Securely enable Azure Password Writeback to specific groups of people.

EnterpriseArchitect 4,741 Reputation points
2021-11-25T05:25:03.34+00:00

People,

How can I select which specific OUs or AD groups or even users with specific attributes can reset their password from Azure?

IT Security policy limits the scope to allow only regular users, not Admin accounts or Service accounts.

Because I cannot find the options on this page:
https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/OnPremisesIntegration

https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback#enable-password-writeback-in-azure-ad-connect

This page also does not show how I can limit the sync process to certain criteria, so that only normal or regular users can reset their password from Azure.

Thanks in advance.


Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2021-11-25T06:20:27.907+00:00

    Hi @EnterpriseArchitect • Thank you for reaching out.

    As of now, the only option to configure which users can reset their passwords using Azure is available under Azure Active Directory > Password Reset > Properties:

    Here you can either select All Users / Specific Azure AD Group (either synced or cloud-only) / None. You cannot control SSPR on the basis of OU or users' attribute(s).

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
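
Since the accepted answer limits SSPR scoping to a single group, the OU and attribute filtering the question asks for can be done on-premises and the result written into a synced security group. The following is an added example, not code from the thread: the function name, OU path and `svc-` naming convention are assumptions, and the sample accounts are constructed.

```powershell
# Added example: plan membership of an SSPR scoping group from AD user data.
# Function name, OU path and the 'svc-' prefix are assumptions, not from the thread.
function Get-SsprGroupPlan {
    param(
        [object[]]$Users,                  # objects shaped like Get-ADUser output
        [string[]]$CurrentMembers = @(),   # DNs currently in the scoping group
        [string[]]$AllowedOUs,             # only users under these OUs are eligible
        [string]$ServicePattern = 'svc-*'  # assumed service-account naming convention
    )
    $eligible = @($Users | Where-Object {
        $dn = $_.DistinguishedName
        $_.Enabled -and
        $_.adminCount -ne 1 -and                          # skip protected (admin) accounts
        $_.SamAccountName -notlike $ServicePattern -and   # skip service accounts by name
        -not $_.servicePrincipalName -and                 # skip accounts that own SPNs
        ($AllowedOUs | Where-Object {
            $dn.EndsWith(",$_", [StringComparison]::OrdinalIgnoreCase) })
    } | ForEach-Object DistinguishedName)

    # Removal matters as much as addition: an account that later becomes
    # privileged must drop out of SSPR scope on the next run.
    [pscustomobject]@{
        Add    = @($eligible | Where-Object { $_ -notin $CurrentMembers })
        Remove = @($CurrentMembers | Where-Object { $_ -notin $eligible })
    }
}

# Constructed sample directory data (not from a real tenant).
$ou = 'OU=Staff,DC=contoso,DC=example'
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; DistinguishedName = "CN=alice,$ou"
        Enabled = $true; adminCount = $null; servicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'bob-adm'; DistinguishedName = "CN=bob-adm,$ou"
        Enabled = $true; adminCount = 1; servicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; DistinguishedName = "CN=svc-backup,$ou"
        Enabled = $true; adminCount = $null; servicePrincipalName = @('MSSQLSvc/db01') }
    [pscustomobject]@{ SamAccountName = 'carol'
        DistinguishedName = 'CN=carol,OU=Contractors,DC=contoso,DC=example'
        Enabled = $true; adminCount = $null; servicePrincipalName = @() }
)
$plan = Get-SsprGroupPlan -Users $users -CurrentMembers @("CN=bob-adm,$ou") -AllowedOUs $ou
"Add:    $($plan.Add -join '; ')"
"Remove: $($plan.Remove -join '; ')"

# Against a live domain (ActiveDirectory module), feed the function with
#   Get-ADUser -Filter * -Properties adminCount, servicePrincipalName
#   (Get-ADGroupMember 'SSPR-Eligible-Users').distinguishedName
# and apply the plan with Add-ADGroupMember / Remove-ADGroupMember -WhatIf first.
```

The group has to be in Azure AD Connect sync scope before it can be selected under Password Reset > Properties. `adminCount` stays at 1 after an account leaves a protected group, so this filter errs toward excluding former admins.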

1 additional answer

  1. Limitless Technology 39,351 Reputation points
    2021-11-26T08:28:37.707+00:00

    Hello,

    In addition, if you get any errors along the way, you can use this guide to troubleshoot self-service password reset writeback in Azure Active Directory:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback

    Hope this helps with your query!

    ---------------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--
