As stated before, the Password Reset section lets you specify whether to enable self-service password reset (SSPR). If you enable this feature, users can reset their own passwords or unlock their own accounts without calling the help desk.
You can choose from three SSPR options: None, Selected, and All Users. None means no user can reset their own password; Selected limits SSPR to the members of a group you choose (the pilot group in the exercises that follow); All Users enables it for every user in the tenant. To set up SSPR, you must meet the following prerequisites:
■ An Azure AD tenant with at least one trial license enabled
■ A Global Administrator account that can be used to enable SSPR
■ A non-administrator test account with a password that you know
■ A pilot group that contains the non-administrator test account (the test account must be a member of this group)
In Exercise 10.3, I will show you how to configure the Self-Service Password Reset option in Azure AD. To complete this exercise, you must have created a user (Exercise 10.1) and a group (Exercise 10.2).
EXERCISE 10.3
Setting up Self- Service Password Reset
1. From your existing Azure AD tenant, click Azure Active Directory.
2. Select Password Reset.
3. On the Properties page, under Self Service Password Reset Enabled, choose Selected.
4. Under Select Group, choose your pilot group.
5. Click Save.
6. On the Authentication Methods page, make the following choices and then click Save:
   Number of methods required to reset: 1
   Methods available to users: Mobile phone, Office phone
7. On the Registration page, make the following choices:
   Require users to register when they sign in: Yes
   Number of days before users are asked to reconfirm their authentication information: 365
These are pilot settings. For production, require two methods rather than one, and prefer the Microsoft Authenticator app over phone-only methods, which are exposed to SIM-swap and call-forwarding attacks; a single phone-based gate is all an attacker needs to take over the account.
In Exercise 10.4, you'll test the Self-Service Password Reset option. To complete this exercise, you must have completed the previous exercise (Exercise 10.3). This test must be done with a normal (non-administrator) user account. You can't run it with your own administrator account, because that account is not in the pilot group and administrator accounts are governed by a separate, stricter reset policy.
EXERCISE 10.4
Testing the Self- Service Password Reset
1. Open a new browser window in InPrivate or incognito mode, and browse to https://aka.ms/ssprsetup.
2. Sign in as the non-administrator test user and register your authentication phone.
3. Once complete, click the Looks Good button and close the browser window.
4. Open a new browser window in InPrivate or incognito mode and browse to https://aka.ms/sspr.
5. Enter the non-administrator test user's User ID, type the characters in the CAPTCHA, and then click Next.
6. Follow the verification steps to reset the password.
Creating a Hybrid Network
One nice feature of running both an onsite network and an Azure network is that Microsoft provides many tools to connect the two. Connecting them matters because it lets users move seamlessly between the two environments.
Microsoft's identity solutions extend your organization's onsite directory into Azure AD by creating a common user identity that is used for authentication and authorization to all resources, no matter where those resources reside. This is what Microsoft refers to as hybrid identity.
To properly set up your hybrid identity, you can use one of the following authentication methods. Which one you decide to go with depends on your environment scenario.
■ Password hash synchronization (PHS)
■ Pass-through authentication (PTA)
■ Federation
So, what is the real advantage of joining both networks with one of these methods? Whichever authentication method you choose, you are providing your users with single sign-on (SSO): they sign in once and gain access to resources on both networks. This is what gives your users seamless access to all resources. Let's take a look at some of the available identity solutions.
Password Hash Synchronization with Azure AD
One of the hybrid identity sign-in methods you can use is called password hash synchronization. Synchronization is one-way: Azure AD Connect reads the hash of each user's password from your onsite Active Directory, hashes it again with a per-user salt and a key-stretching function, and sends the result to Azure AD. The cleartext password is never read or transmitted, and what Azure AD stores is not the onsite hash itself. Because the sync runs continuously, a password change onsite is reflected in Azure AD shortly afterward, so the two systems stay in step. Azure AD Connect is required for this setup to function.
Password hash synchronization is a feature of Azure AD Connect sync that lets users sign in to Azure AD applications such as Microsoft 365 with their onsite username and password. This helps users because it reduces the number of usernames and passwords they need to remember.
Another advantage for your organization is that password hash synchronization can serve as a backup sign-in method if you federate with Active Directory Federation Services (AD FS): if the federation infrastructure fails, users can still sign in to Azure AD. To set up password hash synchronization, your environment needs the following:
■ Azure AD Connect
■ Directory synchronization between your onsite Active Directory and your Azure AD tenant
■ Password hash synchronization enabled in Azure AD Connect
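The following Python script is added here as an illustration; it is not code from this book or from Microsoft. It walks through the transformation Microsoft documents for password hash synchronization: the 16-byte NT (MD4) hash read from onsite AD is expanded to 64 bytes by writing it as hex and re-encoding that string as UTF-16, a 10-byte per-user salt is added, and the result is run through 1000 iterations of PBKDF2-HMAC-SHA256. The derived hash, the salt and the iteration count are what Azure AD receives, and what it recomputes from the typed password at sign-in. Lower-case hex in the expansion step, the dictionary layout of the synced record, and the sample password and salt are assumptions made for the demo; the TLS transport between Azure AD Connect and Azure AD is not modeled. MD4 is implemented in pure Python because hashlib's md4 is absent on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF
SALT_LEN = 10      # per-user salt length described by Microsoft
ITERATIONS = 1000  # PBKDF2-HMAC-SHA256 iteration count described by Microsoft


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is missing on many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, shifts, const in (
            (f, range(16), (3, 7, 11, 19), 0),
            (g, r2, (3, 5, 9, 13), 0x5A827999),
            (h, r3, (3, 9, 11, 15), 0x6ED9EBA1),
        ):
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the same line serves A, D, C, B
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """What the onsite domain controller stores: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def expand_nt_hash(nt: bytes) -> bytes:
    """16-byte NT hash -> 32-char hex -> UTF-16LE -> 64 bytes. Lower-case hex is an assumption."""
    return nt.hex().encode("utf-16le")


def phs_derive(nt: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The value that actually leaves the network: PBKDF2-HMAC-SHA256 over the expanded hash."""
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt), salt, iterations, dklen=32)


def sync_record(nt: bytes, salt: Optional[bytes] = None) -> dict:
    """What Azure AD Connect sends for one user. Input is the NT hash read from AD, never the
    cleartext password. The dict layout is an assumption for this demo."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return {"hash": phs_derive(nt, salt), "salt": salt, "iterations": ITERATIONS}


def cloud_verify(record: dict, password_attempt: str) -> bool:
    """Azure AD side at sign-in: rerun MD4 -> expand -> PBKDF2 on the typed password and compare."""
    candidate = phs_derive(nt_hash(password_attempt), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def offline_guess(record: dict, wordlist) -> Optional[str]:
    """A leaked synced record cannot be replayed as an NT hash against the onsite domain,
    but it can still be guessed offline at 1000 PBKDF2 iterations per candidate."""
    for guess in wordlist:
        if cloud_verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo values; the salt is fixed only so the output is reproducible.
    nt = nt_hash("Winter2024!")
    rec = sync_record(nt, salt=bytes(range(SALT_LEN)))
    print("NT hash (stays onsite):", nt.hex())
    print("synced to Azure AD    :", rec["hash"].hex(), rec["salt"].hex(), rec["iterations"])
    print("cloud verify          :", cloud_verify(rec, "Winter2024!"))
    print("offline guess         :", offline_guess(rec, ["Summer2023!", "Winter2024!"]))
```

Two points fall out of running it. First, the value Azure AD holds is a salted, stretched hash of the NT hash, so a compromise of the cloud record does not hand an attacker a hash usable for pass-the-hash against the onsite domain. Second, the record is still subject to offline guessing, which is why a strong password policy (and Azure AD's banned-password list) remains necessary even though the password itself never leaves the network.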
Azure Active Directory Pass- Through Authentication
Another option for letting your users sign in to both onsite and cloud-based applications with the same password is Azure AD Pass-Through Authentication, which organizations can use instead of Azure AD Password Hash Synchronization. With PTA, each cloud sign-in is validated directly against your onsite domain controllers by a lightweight agent you run, so onsite Active Directory security and password policies such as account lockout, logon hours, and password expiration are enforced at sign-in time.
This option also helps with costs: your IT help desk is no longer inundated with calls from users trying to remember different passwords, which lowers total cost of ownership (TCO), since fewer support calls mean fewer support staff. Some of the key benefits of Azure AD Pass-Through Authentication are as follows:
■ Better user experience
  ■ Users sign in to both Azure AD and the onsite AD network with the same account password.
  ■ Users don't need to call IT as often to reset passwords for multiple accounts.
  ■ Users can manage their own passwords with the Azure AD self-service password tools.
■ Easy deployment
  ■ There is no need to deploy a large infrastructure onsite: only lightweight authentication agents are installed on onsite servers, and no AD FS farm or reverse proxy is required.
  ■ Less budget is needed for onsite IT, because Azure AD and your onsite AD integrate without a large onsite footprint.
■ Security
  ■ Onsite passwords are never stored in the Azure cloud in any form; they are validated onsite, and the agent holds them only in memory for the duration of the request.
  ■ User accounts are protected by Azure AD Conditional Access policies, including multifactor authentication (MFA) and blocking legacy authentication, and by Azure AD Smart Lockout, which filters brute-force password attacks before they reach your onsite directory.
  ■ The authentication agent makes only outbound connections from within your network, so you don't need to place it in a perimeter network (DMZ) or open inbound firewall ports.
  ■ Certificate-based authentication secures the connection between the agent and Azure AD.
■ Highly available
  ■ Installing additional agents on onsite servers gives you high availability for sign-in requests; Microsoft recommends running at least three agents.