Self Service Password Reset

Luís Silva 1 Reputation point
2021-11-16T12:07:21.083+00:00

With the increasing number of workers working from home, some of them even moving away from their "close to office" location, we assume a strong need will exist for Self-service Password Reset to enable unlocking of accounts or resetting forgotten passwords. However, in hybrid implementations where the Windows machine connects to an on-prem DC, and the Azure Self-service Password Reset writes back to on-prem, the user needs to connect to the corporate network in some way to synchronize the password. But before logon, the VPN connection is not available. In our case, this is to reduce traffic, as a lot of workers only work in Office 365. This means that each and every time, the user will have to travel to a corporate office for password synchronization. I would guess several big companies and Microsoft clients are struggling with this, so there must be some talks on the subject?


5 answers

  1. Andy David - MVP 140.8K Reputation points
    2021-11-16T12:20:25.747+00:00

    Not sure I understand. Why would each user need to travel to the corp office for password sync?


  2. Luís Silva 1 Reputation point
    2021-11-16T12:53:21.727+00:00

    To log in to a Windows 10 machine, where logon occurs against the on-prem DC. If the password was lost, forgotten or locked and was afterwards reset with Azure SSPR, the Windows 10 machine at the login screen is not connected to the VPN, so it won't be able to authenticate against the DC to which the SSPR wrote the new password.


  3. Andy David - MVP 140.8K Reputation points
    2021-11-16T14:18:36.537+00:00

    If PHS is enabled, the client machine doesn't need to talk to the on-prem AD to continue to work.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs


  4. Luís Silva 1 Reputation point
    2021-11-17T07:45:10.007+00:00

    Thanks Andy,

    I will do some tests and update you based on those.


  5. jd 1 Reputation point
    2022-04-20T13:13:48.967+00:00

    The only Microsoft solution I have found for this on Hybrid Azure AD joined devices is to configure the Windows 10 Always On VPN device tunnel.

    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

    This allows the device to authenticate the new password against the on-premises domain controllers prior to logon.

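As an added illustration of the device tunnel approach jd describes (this is not part of the original thread and not Microsoft's own sample), below is a minimal VPNv2 CSP ProfileXML for an Always On VPN device tunnel; the VPN server name, the domain controller subnet, the DNS server address and the AD DNS suffix are placeholder assumptions. The device tunnel authenticates with a machine certificate over IKEv2 and comes up at boot, before any user signs in, which is what lets the logon screen reach the on-prem domain controllers to validate the password that SSPR wrote back.

```xml
<!-- Added example: Always On VPN device tunnel profile (VPNv2 CSP ProfileXML).
     Every value marked ASSUMPTION is a placeholder, not taken from the thread. -->
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>                <!-- ASSUMPTION: VPN gateway -->
    <NativeProtocolType>IKEv2</NativeProtocolType>    <!-- device tunnel requires IKEv2 -->
    <Authentication>
      <!-- Machine certificate: no user credential is involved, so the tunnel
           works even when the user's password has just been reset via SSPR. -->
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- Route only the domain controller subnet through the device tunnel, so
       the Office 365 traffic the question mentions stays off the corporate link. -->
  <Route>
    <Address>10.0.0.0</Address>                       <!-- ASSUMPTION: DC subnet -->
    <PrefixSize>24</PrefixSize>
  </Route>
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>        <!-- ASSUMPTION: AD DNS suffix -->
    <DnsServers>10.0.0.10</DnsServers>                <!-- ASSUMPTION: DC acting as DNS -->
  </DomainNameInformation>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>   <!-- connects at boot, before the logon screen -->
  <RegisterDNS>true</RegisterDNS>     <!-- register the tunnel address in internal DNS -->
</VPNProfile>
```

The profile is deployed in the device context (for example through Intune or a script targeting the VPNv2 CSP), and the machine must already hold a certificate from the internal CA that the VPN server trusts. Keeping the route list to the DC subnet also limits what a stolen device can reach pre-logon over the tunnel.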