Procedure to allow users to self-service password reset on Windows 10/11 login?

EnterpriseArchitect 4,721 Reputation points
2023-02-27T05:54:09.78+00:00

What is the most effective way for me to implement Self Service Password Recovery for all my Computer Users without having to log into my On-Premise AD domain via VPN?

My current setup:

  • Hybrid on-premises AD DS to Azure AD (Password Hash Sync).
  • Azure AD Premium P2 with Azure AD Connect.
  • Password writeback has been enabled.
  • Windows 10 and 11 for the majority of the users.

The Goal:

Before connecting to my on-premises network, users should be able to reset their own password at https://passwordreset.microsoftonline.com/ using the web browser, and then connect to my corporate network via the VPN client with the newly reset password.

I would appreciate any assistance you can provide.


4 answers

  1. Carlos Solís Salazar 16,351 Reputation points
    2023-02-27T12:30:31.7666667+00:00

    Thank you for asking this question on the Microsoft Q&A Platform.

    After you configure Azure AD self-service password reset, all the users must complete the SSPR registration at https://aka.ms/ssprsetup.

    Another consideration is that, for your users to be able to comply with your on-premises AD password policies, you should change the hybrid authentication method from Password Hash Sync to Pass-through Authentication.

    The extra mile is to enable Azure Active Directory self-service password reset at the Windows sign-in screen.

    Hope this helps!


    Accept the answer and upvote if any of the above helped; this thread can help others in the community looking for remediation for similar issues.

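The "extra mile" step above, enabling the SSPR link on the Windows sign-in screen, is usually pushed at scale through Intune or Group Policy. The following PowerShell is an added example, not code from the thread or from Microsoft: it sets the policy value on a single machine for validation and checks the device-side prerequisites the thread mentions (the device must be Microsoft Entra joined or hybrid joined, and in a hybrid setup password writeback must be on). The registry path `HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount` and the DWORD `AllowPasswordReset` are the ones Microsoft documents for this feature; the `dsregcmd /status` parsing and the helper function names are my own.

```powershell
# Added example (not from the thread): enable the Entra ID / Azure AD SSPR link on the
# Windows sign-in screen on one device and verify the prerequisites.
# Registry location and value name: per Microsoft's documentation for this feature.
# Everything else (function names, checks, parsing) is this example's own assumption.
#Requires -RunAsAdministrator

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$ValueName  = 'AllowPasswordReset'

function Get-DeviceJoinState {
    # dsregcmd /status prints "Name : Value" lines; extract the join flags we care about.
    $state = @{ AzureAdJoined = $false; DomainJoined = $false; EnterpriseJoined = $false }
    $raw = & dsregcmd.exe /status
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Enable-SsprAtSignIn {
    # Create the policy key if absent and set AllowPasswordReset = 1 (DWORD).
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SsprAtSignIn {
    # Returns $true only when the value exists and is exactly 1.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

# --- Prerequisite checks -------------------------------------------------------
$join = Get-DeviceJoinState
if (-not $join.AzureAdJoined) {
    Write-Warning 'Device is not Microsoft Entra joined or hybrid joined; the sign-in screen link will not appear.'
}
if ($join.DomainJoined -and $join.AzureAdJoined) {
    # Hybrid joined: the cloud reset only reaches on-premises AD if password writeback is enabled
    # in Azure AD Connect (tenant-side setting; cannot be verified from the client).
    Write-Host 'Hybrid joined device: confirm password writeback is enabled in Azure AD Connect.'
}

# --- Apply and verify -----------------------------------------------------------
Enable-SsprAtSignIn
if (Test-SsprAtSignIn) {
    Write-Host "$ValueName is set to 1 under $PolicyPath. Sign out to see the 'Reset password' link."
} else {
    Write-Error "Failed to set $ValueName under $PolicyPath."
}
```

Setting the value is only the device half of the feature: the tenant must have SSPR enabled for the user's group, and the user must have completed registration at https://aka.ms/ssprsetup, or the link on the sign-in screen will lead nowhere useful. For fleet-wide deployment, put the same key and value in a GPO registry preference or an Intune settings catalog profile rather than running this per machine.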

  2. Limitless Technology 43,926 Reputation points
    2023-02-27T13:01:29.56+00:00

    Hello,

    Initially, as the Azure Self Service portal is exposed online, there should not be any need to use a VPN service for it.

    Regarding the configuration, there are different factors and requisites for the deployment, for which I would recommend the following official article:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr

    Additionally, to know more about Azure AD self-service password reset, I can recommend the following deep dive article:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

    --If the reply is helpful, please Upvote and Accept as answer--


  3. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2023-03-21T13:07:01.77+00:00

    @EnterpriseArchitect

    [Image: Example Windows login screens with SSPR link shown]

    Please do let me know if you have any further queries in the comments section.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.


  4. Rik Herlaar 0 Reputation points
    2023-11-10T09:12:01.5433333+00:00

    For Hybrid there is a dependency on VPN though; it seems somewhat forgotten here?

    Initial line of sight to Entra ID via the URL is okay, but that is step 1 only, and if your workforce is predominantly WFH or road warrior type, they won't benefit much from SSPR unless they can reset their PW via VPN.

    Even with auto-connect or always-on flavors of VPN, the VPN connection is only active when you log on (cached credentials via LSA). However, this won't work because the PW is forgotten and you cannot start the VPN unless the VPN offers some form of Start Before Logon, Connect Before Logon or Management Tunnel that offers (limited) connectivity to the on-prem DCs to make it work.

    For non-domain-joined Win11 this problem does not exist IIRC, since you don't need line of sight to internal DCs (no writeback dependency).

    Kr

    Rik
