Q. What are the options to enable end-user password self-service with Azure AD?
A. For users that have Azure AD Basic or Premium licenses assigned to them, it is possible to let them reset their own passwords if they forget them. For users with Azure AD Premium, the new password can also be synchronized back to on-premises Active Directory.
To enable users to reset their passwords, the capability must first be enabled for the Azure AD instance. This is done through the Configure tab of the Azure AD instance by setting the User Password Reset Policy to 'Yes'. It is also possible to restrict who can reset passwords by turning on the Restrict Access to Password Reset option. Once the password reset option is enabled, you select the methods that can be used for a reset, which at the time of writing include:
- Office phone
- Mobile phone
- Alternate email address
- A list of security questions
As shown below, check the options you wish to enable and specify the number of authentication methods required during a reset. Also check the Security Questions option to configure the number of questions that users must populate when registering and the number of questions that must be answered during an actual reset. You also need to specify the actual questions that will be available. Make the various settings and click the Save button.
Phone number information may come from directory synchronization; however, the other types would need to be entered by the user. The configuration page contains a link users can use to perform the registration directly, but this can also be done when users visit the Azure Access Panel at http://myapps.microsoft.com/. When a user accesses the page after self-service reset has been enabled, they will be prompted to verify their reset information.
The access account information page will display which authentication methods need to be validated (such as calling the number or sending an email, where the code supplied in the message must be typed in to prove ownership) or populated (such as security questions). Complete the required verification and populate the required information. Below are some of the key screens from the user experience.
From the Azure Access Panel a user can select the Profile tab and select the Register for Password Reset to modify the security information.
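As an added illustration (not part of the original answer, and not Microsoft tooling or API), the Python below models the reset policy settings described above and each user's registration state, flagging an inconsistent policy and listing the users who could not yet complete a reset under it. The method labels, dataclasses and sample users are this example's own assumptions.

```python
from dataclasses import dataclass
# Reset methods listed on the page (the string labels are this example's own).
METHODS = frozenset({"office_phone", "mobile_phone", "alternate_email", "security_questions"})

@dataclass(frozen=True)
class ResetPolicy:
    enabled_methods: frozenset
    methods_required: int           # methods a reset must validate (1 or 2 in the portal)
    questions_to_register: int = 0  # questions a user must populate when registering
    questions_to_answer: int = 0    # questions that must be answered during a reset

@dataclass(frozen=True)
class UserRegistration:
    upn: str
    office_phone: str = ""          # may be populated by directory synchronization
    mobile_phone: str = ""
    alternate_email: str = ""
    questions_registered: int = 0

def validate_policy(p):
    """Return configuration problems; an empty list means the policy is consistent."""
    problems = []
    if not p.enabled_methods <= METHODS:
        problems.append("unknown method(s): %s" % sorted(p.enabled_methods - METHODS))
    if not 1 <= p.methods_required <= len(p.enabled_methods):
        problems.append("methods_required must be between 1 and the number of enabled methods")
    if "security_questions" in p.enabled_methods:
        if p.questions_to_answer < 1:
            problems.append("security questions enabled but none must be answered")
        if p.questions_to_answer > p.questions_to_register:
            problems.append("users cannot answer more questions than they register")
    return problems

def usable_methods(u, p):
    """Methods the user has fully registered that the policy also allows."""
    have = {m for m in ("office_phone", "mobile_phone", "alternate_email") if getattr(u, m)}
    if p.questions_to_register and u.questions_registered >= p.questions_to_register:
        have.add("security_questions")
    return frozenset(have) & p.enabled_methods

def can_reset(u, p):
    return len(usable_methods(u, p)) >= p.methods_required

def users_needing_registration(users, p):
    """UPNs that cannot yet satisfy the policy; chase these before relying on SSPR."""
    return sorted(u.upn for u in users if not can_reset(u, p))

# Constructed sample policy and users (not real tenant data).
POLICY = ResetPolicy(frozenset({"mobile_phone", "alternate_email", "security_questions"}), 2, 4, 3)
USERS = [UserRegistration("alice@example.com", mobile_phone="+1 555 0100", alternate_email="a@example.org"),
         UserRegistration("bob@example.com", office_phone="+1 555 0101", questions_registered=4),
         UserRegistration("carol@example.com", alternate_email="c@example.org", questions_registered=2)]
```

Note that bob's synced office phone does not help him because that method is not enabled in the sample policy, which is exactly the kind of gap to spot before rollout.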
Once this is configured, users will be able to reset their password by selecting the Can't access your account? link on the sign-in screen once their Azure AD account name has been typed, as shown.
Initially, the displayed characters must be typed in to help protect against automated bots attacking accounts; once those characters are entered, the verification process begins, enabling the password reset action. Microsoft has a great blog post at http://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx with additional information. https://msdn.microsoft.com/library/azure/dn532272.aspx?f=255&MSPPError=-2147217396 confirms the versions of Azure AD that support self-service password reset.