Azure AD Self Service Password Reset - chadmcox/Azure_Active_Directory GitHub Wiki
Self Service Password Reset
Validate / Enable Combined Registration
User Feature
Navigate Users / User Settings / User Features
- Users can use the combined security information registration experience: ALL
Password reset
Password Reset Properties
Password reset Authentication methods
- Number of methods required to reset: 2
- Methods available to users (recommended):
  - Mobile app notification
  - Mobile app code
  - Mobile phone
  - Security questions
Password reset registration
- Require users to register when signing in: Yes
- Number of days before users are asked to re-confirm their authentication information: 180
Password reset Notifications
- Notify users on password resets: Yes
- Notify all admins when other admins reset their password: Yes
Password reset customization
- Customize helpdesk link: Yes
- Custom helpdesk email or URL: provide the company's helpdesk URL or email address
Password reset On-premises integration
- Write back passwords to your on-premises directory: Yes
- Allow users to unlock accounts without resetting their password: Yes
Password reset Administrator Policy
- Is self-service password reset enabled: No
EnforceCloudPasswordPolicyForPasswordSyncedUsers
- Run the following so that the Azure AD password policy applies to password-hash-synced users. The Azure AD password policy must match the on-premises policy; this setting ensures users receive expired-password prompts in Azure AD.
```powershell
Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true
```
Once enabled, Azure AD does not go to each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the DisablePasswordExpiration value is removed from PasswordPolicies during the next password hash sync for each user, upon their next password change in on-premises AD.
Note: If there are synchronized accounts that need to have non-expiring passwords in Azure AD, you must explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute of the user object in Azure AD. You can do this by running the following command.
```powershell
Set-AzureADUser -ObjectId <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
```
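As an added example (not part of this wiki), the following PowerShell audit checks whether the feature is enabled and lists the synchronized users whose PasswordPolicies still contain DisablePasswordExpiration, i.e. those who have not yet picked up the cloud expiry policy because their on-premises password has not changed since. It assumes the MSOnline and AzureAD modules are installed and already connected as a Global Administrator; `$KeepNonExpiring` and its UPN are hypothetical placeholders.

```powershell
# Added example, not from the wiki. Assumes Connect-MsolService and Connect-AzureAD
# have already been run with Global Administrator rights.

# 1. Is EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled on the tenant?
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $feature.Enabled) {
    Write-Warning "EnforceCloudPasswordPolicyForPasswordSyncedUsers is OFF; synced users will not get expiry prompts."
} else {
    Write-Host "EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled."
}

# 2. Which synchronized users still carry DisablePasswordExpiration?
#    The value is only removed on the next password hash sync after an on-premises
#    password change, so these users are not yet subject to the cloud expiry policy.
$synced   = Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true }
$noExpiry = @($synced | Where-Object { $_.PasswordPolicies -like '*DisablePasswordExpiration*' })

$noExpiry |
    Select-Object UserPrincipalName, ObjectId, PasswordPolicies, LastDirSyncTime |
    Sort-Object LastDirSyncTime |
    Format-Table -AutoSize

Write-Host ("{0} of {1} synced users still have DisablePasswordExpiration" -f $noExpiry.Count, @($synced).Count)

# 3. Accounts that must keep a non-expiring password (e.g. service accounts) need the
#    value pinned explicitly, as the wiki notes. $KeepNonExpiring is a hypothetical list
#    you maintain; the UPN below is a placeholder.
$KeepNonExpiring = @('svc-placeholder@contoso.example')
foreach ($upn in $KeepNonExpiring) {
    $u = Get-AzureADUser -ObjectId $upn
    Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies 'DisablePasswordExpiration'
}
```

Run step 2 again after the next sync cycle to confirm the count shrinks as users change their on-premises passwords.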
Validate Password Policy
- In the Microsoft 365 admin center, go to Org Settings and open the Security & privacy tab.
- If you aren't a global admin, you won't see the Security & privacy option.
- Select Password expiration policy.
- If you don't want users to have to change passwords, uncheck the box next to Set user passwords to expire after a number of days.
- Type how often passwords should expire. Choose a number of days from 14 to 730. (Make sure it matches the on-premises Active Directory policy.)
- In the second box, type when users are notified that their password will expire, and then select Save. Choose a number of days from 1 to 30.
ForcePasswordChangeOnLogOn
- Make sure new users are prompted to change their password at first sign-in to the cloud. Run this on the Azure AD Connect server:
```powershell
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
```
Forcing a user to change their password on next logon requires a password change at the same time. Azure AD Connect will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs during password hash sync.
Also, credentials migrated from one domain to another using ADMT usually get flagged; I recommend stopping Azure AD Connect during migrations and making sure the migrated account is correct.