Hi everyone again. In this blog I want to show you how easily you can configure self-service password reset with Microsoft Endpoint Manager. We will make the SSPR portal link available from the login screen, so users with cloud credentials can request a password reset by themselves whenever they need to, without helpdesk involvement.
First, in Azure AD we need to specify a group of users that can use this feature. We can control access to it granularly, or we can allow it for everyone. So the very first step is to go to the MEM console, then go to Users – Password reset. Click Selected, then click No groups selected and choose an Azure AD security user group:
Click Select and Save:
The second step is optional, but highly recommended – password writeback.
This option allows Azure Active Directory to write the changed password back to on-premises Active Directory. For accounts synchronized from AD to Azure AD it is simply a must-have option: whenever a user with a synchronized account logs into Azure AD or on-premises AD, the same single password is used.
To configure password writeback we need to run Azure AD Connect, which we configured at the beginning:
Click Configure, then choose Customize synchronization options:
And click Next. On the next page of the wizard provide Azure AD global administrator credentials and click Next:
Skip the Connect Directories and Domain/OU Filtering pages by clicking Next. On the Optional Features page choose the Password writeback setting and click Next:
At the end of the wizard confirm you want to enable password writeback by clicking Configure:
After the configuration completes, click Exit:
We have successfully configured password reset and password writeback, and now a user can reset their password from the password reset portal. The next step is to enable the SSPR link on the login screen. Go to MEM console – Devices – Configuration profiles and click Create profile:
Platform – Windows 10 and later
Profile type – Settings catalog (preview)
And click Create. Give your configuration profile a name and click Next:
On the Configuration settings page click +Add settings:
Then search for the password reset setting:
After the search returns results, double-click Authentication, choose the Allow Aad Password Reset setting and click Select all these settings:
On the left side of the page enable this option and click Next:
On the Assignments page click Add groups, choose the proper group of Azure AD users, click Select and then Next:
Then finish the wizard. After the policy has applied on the device, you will see a new Reset password option on the login screen:
If you forgot your password or want to change it, click the Reset password link:
Then click Next. On the Get back into your account page you need to choose the contact method you prefer:
The number of methods depends on how much information I have for this account in Azure AD. In my case I choose SMS with a security code:
Click Next. Type the verification code you received and click Next:
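If the Reset password link does not show up after the policy applies, it helps to check where the chain broke. The following PowerShell is an added example, not code from the original post: Test-SsprLoginScreenPolicy runs on an enrolled Windows 10/11 device and reports whether the Authentication/AllowAadPasswordReset setting has landed and whether the device is Azure AD joined (the link only appears on joined or hybrid joined devices); Test-PasswordWriteback runs on the Azure AD Connect server and reads the tenant feature flags. The registry paths used are assumptions based on Microsoft's documentation and are not shown on this page.

```powershell
# Added example (not from the original post). Two verification checks for the setup above.
# Assumed registry locations (Microsoft-documented, not shown on the page):
#   Intune Policy CSP result : HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication\AllowAadPasswordReset
#   Manual/GPO switch        : HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount\AllowPasswordReset

function Test-SsprLoginScreenPolicy {
    $mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'

    # 1 = enabled. A missing value means the Intune policy has not reached the device yet.
    $mdmValue = (Get-ItemProperty -Path $mdmKey -Name 'AllowAadPasswordReset' -ErrorAction SilentlyContinue).AllowAadPasswordReset
    $gpoValue = (Get-ItemProperty -Path $gpoKey -Name 'AllowPasswordReset' -ErrorAction SilentlyContinue).AllowPasswordReset

    # The login-screen link requires an Azure AD joined / hybrid joined device; dsregcmd reports that state.
    $dsreg     = dsregcmd /status
    $aadJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AzureAdJoined     = $aadJoined
        IntunePolicyValue = $mdmValue
        LocalPolicyValue  = $gpoValue
        ResetLinkExpected = $aadJoined -and (($mdmValue -eq 1) -or ($gpoValue -eq 1))
    }
}

function Test-PasswordWriteback {
    # The ADSync module ships with Azure AD Connect; Get-ADSyncAADCompanyFeature reports tenant-level features.
    if (-not (Get-Module -ListAvailable -Name ADSync)) {
        throw 'ADSync module not found; run this on the Azure AD Connect server.'
    }
    Import-Module ADSync -ErrorAction Stop
    $features = Get-ADSyncAADCompanyFeature

    [pscustomobject]@{
        PasswordWriteBack = [bool]$features.PasswordWriteBack
        PasswordHashSync  = [bool]$features.PasswordHashSync
    }
}

# On a client device:
Test-SsprLoginScreenPolicy | Format-List
# On the Azure AD Connect server:
# Test-PasswordWriteback | Format-List
```

Run an elevated PowerShell session on the device, since the PolicyManager hive is only readable with administrative rights on some builds; a ResetLinkExpected value of False with both policy values empty means the profile has not synced yet, not that SSPR is misconfigured.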
Create your new password: