SSPR Issue

Pradeep N 0 Reputation points


I have done workaround and implemented SSPR, but have one question, let's take an example.

A user has a company device (domain joined). User is traveling to another country for a few weeks or months.

During this time his password expired. He reset the password using SSPR Password Reset (Microsoft Password Reset URL). Password reset successfully and he is able to use Microsoft application like web-outlook with new password.

But now the question is that the user is not able to login to his device with the new password. (The device still takes the old password). It means that the user has to have 2 (two) passwords. 1 for application and 1 for device login.

The device updates the new password when the user is using a VPN or connecting to the On-Premises network. But in this case cannot provide to everyone to have VPN connectivity nor want to depend on VPN.

Now we have this kind of problem, so what is the solution for it.

Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,457 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Harpreet Singh Matharoo 7,481 Reputation points Microsoft Employee

    Hello @Pradeep N

    Thank you for reaching out. I would like to confirm that this is a known limitation and design behavior for SSPR which is also documented on following as below: Enable Azure Active Directory self-service password reset at the Windows sign-in screen

    "Hybrid Azure AD joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials. This means that devices must either be on the organization's internal network or on a VPN with network access to an on-premises domain controller."

    I hope this helps and hence would request you to please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Pradeep N 0 Reputation points

    Hi Harpreet, Thank you for response.

    In this case, if we activate Azure ADDS (Active Directory Domain Services) or create a VM with ADC (additional domain controller) in Azure.

    Can we fix this problem by working on a plan. Because we don't want VPN dependency?

  3. Pradeep N 0 Reputation points

    Thanks for sharing your valuable reply.

    Is there any solution other than "Alway on VPN ? If yes, can you please share the solution/doc url. It will help to implement it.

    Or this is the only solution to avoid VPN dependency to use "always on VPN". Can you please share useful article url to configure and implement it.