Self Service Password Reset

With the increasing number of workers working from home, some of them even moving away from their "close to office" location, we assume there will be a strong need for Self-service Password Reset to enable unlocking of accounts or resetting forgotten passwords. However, in hybrid implementations where the Windows machine connects to an on-prem DC and Azure Self-service Password Reset writes back to on-prem, the user needs to connect to the corporate network in some way to synchronize the password. But before logon, the VPN connection is not available (in our case, to reduce traffic, as a lot of workers only work on Office 365). This means each and every time, the user will have to travel to a corporate office for password synchronization. I would guess several big companies and Microsoft clients are struggling with this, so there must be some talks on the subject?
5 answers
-
Andy David - MVP 110.4K Reputation points Microsoft MVP
2021-11-16T12:20:25.747+00:00 Not sure I understand. Why would each user need to travel to the corp office for password sync?
Luís Silva 1 Reputation point
2021-11-16T12:53:21.727+00:00 To log in to a Windows 10 FM, where the logon will occur towards the on-prem DC. If the password was lost/forgotten/locked and was afterwards reset with Azure SSPR, the Windows 10 machine at the login screen is not connected to the VPN, so it won't be able to authenticate towards the DC where the new password was written to by SSPR.
-
Andy David - MVP 110.4K Reputation points Microsoft MVP
2021-11-16T14:18:36.537+00:00 If PHS is enabled, the client machine doesn't need to talk to the on-prem AD to continue to work.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
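As an added example (not part of this thread, and not a Microsoft script), the following PowerShell, run on the Azure AD Connect server, checks the two settings the answer above depends on: password hash synchronization (PHS) for the on-prem forest and SSPR password writeback for the Azure AD connector. It uses cmdlets from the ADSync module that ships with Azure AD Connect; the connector-type filter (`ConnectorTypeName -eq 'AD'`) and the `Enabled` property on the writeback configuration are assumptions that should be checked against the module version in use.

```powershell
# Added example: verify PHS and SSPR password writeback on the Azure AD Connect server.
# Cmdlet names are from the ADSync module; the ConnectorTypeName filter values and the
# 'Enabled' property on the writeback configuration are assumptions (verify locally).
Import-Module ADSync

# Split the connectors into the on-prem AD connector and the Azure AD connector.
$connectors   = Get-ADSyncConnector
$adConnector  = $connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1
$aadConnector = $connectors | Where-Object { $_.ConnectorTypeName -ne 'AD' } | Select-Object -First 1

# Tenant-level feature flags; PasswordHashSync is the one that matters here.
$features = Get-ADSyncAADCompanyFeature
"PasswordHashSync feature   : $($features.PasswordHashSync)"

# Per-forest PHS configuration. With PHS on, the hash that reaches Azure AD is the
# one the cloud validates, which is what the answer above relies on for clients
# that have no line of sight to a DC.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
"PHS enabled for $($adConnector.Name) : $($phs.Enabled)"

# Password writeback: the channel that carries an SSPR reset back to on-prem AD.
$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
"Password writeback enabled : $($writeback.Enabled)"

if (-not $phs.Enabled) {
    Write-Warning 'PHS is off: a password reset via SSPR still requires the client to reach a DC.'
}
if (-not $writeback.Enabled) {
    Write-Warning 'Password writeback is off: SSPR resets will not reach on-prem AD at all.'
}
```

Run it in an elevated session on the Azure AD Connect server; both flags need to read `True` for the scenario in the question (reset in the cloud, logon continues to work off the corporate network).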
-
Luís Silva 1 Reputation point
2021-11-17T07:45:10.007+00:00 Thanks Andy,
I will do some tests and update you based on those
-
jd 1 Reputation point
2022-04-20T13:13:48.967+00:00 The only Microsoft solution I have found for this on Hybrid Azure AD joined devices is to configure the Windows 10 Always On VPN device tunnel.
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config
This allows the device to authenticate the new password against the on-premises domain controllers prior to logon.
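As an added example (written here, not taken from this thread or from the linked Microsoft article), this PowerShell provisions the Always On VPN device tunnel described in the answer above. It follows the approach the linked article documents: a VPNv2 CSP ProfileXML with `DeviceTunnel` and `AlwaysOn` set, machine-certificate IKEv2 authentication, and deployment through the MDM bridge WMI namespace, which must be done as SYSTEM. The VPN server name, the DC addresses and the profile name are constructed placeholders; the routes and traffic filters are deliberately limited to the DCs so the pre-logon tunnel carries only authentication traffic.

```powershell
# Added example: create an Always On VPN *device* tunnel so a hybrid Azure AD joined
# machine can reach on-prem DCs before a user logs on. Must run as SYSTEM (e.g. via
# PsExec -s, or as an Intune/ConfigMgr script), because the device tunnel is written
# through the MDM bridge (root\cimv2\mdm\dmmap) rather than Add-VpnConnection.
# VpnServer, DcAddresses and ProfileName are constructed placeholders.

$ProfileName = 'DeviceTunnel'
$VpnServer   = 'vpn.example.com'            # placeholder: IKEv2 VPN gateway FQDN
$DcAddresses = @('10.0.0.10', '10.0.0.11')  # placeholders: on-prem domain controllers

# Restrict both routing and the traffic filter to the DCs only: the device tunnel
# exists to authenticate and change passwords, not to carry general user traffic.
$routes  = ($DcAddresses | ForEach-Object {
    "  <Route><Address>$_</Address><PrefixSize>32</PrefixSize></Route>" }) -join "`n"
$filters = ($DcAddresses | ForEach-Object {
    "  <TrafficFilter><RemoteAddressRanges>$_</RemoteAddressRanges></TrafficFilter>" }) -join "`n"

$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
$routes
$filters
</VPNProfile>
"@

# The CSP expects the XML as an escaped string value.
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$nodeCSPURI    = './Vendor/MSFT/VPNv2'
$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$session       = New-CimSession

# Remove an existing profile of the same name so re-running the script is idempotent.
try {
    $existing = Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction Stop |
        Where-Object { $_.InstanceID -eq $ProfileName }
    if ($existing) { $session.DeleteInstance($namespaceName, $existing) | Out-Null }
} catch { }

# Build the CSP instance: ParentID and InstanceID are keys, ProfileXML is the payload.
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(
    @{ Name = 'ParentID';   Value = $nodeCSPURI;  Flags = 'Key' },
    @{ Name = 'InstanceID'; Value = $ProfileName; Flags = 'Key' },
    @{ Name = 'ProfileXML'; Value = $ProfileXML;  Flags = 'Property' }
)) {
    $newInstance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
}
$session.CreateInstance($namespaceName, $newInstance) | Out-Null
"Device tunnel profile '$ProfileName' created. Verify with: Get-VpnConnection -AllUserConnection"
```

After deployment, the tunnel should show up under `Get-VpnConnection -AllUserConnection` and come up at boot once the machine holds a valid machine certificate for the IKEv2 gateway; at that point a password reset through SSPR with writeback can be validated against the DC from the logon screen, which is the gap the original question describes.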