Azure AD Self Service Password Reset

Chad Cox edited this page Apr 4, 2022 · 9 revisions

Self Service Password Reset

Validate / Enable Combined Registration

User Feature

Navigate Users / User Settings / User Features

  • Users can use the combined security information registration experience: ALL

Password reset

Password Reset Properties

Password reset Authentication methods

  • Number of methods required to reset: 2
  • Methods available to users:
    • Recommend: Mobile app notification
    • Recommend: Mobile app code
    • Recommend: Mobile phone
    • Recommend: Security questions

Password reset registration

  • Require users to register when signing in: Yes
  • Number of days before users are asked to re-confirm their authentication information: 180

Password reset Notifications

  • Notify users on password resets: Yes
  • Notify all admins when other admins reset their password: Yes

Password reset customization

  • Customize helpdesk link: Yes
  • Custom helpdesk email or URL: provide company url to helpdesk

Password reset On-premises integration

  • Write back passwords to your on-premises directory: Yes
  • Allow users to unlock accounts without resetting their password: Yes

Password reset Administrator Policy

  • Is self-service password reset enabled: No

EnforceCloudPasswordPolicyForPasswordSyncedUsers

  • Run this (from the MSOnline module, after Connect-MsolService) so the Azure AD password policy takes effect for password-hash-synced users. Make sure the cloud password expiration policy matches the on-premises policy. This setting ensures users receive expired-password prompts in Azure AD.

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

Once enabled, Azure AD does not go to each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the DisablePasswordExpiration value is removed from PasswordPolicies during the next password hash sync for each user, upon their next password change in on-premises AD.

Note: If there are synchronized accounts that need to have non-expiring passwords in Azure AD, you must explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute of the user object in Azure AD. You can do this by running the following command.

Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
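The following script is an added example, not part of the original wiki page. It puts the note above into practice: after EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled, on-premises accounts whose password is set to never expire (typically service accounts) would start expiring in the cloud unless DisablePasswordExpiration is set on them explicitly. The script finds those accounts on-premises, checks the matching Azure AD object, and only writes the value when run with the assumed -Apply switch. It assumes the ActiveDirectory and AzureAD modules are installed and that Connect-AzureAD has already run.

```powershell
# Added example (not from the original wiki page). Assumes the ActiveDirectory
# and AzureAD modules are installed and Connect-AzureAD has already run.
# Without -Apply (an assumed switch) the script only reports what it would change.
param(
    [switch]$Apply
)

Import-Module ActiveDirectory
Import-Module AzureAD

# On-premises accounts flagged "password never expires" (enabled accounts only)
$neverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties UserPrincipalName, PasswordNeverExpires |
    Where-Object { $_.UserPrincipalName }

$report = foreach ($adUser in $neverExpires) {
    # Get-AzureADUser -ObjectId also accepts a user principal name
    $cloudUser = Get-AzureADUser -ObjectId $adUser.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloudUser) {
        [pscustomobject]@{ UPN = $adUser.UserPrincipalName; Status = 'NotInAzureAD' }
        continue
    }

    # PasswordPolicies is a comma-separated string such as
    # "DisablePasswordExpiration, DisableStrongPassword" (or empty)
    $policies = @()
    if ($cloudUser.PasswordPolicies) {
        $policies = $cloudUser.PasswordPolicies -split '\s*,\s*' | Where-Object { $_ }
    }

    if ($policies -contains 'DisablePasswordExpiration') {
        [pscustomobject]@{ UPN = $adUser.UserPrincipalName; Status = 'AlreadySet' }
        continue
    }

    if ($Apply) {
        # Preserve any other policy value already present on the object
        $newValue = (@($policies) + 'DisablePasswordExpiration') -join ', '
        Set-AzureADUser -ObjectId $cloudUser.ObjectId -PasswordPolicies $newValue
        [pscustomobject]@{ UPN = $adUser.UserPrincipalName; Status = 'Updated' }
    } else {
        [pscustomobject]@{ UPN = $adUser.UserPrincipalName; Status = 'WouldUpdate' }
    }
}

$report | Format-Table -AutoSize
```

Run it once without -Apply, review the NotInAzureAD and WouldUpdate rows (a NotInAzureAD row usually means the account is excluded from sync or has a UPN mismatch), then run again with -Apply. Because the value is written explicitly, it is not removed by the next password hash sync the way the inherited DisablePasswordExpiration value is.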

Validate Password Policy

  • In the Microsoft 365 admin center, go to Org Settings and open the Security & privacy tab.
  • If you aren't a global admin, you won't see the Security & privacy option.
  • Select Password expiration policy.
  • If you don't want users to have to change passwords, uncheck the box next to "Set user passwords to expire after a number of days".
  • Type how often passwords should expire. Choose a number of days from 14 to 730 (make sure it matches the on-premises Active Directory policy).
  • In the second box, type how many days before expiry users are notified that their password will expire (1 to 30), and then select Save.
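As an added example (not from the original wiki page), the portal check above can be done from PowerShell: read the on-premises default domain password policy, read the Azure AD password expiration policy for a verified domain, report whether the maximum ages agree, and confirm the sync feature is on. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already run, and that $DomainName (an assumed parameter) is one of the tenant's verified domains.

```powershell
# Added example (not from the original wiki page). Assumes the ActiveDirectory
# and MSOnline modules are installed and Connect-MsolService has already run.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainName   # assumed parameter: a verified Azure AD domain, e.g. contoso.com
)

Import-Module ActiveDirectory
Import-Module MSOnline

# On-premises: MaxPasswordAge is a TimeSpan. A value of 0 days is treated here
# as "never expires" (assumption about how the module reports the GPO setting).
$onPrem = Get-ADDefaultDomainPasswordPolicy
$onPremDays = [int]$onPrem.MaxPasswordAge.TotalDays

# Azure AD: ValidityPeriod is the number of days before a password expires;
# 2147483647 means never expires. NotificationDays is the warning lead time.
$cloud = Get-MsolPasswordPolicy -DomainName $DomainName
$cloudDays = [int]$cloud.ValidityPeriod

$onPremNever = ($onPremDays -eq 0)
$cloudNever  = ($cloudDays -eq 2147483647)

[pscustomobject]@{
    Domain                   = $DomainName
    OnPremMaxPasswordAgeDays = if ($onPremNever) { 'Never' } else { $onPremDays }
    CloudValidityPeriodDays  = if ($cloudNever)  { 'Never' } else { $cloudDays }
    CloudNotificationDays    = $cloud.NotificationDays
    Match                    = ($onPremNever -and $cloudNever) -or
                               (-not $onPremNever -and -not $cloudNever -and $onPremDays -eq $cloudDays)
} | Format-List

# Confirm the sync-side enforcement feature itself is enabled
Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

# To align the cloud policy with on-premises, uncomment the line below.
# ValidityPeriod must be 14-730 days and NotificationDays 1-30, as the portal enforces.
# Set-MsolPasswordPolicy -DomainName $DomainName -ValidityPeriod $onPremDays -NotificationDays 14
```

A Match of False is the case the page warns about: synced users would get expiry prompts in Azure AD on a different schedule than on-premises, so fix one side before enabling enforcement tenant-wide.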

ForcePasswordChangeOnLogOn

  • Ensures that new users are prompted to change their password at first sign-in to the cloud.

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

Forcing a user to change their password on next logon requires a password change at the same time. Azure AD Connect will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs during password hash sync.

Also, credentials migrated from one domain to another using ADMT usually get this flag set; I recommend stopping Azure AD Connect during migrations and verifying that the migrated accounts are correct before resuming.
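The script below is an added example, not part of the original wiki page. It checks on the Azure AD Connect server that ForcePasswordChangeOnLogOn is actually enabled, and lists the on-premises accounts currently flagged "must change password at next logon" (stored in AD as pwdLastSet = 0). Since the flag only reaches Azure AD together with a password change detected by password hash sync, these are the accounts whose cloud state can lag behind on-premises, including the ADMT-migrated accounts mentioned above. It assumes the ADSync and ActiveDirectory modules are available on the machine it runs on.

```powershell
# Added example (not from the original wiki page). Assumes it runs on the
# Azure AD Connect server with the ADSync and ActiveDirectory modules available.
Import-Module ADSync
Import-Module ActiveDirectory

# Get-ADSyncAADCompanyFeature reports the tenant-level sync features,
# including ForcePasswordChangeOnLogOn
$features = Get-ADSyncAADCompanyFeature
if (-not $features.ForcePasswordChangeOnLogOn) {
    Write-Warning 'ForcePasswordChangeOnLogOn is disabled; enable it with: Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true'
} else {
    Write-Host 'ForcePasswordChangeOnLogOn is enabled.'
}

# pwdLastSet = 0 is how Active Directory stores "user must change password at next logon".
# These accounts will only carry the flag into Azure AD once a password change syncs.
$flagged = Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' `
    -Properties pwdLastSet, whenCreated, whenChanged

$flagged |
    Select-Object SamAccountName, UserPrincipalName, whenCreated, whenChanged |
    Sort-Object whenCreated -Descending |
    Format-Table -AutoSize

Write-Host ("{0} enabled account(s) are flagged to change password at next logon." -f @($flagged).Count)
```

Accounts that show up here after a migration but never had a password change synced will not be prompted in the cloud; resetting their on-premises password (which ADMT migrations typically require anyway) is what causes password hash sync to carry the flag across.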

EnforceChangePasswordPolicy

ForceChangePasswordNextLogin
