before attempting a self-service password reset or unlock operation, a user must be validated using a variety of authentication mechanisms.

Users can access and change their information in Active Directory, such as their contact information, using AD Attribute Update. Most systems provide you with some control over this, allowing you to hide some attributes and mark others as read-only.

If you want better security and productivity, self-service password reset tools can help. Here are some of the capabilities that LogonBox has to offer; a more thorough list can be found here.

8. Stronger Authentication with MFA: They now accept MFA such as Yubikey, Duo Authentication, and Google Auth, in addition to conventional authentication.

9. Synchronization with a Larger Number of Systems: To provide broader support for self-service password reset and account unlock features, passwords can be synced across Linux, AS400, and LDAP.

10. Automation: Performing other actions based on a user’s interaction with the self-service password reset portal, such as sending service desk agents an email after a password reset, locking an account when a user fails authentication three times, executing JavaScript after an event, or interacting with a different system entirely.

11. User and Group Management in Active Directory: Delegate service desk access to Active Directory administration and interaction, from adding new users to modifying AD groups, all via a single interface.

12. Management of the User Lifecycle: Allow users to enroll in Active Directory by filling out an enrolment form, assigning them to the appropriate group when they depart, and deactivating their account so they can no longer log in.

13. Single Sign-On: Secure web apps behind an SSPR gateway so users can securely log in to allocated web apps with a single click; no passwords are ever shared or kept, reducing the risk of users accessing web apps outside of the organization.

14. Management of Passwords: Through role-based access management, the LogonBox password manager provides a secure way to store credentials and allocate them to the appropriate people. This reduces the need for users to write down credentials regularly, and it allows them to be altered and controlled from a central location.

Deployment

The software can be implemented in a variety of methods, from on-premise to cloud, and self-service password reset can benefit from each of them.

A. On-premise Deployment

This refers to the customer’s onsite server, where the product is supposed to be installed. The customer retains complete control and ownership of the infrastructure, resources, and software.

Because self-service password reset is a web application, it requires a web server to run.

Some installations make use of Microsoft IIS, while others build their own web server from the ground up.

In this regard, LogonBox is unique in that its on-premise deployment is a virtual machine.

There are no prerequisites because all components are stored in a virtual image and extracted into the virtual server (such as ESXi, Hyper-V) at the time of execution.

On-premise installations benefit from whatever the underlying system provides; in the case of LogonBox, the solution benefits from the underlying hypervisor’s rollback and resource management capabilities.

B. Cloud Deployment

Because cloud computing allows consumers to access the same kinds of programmes over the internet, the use of cloud-based or Software as a Service (SaaS) applications has skyrocketed.

According to a Goldman Sachs poll, 70% of SMBs always evaluate a SaaS option and 58 percent prefer one if one is offered.

Cloud implementations, such as the LogonBox cloud, communicate with an on-premises Active Directory via a secure SSH agent; everything else is handled in the cloud.

Self-service password reset in the cloud eliminates the need for installation, decreases the time to go live, and eliminates any hardware and software maintenance and management.

For MSPs focused on sales, this can be a significant benefit.

Reconfirm Authentication Information in Azure

You can require users to confirm their registered information after a particular amount of time to ensure that authentication methods are correct when they need to reset or update their password.

If you enable the Require users to register when signing in option, this option becomes available.

Valid values for prompting a user to validate their registered methods are 0 to 730 days.

If this value is set to 0, users will never be asked to validate their registered methods.

Users will be prompted to validate their identification before reconfirming their details while using the integrated registration experience.

Authentication Methods in Azure

A user must register at least one authentication method when SSPR is enabled. We strongly advise you to require two or more authentication methods so that your users have more options in case one method is unavailable when they need it.

For SSPR, the following authentication mechanisms are available:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone (It is only available for tenants with paid subscriptions)
  • Security questions

Only users who have registered an authentication method that the administrator has enabled can reset their password.

Notifications

SSPR allows you to customize notifications for both users and identity administrators to improve password event awareness.

Notifying users on password resets in Azure

Users who reset their password will receive an email telling them that their password has been changed if this option is set to Yes.

The email is delivered to the primary and alternate email addresses on file for the user in Azure AD. The reset event is not broadcast to anyone else.

Notifying all admins when other admins reset their passwords in Azure

If this option is enabled, all other Azure administrators will receive an email to their Azure AD primary email address. The email informs them that their password has been changed using SSPR by another administrator.

Consider the following hypothetical situation:

  • In a given setting, there are four administrators.
  • SSPR is used by Administrator A to reset their password.
  • The password reset is notified to Administrators B, C, and D by email.
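The settings walked through in the Enabling, Authentication methods, Registration and Notifications sections, together with the admin-notification scenario above, as an added Python model (illustration code written for this page, not Microsoft’s or the article’s own; the policy object, user names, dates and addresses are constructed assumptions):

```python
"""Model of the Azure AD SSPR rules described in this article (an added
illustration, not Microsoft's code): scope None/Selected/All, 1 or 2 methods
required, only admin-enabled methods count, a 0..730 day reconfirmation window
(0 = never), and the user and admin notification mails. Data is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ALL_METHODS = {"mobile_app_notification", "mobile_app_code", "email",
               "mobile_phone", "office_phone", "security_questions"}

@dataclass
class SsprPolicy:
    scope: str = "None"                  # "None", "Selected" or "All"
    enabled_groups: set = field(default_factory=set)
    enabled_methods: set = field(default_factory=set)
    methods_required: int = 1            # the portal allows 1 or 2
    reconfirm_days: int = 180            # 0..730; 0 = never re-validate
    notify_users: bool = True
    notify_admins: bool = True

    def __post_init__(self):
        if self.scope not in ("None", "Selected", "All"):
            raise ValueError("scope must be None, Selected or All")
        if self.methods_required not in (1, 2):
            raise ValueError("Number of methods required to reset is 1 or 2")
        if not 0 <= self.reconfirm_days <= 730:
            raise ValueError("reconfirmation window must be 0..730 days")
        if self.enabled_methods - ALL_METHODS:
            raise ValueError("unknown authentication method enabled")

@dataclass
class User:
    upn: str
    groups: set
    registered_methods: set           # methods the user supplied data for
    last_confirmed: date              # last time registration was validated
    is_admin: bool = False
    alternate_email: Optional[str] = None

def in_scope(policy, user):
    return policy.scope == "All" or (
        policy.scope == "Selected" and bool(user.groups & policy.enabled_groups))

def usable_methods(policy, user):
    # Only admin-enabled methods count, even if the user registered others.
    return user.registered_methods & policy.enabled_methods

def reconfirmation_due(policy, user, today):
    if policy.reconfirm_days == 0:
        return False
    return today - user.last_confirmed >= timedelta(days=policy.reconfirm_days)

def evaluate_reset(policy, user, today, verified):
    """Decide one SSPR attempt; `verified` = methods completed in it. Returns (allowed, reason)."""
    if not in_scope(policy, user):
        return False, "user not enabled for SSPR"
    usable = usable_methods(policy, user)
    if len(usable) < policy.methods_required:
        return False, "not enough enabled methods registered"
    if reconfirmation_due(policy, user, today):
        return False, "registration must be reconfirmed first"
    if len(verified & usable) < policy.methods_required:
        return False, "insufficient verification"
    return True, "reset allowed"

def notifications(policy, user, admins):
    """Mails after a successful reset: user (primary + alternate), then every other admin if the user is an admin."""
    mails = []
    if policy.notify_users:
        mails.append((user.upn, "your password was reset"))
        if user.alternate_email:
            mails.append((user.alternate_email, "your password was reset"))
    if policy.notify_admins and user.is_admin:
        mails += [(a.upn, f"{user.upn} reset their password via SSPR")
                  for a in admins if a.upn != user.upn]
    return mails

# Constructed sample data mirroring the tutorial's settings.
TODAY = date(2024, 6, 1)
TUTORIAL_POLICY = SsprPolicy(
    scope="Selected", enabled_groups={"SSPR-Test-Group"},
    enabled_methods={"mobile_app_notification", "mobile_app_code",
                     "email", "mobile_phone"},
    methods_required=2, reconfirm_days=180)
TESTUSER = User("testuser@contoso.example", {"SSPR-Test-Group"},
                {"mobile_app_notification", "email", "security_questions"},
                date(2024, 5, 1))
OUTSIDER = User("outsider@contoso.example", {"Finance"},
                {"email", "mobile_phone"}, date(2024, 5, 1))
STALE = User("stale@contoso.example", {"SSPR-Test-Group"},
             {"email", "mobile_phone"}, date(2023, 1, 1))
ADMINS = [User(f"admin-{x}@contoso.example", set(), {"email", "mobile_phone"},
               date(2024, 5, 1), is_admin=True) for x in "ABCD"]
```

Note that TESTUSER registered security questions, but because they are not among the enabled methods they do not count towards the two required; with a reconfirmation window of 180 days STALE is blocked until they re-validate their details.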

On-premises Integration

You can set up Azure AD Connect to write password change events from Azure AD to an on-premises directory if you have a hybrid environment.

Azure Active Directory examines your present hybrid connectivity and displays one of the following messages in the Azure portal:

  • Your on-premises writeback client is up and running.
  • Azure Active Directory is online and connected to your on-premises writeback client. However, the installed version of Azure AD Connect appears to be out-of-date. Consider upgrading Azure AD Connect to get the most recent connectivity capabilities and critical bug fixes.
  • We’re unable to check the status of your on-premises writeback client because the installed version of Azure AD Connect is out-of-date. Upgrade Azure AD Connect to verify the status of your connection.
  • Unfortunately, it appears that we are currently unable to connect to your on-premises writeback client. Troubleshoot Azure AD Connect to re-establish the connection.
  • Unfortunately, we are unable to connect to your on-premises writeback client due to an improper password writeback configuration. Configure password writeback to recover the connection.
  • Unfortunately, it appears that we are currently unable to connect to your on-premises writeback client. This could be due to a glitch on our end. If the issue persists, troubleshoot Azure AD Connect to re-establish the connection.

Writing back passwords to your on-premises directory

The Azure portal can be used to enable password writeback. Without needing to modify Azure AD Connect, you may easily temporarily block password writeback.

Writeback is enabled if the option is set to Yes. Users with federated authentication, pass-through authentication, or password hash synchronization can reset their passwords.

Writeback is disallowed if the option is set to No. Users with federated, pass-through authentication or password hash synchronization cannot change their passwords.

Permitting users to unlock accounts without resetting their password

When doing a password reset, Azure AD unlocks accounts by default. You can choose to allow users to unlock their on-premises accounts without having to reset their passwords to provide flexibility. Separate the two operations using this setting.

If Yes is selected, users will be given the option of either resetting their password and unlocking their account, or unlocking their account without resetting their password.

If No is selected, users will only be allowed to reset their passwords and unlock their accounts.

On-premises Active Directory password filters in Azure

In Active Directory, SSPR accomplishes the equivalent of an admin-initiated password reset.

If you utilise a third-party password filter to enforce custom password restrictions and want this password filter to be checked during Azure AD self-service password reset, make sure the third-party password filter solution is set to apply in the admin password reset scenario.

Password security for Active Directory Domain Services is enabled by default in Azure AD.

Password Reset for B2B users in Azure

On all business-to-business (B2B) settings, password reset and change are completely supported. The following three scenarios are supported for B2B user password reset:

1. Users from a partner company who already have an Azure Active Directory tenancy

If the organisation with whom you’re collaborating already has an Azure AD tenancy, we’ll follow the password reset procedures set up in that tenant.

The partner organisation just has to ensure that Azure AD SSPR is enabled for password reset to work. Customers who use Microsoft 365 do not have to pay anything extra.

2. Users who register via the self-service option

If your partner utilised the self-service sign-up feature to gain access to a tenant, we let them reset the password using the email address they registered with.

3. B2B clients

Any new B2B users created with the new Azure AD B2B features can reset their passwords using the email address they provided during the invite process.

Benefits of Password Self-Service Password Reset

Business and end-users gain from password self-service in a variety of ways, including financial, productivity, and security benefits.

1. Financial Benefits

According to a Widmeyer poll, employees waste an average of $420 each year battling passwords, and with 37% of the 1,000 people surveyed resetting their password more than 50 times per year, the productivity losses can be astonishing.

According to a recent Ponemon Institute poll of over 15,000 IT professionals, manual password management procedures cost companies an average of $450 million per organization.

When you consider the cost of the support and service desk personnel necessary, the savings from removing passwords may begin to justify a move more quickly.

2. Productivity Benefits

Instead of an employee who is locked out of their system waiting for an agent to unlock or reset their account, users are empowered to use self-service, which allows them to manage their passwords/accounts with immediate results and confirmation of success.

Self-service password reset is often a business’s first foray into automation. Unlike traditional techniques, password self-service eliminates the need for a helpdesk ticket or a phone call to the service desk, reducing the end user’s wait time to a few mouse clicks and introducing them to an automatic and immediate password self-service function.

3. Security Benefits

Self-service password reset solutions provide users with ways to keep their information secure, such as multi-factor authentication, security questions, and confirmation emails, all of which help users feel in control and secure.

Multi-factor authentication also offers a layer of identity verification that a single password does not provide.

Before a user may use a password self-service portal, multi-factor authentication checks that the user is the true owner of the password, which is impossible to perform with just passwords or other authentication methods.

Self-service password reset eliminates a major flaw in many service desks by ensuring that password issues are only fixed after appropriate user verification, decreasing the risk of social engineering attempts and identity theft.

4. Password Reset Synchronization

Most self-service password reset solutions include password synchronization, which allows users to manage passwords across numerous platforms while adhering to a single security policy.

It’s a good way to deal with password management concerns because it means users have to remember fewer passwords and can keep other systems like Google, Azure AD, Linux, and LDAP secure by keeping their passwords updated regularly.

Password synchronization significantly minimizes the frequency of password-related support requests, which are the most common use of service desk resources.

Password synchronization can occur either transparently, when native Active Directory password changes are automatically propagated to other connected user directories like Azure AD, Google, and OpenLDAP, or manually, where the user selects which passwords to reset or modify.

Since the introduction of Azure AD, Microsoft’s simplified cloud version of Active Directory, companies have relied on an external product, Azure AD Connect, to synchronize password changes made on an on-premise Active Directory to Azure AD after a password self-service reset occurs. Self-service password reset products such as LogonBox speed up and extend this procedure.

Without any additional components like Azure AD Connect, passwords are synchronized between a core on-premise AD and Azure AD as the password is reset or modified by the user.

Because it supports many additional systems/user directories, it also allows passwords to be synchronized to more than just Azure AD.

Why should you use the self-service (SSPR) password reset tool from ADSelfService Plus?

1. Improved ROI

After using ADSelfService Plus, you’ll see a significant reduction in password-related problems and help desk expenditures.

2. Enhanced User Experience

Users should be able to manage their own passwords and profile information. This will enhance their value in the organization while easing the burden on the help desk crew.

3. Flexibility and Security

Allow users to change their passwords and unlock their accounts at any time and from any location. You can also build policies for different sorts of individuals in the company based on their function and level of access to sensitive data.

4. Simplified Auditing and Tracking

Several detailed reports provide administrators with a holistic view of their users’ password status. ADSelfService Plus enables data collection for legal auditing simply, in addition to simplifying management.

Conclusion

The end-user, the service desk, and the company’s bottom line all gain from self-service password reset. When implemented correctly, technology can provide more security protection than manual operations.

Password self-service programmes have come a long way, with more capabilities than ever before, including identity management, single sign-on, password management, and documentation management, all of which provide even more benefits and efficiencies.

DataFlair Team
