Microsoft has recently released an enhancement to its Windows Azure Active Directory (WAAD) offering. This enhancement enables end users to perform self-service password resets in the case of a forgotten password. Previously this function was available to administrative accounts only.
WAAD self-service password reset (SSPR) is a premium offering, requiring Premium Features to be enabled for the WAAD.
Once WAAD Premium Features are enabled, the User Password Reset Policy can be edited and SSPR enabled. For the initial release, enabling SSPR does so for all WAAD user accounts. Microsoft has advised that future releases will allow SSPR to be configured on a per user basis.
When enabling SSPR, the administrator must select what communication mechanisms are available to the SSPR solution to contact users. For this release, the mechanisms are limited to Mobile number or Office phone number. SSPR can either send a SMS or call the end user on the number/s provided. Contact via an alternate email address is planned for future releases.
For customers with Directory Synchronisation enabled, these attributes can be populated in the on-premises Active Directory and synchronised to WAAD via DirSync or the new Forefront Identity Manager connector for Windows Azure Active Directory (found here). Alternatively users can register contact numbers via a registration portal before attempting to use the SSPR solution.
Once configured for SSPR, users can access the reset functionality by clicking the “Can’t access your account?” link on the Office 365 sign in page.
This offering closes the loop on password management by providing delegated password administration for WAAD for organisations not using the password synchronisation features incorporated into the recent DirSync enhancement or those without account federation. For organisation using these technologies, password administration must still be performed via on-premises tools. Note the initial release if the Forefront Identity Manager connector for Windows Azure Active Directory does not support password synchronisation, and is therefore better suited for organisations intending to implement federation.
Whilst SSPR can be enabled for organisations using DirSync for password synchronisation, its use will cause the on-premises password to become out of sync with the one in WAAD. The WAAD password will not be synchronised back to the on-premises AD.
Issues with out of sync passwords can be corrected by the user resetting their on-premises password, triggering synchronisation to WAAD.
Update to the above – password write back to an on-premises Active Directory for Azure Password Reset is now supported. Details on this feature can be found at the URL below:
http://msdn.microsoft.com/en-us/library/azure/dn688249.aspx