In this video, Pete Zerger demonstrates how to configure and use the self-service password reset feature in Azure Active Directory Premium, along with tips to optimize your organization's security and user experience.
- [Instructor] One of the most time-consuming jobs for the IT department is dealing with users' passwords. A recent report suggested that support-assisted password reset typically accounts for 20% of an organization's IT budget. Because Azure AD can be integrated with your on-premises Active Directory, the self-service password features in the cloud can be extended to your on-site directory, but only with Azure AD Premium and the password writeback feature enabled. Now, in my Azure Portal, I'll select My Active Directory and the Password reset option.
I can enable self-service password reset for all of my users or for specific groups of users. This group option is nice if I want to test self-service password reset before a full production rollout. So, I'll select the All option, as I'm ready to go live. And now I'll need to customize the service to meet my organization's corporate security policy. So, under Authentication methods, I can change the number and type of authentication methods required to allow self-service password reset.
If you opt to use security questions, you can offer up to 20 questions from the list of predefined questions, or you can create custom questions on your own. Just a tip: consider using two methods, including mobile phone, which is something you have, for best security. Many orgs like the security question option, but many of the predefined questions include information that a clever threat actor, a hacker, could research. But it's fine, as long as you pair it with a strong second factor.
You can enforce user registration on their next sign-in, as well as how often they're required to reconfirm their registration details to ensure that information remains current. If you leave Require users to register set to No, you'll need to send your users a link to the registration page so they can sign up for self-service reset. I've set mine to Yes. I've opted for a quarterly refresh of that information, so I'll leave those at my default. I also have some notification options.
The notify users option determines whether users receive an email to their primary and alternate email addresses, notifying them when their own password has been reset via the self-service password reset portal. We can also notify Azure administrators when any one administrator resets their password, which is actually not a bad idea as an additional layer of protection. It enables the "if you see something, say something" principle, triggering peers to say, "Hey, did you reset your password?" It's defense in depth.
You can also customize the help desk contact information to include an email or a URL presented to the user, so they can request help in the event they're unable to reset their password for some reason. Now, the Azure self-service password reset service is configured and enabled for the users in our environment, and we're enforcing registration at next sign-in. So, let's take a look at what our users will see when they attempt to reset their own password.
So, I'll take a look at one of my own user accounts by attempting to authenticate to the Azure Portal, and I'm immediately greeted with an additional info required screen. I'll click the Next button, which will take me through the wizard to configure my self-service password options. Now, you'll notice that in this case, we've also enabled multifactor authentication so I'm being prompted for that second factor of authentication to prove my identity.
And now, I'm into the registration page for self-service password reset. So, I'll enter my password. And now you'll see I'm prompted to configure additional information to enable the self-service password reset feature. The first is authentication phone, that strong second factor we mentioned. You'll notice I'm going to be prompted to verify now, and I'll use that Text Me option.
I've now verified my phone number, and I'll be prompted to provide an authentication email. So, an address, an alternate address that can be used in the event I forget my password and I need to reset. And as part of this registration, a code is going to be sent to my alternate address, so I can confirm that I own that address. So again, I'm establishing those two factors of authentication in the reset process, so any sort of breach is very unlikely.
I'll enter that code and verify. And there we have it. I've now verified my authentication factors and my information to enable self-service password reset. So now, let's take a look at the user experience when a user actually tries to reset their password. So, logged in to any Azure interface. I'm in the Azure Portal. I could be in Office 365. I need to simply click on my profile information and the Change password option.
This is going to take me to the password reset page. You'll notice here it's going to prompt me for my old password, because of course the system knows that I know that password, given that I'm already authenticated. I'll enter my new password. You'll notice the system is rating the strength of that to ensure that I have a strong password every time I reset. I'll submit, and mission accomplished. I've now reset my password without that expensive phone call to the help desk. So convenient to me, and a big ROI win for my organization.
And that's self-service password reset in Azure AD Premium.
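As an added example (not code from the video, and not Microsoft's API), the check below audits the SSPR settings the walkthrough covers: methods required, method types, security questions, registration enforcement, reconfirmation interval and the two notification options. The dictionary layout and field names are assumptions chosen for illustration; a weak configuration is shown beside the hardened one from the video.

```python
# Added example: audit a self-service password reset (SSPR) configuration.
# The dictionary layout is a constructed, hypothetical representation of the
# portal settings discussed above, not Microsoft's real API schema.

# "Something you have" factors; the video recommends pairing one with any other method.
STRONG_METHODS = {"mobile_phone", "authenticator_app"}


def audit_sspr(cfg):
    """Return a list of findings for an SSPR config dict; an empty list means hardened."""
    findings = []
    methods = set(cfg.get("authentication_methods", []))
    required = cfg.get("methods_required", 1)

    if not cfg.get("enabled_for"):
        findings.append("SSPR is not enabled for any users or groups")
    if required < 2:
        findings.append("fewer than two authentication methods required to reset")
    if not methods & STRONG_METHODS:
        findings.append("no 'something you have' factor (mobile phone) is offered")
    if methods == {"security_questions"}:
        findings.append("security questions are the only method; answers can be researched")
    if not cfg.get("require_registration", False):
        findings.append("registration not enforced at next sign-in; users must be sent the link")
    if cfg.get("reconfirm_days", 0) <= 0:
        findings.append("users are never asked to reconfirm their registration details")
    if not cfg.get("notify_users_on_reset", False):
        findings.append("users are not emailed when their own password is reset")
    if not cfg.get("notify_admins_on_admin_reset", False):
        findings.append("admins are not notified when another admin resets a password")
    return findings


# Constructed sample: a weak configuration relying on security questions alone.
WEAK_CONFIG = {
    "enabled_for": "all", "methods_required": 1,
    "authentication_methods": ["security_questions"],
    "require_registration": False, "reconfirm_days": 0,
    "notify_users_on_reset": False, "notify_admins_on_admin_reset": False,
}

# Constructed sample: the settings chosen in the walkthrough (two methods incl. phone,
# registration enforced, quarterly reconfirmation, both notifications on).
HARDENED_CONFIG = {
    "enabled_for": "all", "methods_required": 2,
    "authentication_methods": ["mobile_phone", "email", "security_questions"],
    "require_registration": True, "reconfirm_days": 90,
    "notify_users_on_reset": True, "notify_admins_on_admin_reset": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sspr(cfg) or ["no findings"])
```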
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups