Self Service Password Reset

Luís Silva 1 Reputation point
2021-11-16T12:07:21.083+00:00

With the increasing amount of workers home-working, some of them even moving from their "close to office" location, we assume a strong need will exist for self-service password reset to enable unlocking of accounts, or resetting forgotten passwords. However, in hybrid implementations where the Windows machine connects to an on-prem DC, and the Azure self-service password reset writes back to on-prem, the user needs to connect to the corporate network in some way to synchronize the password. But before logon, the VPN connection is not available. In our case, that is to reduce traffic, as a lot of workers only work on Office 365. This means each and every time, the user will have to travel to a corporate office for password synchronization. I would guess several big companies and Microsoft clients are struggling with this, so there must be some talks on the subject?

Tags: Active Directory, Azure Active Directory

5 answers

  1. Andy David - MVP 110.4K Reputation points Microsoft MVP
    2021-11-16T12:20:25.747+00:00

    Not sure I understand. Why would each user need to travel to the corp office for password sync?


  2. Luís Silva 1 Reputation point
    2021-11-16T12:53:21.727+00:00

    To log in to a Windows 10 FM, where the logon will occur towards the on-prem DC. If the password was lost/forgotten/locked and was afterwards reset with Azure SSPR, the Windows 10 machine, at the login screen, is not connected to the VPN, so it won't be able to authenticate towards the DC where the new password was written to from the SSPR.

  3. Andy David - MVP 110.4K Reputation points Microsoft MVP
    2021-11-16T14:18:36.537+00:00

    If PHS is enabled, the client machine doesn't need to talk to the on-prem AD to continue to work.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs


  4. Luís Silva 1 Reputation point
    2021-11-17T07:45:10.007+00:00

    Thanks Andy,

    I will do some tests and update you based on those.


  5. jd 1 Reputation point
    2022-04-20T13:13:48.967+00:00

    The only Microsoft solution I have found for this on Hybrid Azure AD joined devices is to configure the Windows 10 Always On VPN device tunnel.

    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

    This allows the device to authenticate the new password against the on-premises domain controllers prior to logon.

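As an added check (not from the thread or from Microsoft's documentation), the following PowerShell reports whether a client actually has the two prerequisites jd's answer relies on: a hybrid Azure AD join and an Always On VPN device tunnel profile. It assumes the profile was deployed through the VPNv2 CSP, so it is readable from the MDM bridge class MDM_VPNv2_01, which must be queried in the SYSTEM context (for example via PsExec -s).

```powershell
# Added example: verify the pre-logon password validation path described above.
# Assumptions: dsregcmd is available (Windows 10/11), and VPN profiles were
# delivered via the VPNv2 CSP so they appear in root\cimv2\mdm\dmmap:MDM_VPNv2_01.
function Test-DeviceTunnelProfile {
    [CmdletBinding()]
    param()

    # Hybrid Azure AD join: dsregcmd reports both AzureAdJoined and DomainJoined as YES.
    $dsreg = dsregcmd /status
    $azureJoined  = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
    $domainJoined = [bool]($dsreg | Select-String -Pattern 'DomainJoined\s*:\s*YES'  -Quiet)

    # Enumerate CSP-delivered VPN profiles and look for <DeviceTunnel>true</DeviceTunnel>.
    $profiles = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                                -ClassName 'MDM_VPNv2_01' -ErrorAction SilentlyContinue
    $deviceTunnels = @()
    foreach ($p in $profiles) {
        if (-not $p.ProfileXML) { continue }
        # ProfileXML is commonly stored HTML-escaped; decode it before parsing if so.
        $raw = $p.ProfileXML
        if ($raw -like '*&lt;*') { $raw = [System.Net.WebUtility]::HtmlDecode($raw) }
        try { [xml]$xml = $raw } catch { continue }
        if ("$($xml.VPNProfile.DeviceTunnel)" -eq 'true') {
            # InstanceID is the percent-encoded profile name used by the CSP.
            $deviceTunnels += [uri]::UnescapeDataString($p.InstanceID)
        }
    }

    $hybrid = $azureJoined -and $domainJoined
    [pscustomobject]@{
        HybridAzureAdJoined   = $hybrid
        DeviceTunnelProfiles  = $deviceTunnels
        # Only a hybrid-joined device with a device tunnel can reach a DC before user logon.
        PreLogonPathAvailable = $hybrid -and ($deviceTunnels.Count -gt 0)
    }
}

Test-DeviceTunnelProfile
```

A result of PreLogonPathAvailable = False on a machine whose users rely on SSPR writeback means a reset password cannot be validated at the lock screen until the device is back on the corporate network.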