Working with Self-Service Password Reset (2023)

  • Article
  • 8 minutes to read

Important

In September 2022, Microsoft announced deprecation of Azure AD Multi-Factor Authentication Server. Beginning September 30, 2024, Azure AD Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests. Customers of Azure AD Multi-Factor Authentication Server should plan to move to instead use either custom MFA providers with MIM SSPR, or Azure AD SSPR instead of MIM SSPR.

For new customers who are licensed for Azure Active Directory Premium, we recommend using Azure AD self-service password reset to provide the end-user experience. Azure AD self-service password reset provides both a web-based and Windows-integrated experience for a user to reset their own password, and supports many of the same capabilities as MIM, including alternate email and Q&A gates. When deploying Azure AD self-service password reset, you can configure Azure AD Connect to write back the new passwords to AD DS, and MIM Password Change Notification Service can be used to forward the passwords to other systems, such as another vendor's directory server. Deploying MIM for password management does not require the MIM Service or the MIM self-service password reset or registration portals to be deployed. Instead, you can follow these steps:

  • First, if you need to send passwords to directories other than Azure AD and AD DS, deploy MIM Sync with connectors to Active Directory Domain Services and any additional target systems, configure MIM for password management and deploy the Password Change Notification Service.
  • Then, if you need to send passwords to directories other than Azure AD, configure Azure AD Connect for writing back the new passwords to AD DS.
  • Optionally, pre-register users.
  • Finally, roll out Azure AD self-service password reset to your end users.

For existing customers who had previously deployed Forefront Identity Manager (FIM) for self-service password reset and are licensed for Azure Active Directory Premium, we recommend planning to transition to Azure AD self-service password reset. You can transition end users to Azure AD self-service password reset without needing them to re-register, by synchronizing or setting through PowerShell a user's alternate email address or mobile phone number. After users are registered for Azure AD self-service password reset, the FIM password reset portal can be decommissioned.

For customers, which have not yet deployed Azure AD self-service password reset for their users, MIM also provides self-service password reset portals. Compared to FIM, MIM 2016 includes the following changes:

  • The MIM Self-Service Password Reset portal and Windows login screen let users unlock their accounts without changing their passwords.
  • A new authentication gate, Phone Gate, was added to MIM. This enables user authentication via telephone call via the Microsoft Azure AD Multi-Factor Authentication Service.

MIM 2016 release builds up to version 4.5.26.0 relied upon the customer to download an SDK that has been deprecated, and existing deployments should move to either using MIM SSPR with a custom MFA provider, or Azure AD self-service password reset. New deployments should use either a custom MFA provider or Azure AD self-service password reset.

Deploying MIM Self-Service Password Reset Portal using a custom provider for multi-factor authentication

The following section describes how to deploy MIM self-service password reset portal, using a provider for multi-factor authentication. These steps are only necessary for customers who are not using Azure AD self-service password reset for their users.

With MFA, users authenticate via the external provider in order to verify their identity while trying to regain access to their account and resources. Authentication can be via SMS or via telephone call. The stronger the authentication, the higher the confidence that the person trying to gain access is indeed the real user who owns the identity. Once authenticated, the user can choose a new password to replace the old one.

Prerequisites to set up self-service account unlock and password reset using MFA

This section assumes that you have downloaded and completed the deployment of the Microsoft Identity Manager 2016 MIM Sync, MIM Service and MIM Portal components, including the following components and services:

  • A Windows Server 2008 R2 or later has been set up as an Active Directory server including AD Domain Services and Domain Controller with a designated domain (a “corporate” domain)

    (Video) Deploying self-service password reset | Azure Active Directory

  • A Group Policy is defined for Account lockout

  • MIM 2016 Synchronization Service (Sync) is installed and running on a server that is domain-joined to the AD domain

  • MIM 2016 Service & Portal including the SSPR Registration Portal and the SSPR Reset Portal, are installed and running on a server (could be co-located with Sync)

  • MIM Sync is configured for AD-MIM identity synchronization, including:

    • Configuring the Active Directory Management Agent (ADMA) for connectivity to AD DS and capability to import identity data from and export it to Active Directory.

    • Configuring the MIM Management Agent (MIM MA) for connectivity to FIM Service DB and capability to import identity data from and export it to the FIM database.

    • Configuring Synchronization Rules in the MIM Portal to allow user data synchronization and facilitate sync-based activities in the MIM Service.

  • MIM 2016 Add-ins & Extensions including the SSPR Windows Login integrated client is deployed on the server or on a separate client computer.

If you are using Azure AD Multi-Factor Authentication, this scenario requires you to have MIM CALs for your users as well as subscription for Azure AD Multi-Factor Authentication.

Prepare MIM to work with MFA

Configure MIM Sync to Support Password Reset and Account Unlock Functionality. For more information, see Installing the FIM Add-ins and Extensions, Installing FIM SSPR, SSPR Authentication Gates and the SSPR Test Lab Guide

Configure the Phone gate or the One-Time Password SMS Gate

  1. Launch Internet Explorer and navigate to the MIM Portal, authenticating as the MIM administrator, then click on Workflows in the left hand navigation bar.

    Working with Self-Service Password Reset (1)

  2. Check Password Reset AuthN Workflow.

    (Video) Self Service Password Reset | Portal Configuration

    Working with Self-Service Password Reset (2)

  3. Click on the Activities tab and then scroll down to Add Activity.

  4. Select Phone Gate or One-Time Password SMS Gate click Select and then OK.

    Note

    If using another provider which generates the one-time password itself, ensure the length field configured above is the same length as that generated by the MFA provider. This length must be 6 for Azure AD Multi-Factor Authentication Server. Azure AD Multi-Factor Authentication Server also generates its own message text so the SMS text message is ignored.

Users in your organization can now register for password reset. During this process, they will enter their work phone number or mobile phone number so the system knows how to call them (or send them SMS messages).

Register users for password reset

  1. A user will launch a web browser and navigate to the MIM Password Reset Registration Portal. (Typically this portal will be configured with Windows authentication). Within the portal, they will provide their username and password again to confirm their identity.

    They need to enter the Password Registration Portal and authenticate using their username and password.

  2. In the Phone Number or Mobile Phone field, they have to enter a country code, a space, and the phone number and click Next.

    Working with Self-Service Password Reset (3)

    Working with Self-Service Password Reset (4)

How does it work for your users?

Now that everything is configured and it’s running, you might want to know what your users are going to have to go through when they reset their passwords right before a vacation and come back only to realize that they completely forgot their passwords.

(Video) How to set up self-service password reset for Microsoft 365 Business Premium

There are two ways a user can use the password reset and account unlock functionality, either from the Windows sign-in screen, or from the self-service portal.

By installing the MIM Add-ins and Extensions on a domain joined computer connected over your organizational network to the MIM Service, users can recover from a forgotten password at the desktop login experience. The following steps will walk you through the process.

Windows desktop login integrated password reset

  1. If your user enters the wrong password several times, in the sign-in screen, they will have the option to click Problems logging in? .

    Working with Self-Service Password Reset (5)

    Clicking this link will take them to the MIM Password Reset screen where they can change their password or unlock their account.

    Working with Self-Service Password Reset (6)

  2. The user will be directed to authenticate. If MFA was configured, the user will receive a phone call.

  3. In the background, what’s happening is that the MFA provider then places a phone call to the number the user gave when that user signed up for the service.

  4. When a user answers the phone, they may be asked to interact, for example, to press the pound key # on the phone. Then the user clicks Next in the portal.

    If you set up other gates as well, the user will be asked to provide more information in subsequent screens.

    Note

    If the user is impatient and clicks Next before pressing the pound key #, authentication fails.

    (Video) 24. Enable Self Service Password Reset in Azure Active Directory

  5. After successful authentication, the user will be given two options, either unlock the account and keep the current password or to set a new password.

  6. Then the user has to enter a new password twice, and the password is reset.

Access from the self-service portal

  1. Users can open a web browser, navigate to the Password Reset Portal and enter their username and click Next.

    If MFA was configured, the user will receive a phone call. In the background, what’s happening is that Azure AD Multi-Factor Authentication then places a phone call to the number the user gave when they signed up for the service.

    When a user answers the phone, they will be asked to press the pound key # on the phone. Then the user clicks Next in the portal.

  2. If you set up other gates as well, the user will be asked to provide more information in subsequent screens.

    Note

    If the user is impatient and clicks Next before pressing the pound key #, authentication fails.

  3. The user will have to choose if they want to reset their password or unlock their account. If they choose to unlock their account, the account will be unlocked.

    Working with Self-Service Password Reset (7)

  4. After successful authentication, the user will be given two options, either to keep their current password or to set a new password.

  5. Working with Self-Service Password Reset (8)

    (Video) Enable Self Service Password Reset Azure Active Directory: SSPR and Azure AD

  6. If the user chooses to reset their password, they will have to type in a new password twice and click Next to change the password.

FAQs

Should I enable self-service password reset? ›

We recommend that organizations use the combined registration experience for Azure AD Multi-Factor Authentication and self-service password reset (SSPR). SSPR allows users to reset their password in a secure way using the same methods they use for Azure AD Multi-Factor Authentication.

Who can use self-service password reset? ›

When you test self-service password reset, use a non-administrator account. By default, Azure AD enables self-service password reset for admins. They're required to use two authentication methods to reset their password.

What is set up self-service password reset? ›

Self Service Password reset allows end-users to reset passwords without the intervention of an administrator. You can use the self-service password reset tool so you don't have to contact your administrator to reset your password.

How do I unlock my self account? ›

Log in to Admin Portal, click Access > Policies tab, and select the policy set. Click User Security Policies > Self Service. Select Yes in the Enable account self service controls drop-down. Enable the Account Unlock option.

Why are people trying to reset my password? ›

If someone keeps trying to request a password reset, your email address can be fetched by malware, phishing emails, or attacking Internet sites. Run anti-virus/anti-malware scans on your computer. Make sure not to post your email address publicly or subscribe to suspicious web pages.

Why do hackers try to reset your password? ›

Even if you reuse passwords at sites that seem less sensitive than banking or financial services, that's still risky, given that hackers are often looking for personal information that can help them pull off other scams, such as taking out credit cards in your name.

Can I be held responsible for anything that happens if someone else uses my password? ›

Don't share passwords – You can't be sure someone else will keep your credentials safe. At work, you could be held responsible for anything that happens when someone is logged in as you.

Can my employer request my password? ›

California. Employers may not ask or require employees or applicants to disclosure user names or passwords to social media accounts, to access their social media accounts in the presence of the employer, or to disclose the contents of their social media accounts.

How can I reset password without mobile number? ›

How to Recover Gmail Password Without Phone Number or Recovery Email
  1. Go to the Google Account Recovery page or visit this link.
  2. Enter your Gmail ID or username.
  3. Click on Next.
  4. The next screen will show you three options 一 Enter your password, Get verification email on recovery email, and Try another way to sign in.
May 15, 2022

How long does password writeback take to work? ›

Password writeback allows users to get real-time feedback about the success of their password reset or change operation. The average time for a successful writeback of a password is under 500 ms.

How does password recovery work? ›

Password recovery is the process of identifying a lost, destroyed, or otherwise inaccessible password, allowing for the successful decryption of key files. This can be a crucial service to consider when you've lost important databases, spreadsheets, documents, and other files due to encryption.

Why do we need self-service portal? ›

The portal provides customers with a fast and direct way of getting answers to a variety of questions and issues. A self-service portal is also an extremely efficient way of outreaching to new customers, boosting customer-to-customer relationships, and improving company-customer relationships.

Can a self account be reopened? ›

If you closed the account yourself, you may have more success in asking the company to reopen it. If the issuer closed the account, they may (or may not) be willing to reopen it depending on why they closed it. If you're thinking about reopening an account, finding out why it was closed is a good place to start.

Why is my account getting locked? ›

The common causes for account lockouts are: End-user mistake (typing a wrong username or password) Programs with cached credentials or active threads that retain old credentials. Service accounts passwords cached by the service control manager.

Why is my account locked? ›

If you tried to sign in to your account and received a message that it's been locked, it's because activity associated with your account might violate our Terms of Use.

Should I be worried about compromised passwords? ›

Compromised passwords and username combinations are unsafe because they've been published online. We recommend that you change any compromised passwords as soon as you can.

Does changing your password get rid of hackers? ›

A hacker may attempt to access your account more than once over a period of time. Changing your password often reduces the risk that they will have frequent access.

What is it called when someone tries to trick you into giving them your password? ›

Phishing schemes often use spoofing techniques to lure you in and get you to take the bait. These scams are designed to trick you into giving information to criminals that they shouldn't have access to.

Will resetting my phone stop a hacker? ›

Can resetting my Android device remove hackers? A factory reset can remove most forms of malware, but you'll lose all of your stored data in the process, including photos, contacts, files, and similar items. So, make sure you back up your device before initiating a factory reset.

How long does it take a hacker to guess your password? ›

It found if you're using numbers only in your password, it would take hackers no more than three minutes if you have 14 or fewer characters. Even using up to 18 characters would take hackers no more than three weeks to hack your account.

What attackers do when they have your password? ›

Six Types of Password Attacks & How to Stop Them
  • Phishing. Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will reveal your personal information voluntarily. ...
  • Man-in-the-Middle Attack. ...
  • Brute Force Attack. ...
  • Dictionary Attack. ...
  • Credential Stuffing. ...
  • Keyloggers.

What is Citrix self-service password reset? ›

The self-service password reset provides the following two new authentication mechanisms:
  1. Knowledge based question and answer. You must register to Citrix authentication, authorization, and auditing or to a Citrix Gateway before selecting the knowledge-based question and answer schema.
  2. Email OTP authentication.
Sep 23, 2022

What is azure self-service password reset? ›

Self-Service Password Reset (SSPR) is an Azure Active Directory (Azure AD) feature that empowers the users to reset their passwords without the need to contact IT staff for help. The users can quickly unblock themselves and continue working no matter where they are or time of day.

Why is Amazon requiring a password reset? ›

Amazon has force-reset an unknown number of accounts, after passwords may have been compromised.

Should a password reset be an incident or service request? ›

The best practice, in adherence with ITIL standards, would be to consider a password reset a request and not an incident as an incident is defined as "an unplanned interruption to an IT service or reduction in the quality of an IT service".

How long will I be locked out of Citrix? ›

Local system users and external users can be locked for 24 hours using the lock aaa user <username> command. The ADC appliance allows admins to unlock the locked user, and the feature is available regardless of the setting in persistentloginAttempts.

Does self-service password reset require MFA? ›

Self-Service Password Reset (SSPR) allows you to reset your Microsoft 365 account password yourself by confirming your identity with the MFA method. This avoids a call to the service desk to reset your password. To register for MFA and Self-Service Password Resets, follow the steps below.

What happens when you reset Citrix workspace? ›

Right-click the Workspace/Receiver icon in the system tray. Click Advanced Preferences. Click Reset Citrix Workspace or Reset Citrix Receiver. Be aware that you may lose all favorites configured on this device, and you will lose all settings configured on the app.

Videos

1. Self Service Password Reset for Remote Users
(ManageEngine IAM and SIEM)
2. Self Service Password Reset (SSPR) | Configure Self Service Password Reset in Azure Active Directory
(Office 365 Concepts)
3. Self-service password reset for Active Directory | Adaxes
(Softerra)
4. How to enable Self service password reset in Office 365
(EnjoySharePoint)
5. How to Enable Self Service Password Reset in Microsoft 365
(BonGuides)
6. How to reset Windows 10 passwords using ADSelfService Plus
(ManageEngine IAM and SIEM)
Top Articles
Latest Posts
Article information

Author: Msgr. Benton Quitzon

Last Updated: 03/15/2023

Views: 6016

Rating: 4.2 / 5 (43 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Msgr. Benton Quitzon

Birthday: 2001-08-13

Address: 96487 Kris Cliff, Teresiafurt, WI 95201

Phone: +9418513585781

Job: Senior Designer

Hobby: Calligraphy, Rowing, Vacation, Geocaching, Web surfing, Electronics, Electronics

Introduction: My name is Msgr. Benton Quitzon, I am a comfortable, charming, thankful, happy, adventurous, handsome, precious person who loves writing and wants to share my knowledge and understanding with you.