Jump to content
support

Azure Active Directory Reset Example

Recommended Posts

Step 1: Ensure you have prerequisites set up for your web server, as per this forum post (Once off process)

Step 2: Add new Password Record configured as follows:

 

Screen 1: Ensure you configure the below 4 options correctly and enter in the Azure AD password for the account.  If you configure an Expiry Date it will automatically change the password when that date is reached.

2019-04-04_9-31-57.png

 

 

Screen 2: Select the appropriate Privileged Account.  This account must have permissions to reset other accounts in Azure AD.  If the user account you are resetting the passowrd for has permissions to perform account resets in Azure AD, then you do not need to set a privileged account on this screen.  See bottom of this page for description of permissions required to reset passwords in Azure AD.

 

Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs

2019-04-04_9-32-12.png

 

 

Screen 3: Confirm the Validate Password for Active Directory Account validation script is selected

2019-04-04_9-32-26.png

 

 

Permissions:

A standard user in Azure AD cannot reset their own account password, using the Powershell module Passwordstate uses.  If you grant the user one of the following roles in Azure, then they will be able to reset their own password:

 

1. Helpdesk (Password) administrator

2. User Administrator

3. Global Administrator

 

Helpdesk administrator is the role with the least privileges, however this will also give the user the ability to reset other Azure user passwords.  If you feel these permissions are too high, then you should use a privileged account that has this Helpdesk Administrator role, and assign it on your Password record (Screen 2 above).  This privileged account will perform the reset of the password on behalf of the user.

 

To assign the Helpdesk Administrator role in Azure AD, log into the Azure AD portal as an Administrator, select Azure Active Directory -> Roles and administrators, and open the Helpdesk (password) Administrator role. Then click Add Assignment and search for the appropriate user, and save your changes.

 

Regards,

Support

Share this post


Link to post
Share on other sites

As you can't use MFA enabled accounts to reset passwords, we are looking for other solutions. The Microsoft documentation states "If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or use service principal authentication". Does anyone have implemented the password reset and hearbeat functionality based on a AAD service principal and can share a few details on this?

Share this post


Link to post
Share on other sites

Hi Thomas,

 

We have not come across any customers who've been able to script resets in this manner, as MFA requires some sort of interaction to enter the OTP password. But hopefully another customer reads this and has some insights.

Regards

Click Studios

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...