Hybrid Azure AD user password reset - azure

After more than three weeks of searching and trial and error, I tumble back here for help.
I have successfully connected the on-premises AD with the cloud Azure AD, and password sync seems to work as well. But there is still one problem present that I just can't locate and/or fix. If a synced user tries to reset his password on the portal.office.com website (which should be forced after 90 days), he is forbidden to do so.
Now to my question: Is it true that the only possible way to reset a synced user's password is for the admin to manually reset the password in the local AD?
Thank you very much.
Best regards
Sala

It is possible for users to reset synced passwords. It requires Azure AD Premium for the appropriate users and several additional setup steps, including the Password Writeback feature being enabled. See the "Enable users to reset or change their AD Passwords" topic in this post.
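The answer above names the two prerequisites beyond licensing: password writeback must be enabled on the Azure AD connector, and the AD DS connector account must hold the rights writeback needs on the OU holding synced users. The following is an added example, not code from the original answer or from Microsoft, that checks both on the Azure AD Connect server. The connector-name pattern, the connector account name and the OU are assumptions; substitute your own.

```powershell
# Added example (not from the answer above): on the Azure AD Connect server, check the
# two prerequisites password writeback needs beyond licensing: the feature is enabled on
# the Azure AD connector, and the AD DS connector account holds the rights it must have
# on the OU containing synced users. Connector name pattern, account and OU are assumptions.
Import-Module ADSync              # installed with Azure AD Connect
Import-Module ActiveDirectory     # RSAT; provides Get-ADRootDSE and the AD: drive

$connectorAccount = 'CONTOSO\MSOL_1a2b3c4d5e6f'   # assumption: your AD DS connector account
$usersOu          = 'OU=Users,DC=contoso,DC=com'  # assumption: OU holding synced users

# 1. Is writeback switched on for the Azure AD connector? (default connector name ends in "- AAD")
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name | Format-List
# To enable it from PowerShell rather than re-running the wizard:
#   Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $true

# 2. Resolve the GUIDs of the rights writeback needs from the directory instead of
#    hard-coding them: two extended rights and write access to two attributes.
$rootDse  = Get-ADRootDSE
$required = [ordered]@{}
foreach ($right in 'Reset Password', 'Change Password') {
    $car = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$right))" -Properties rightsGuid
    $required[$right] = [guid]$car.rightsGuid
}
foreach ($attr in 'pwdLastSet', 'lockoutTime') {
    $schema = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $required["Write $attr"] = [guid]$schema.schemaIDGUID
}

# 3. Compare against the Allow ACEs granted to the connector account on the OU.
#    A GenericAll ACE, or an unscoped ACE (ObjectType all zeros), also covers a right,
#    so treat those as a match.
$aces = (Get-Acl -Path "AD:\$usersOu").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $connectorAccount
}
foreach ($entry in $required.GetEnumerator()) {
    $ok = $aces | Where-Object {
        $_.ObjectType -eq $entry.Value -or
        $_.ObjectType -eq [guid]::Empty -or
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    }
    '{0,-20} {1}' -f $entry.Key, $(if ($ok) { 'granted' } else { 'MISSING' })
}
# Missing rights can be granted with the helper module that ships with Azure AD Connect:
#   Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
#   Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName 'MSOL_1a2b3c4d5e6f' -ADConnectorAccountDomain 'contoso.com'
```

Run it in an elevated session on the Azure AD Connect server. Inherited ACEs are included in `Get-Acl` output, so rights granted at the domain root and inherited by the OU show up as granted; a `MISSING` row is the usual reason a user sees the "you can't reset your password" message even after writeback has been ticked in the wizard.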

Related

Sign up works/password reset works but cannot sign in again once either are completed

Quite new to B2C and have set up custom policies which did seem to be working OK.
Since adding the reset-password functionality: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
I have found that local user accounts can sign up and it will sign them in, but it will not let them log in again.
The same happens for resetting the password. It all goes through, the user can log in, and then on the next login it doesn't accept the creds.
B2C audit logs show the password reset as a success... not sure what I am missing?
EDIT: I checked on another tenant I was testing on, where I had not set up the password reset yet, and I have the same issue with local user account creation.
The only piece that is different from the examples is that I have a multi-tenant Azure AD IdP set up.
Any help will be much appreciated
Sounds like you did not complete the setup for the ProxyIEF and IEF app registrations correctly. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-identity-experience-framework-applications
Delete your ProxyIEF and IEF app registrations, then use my tool to reprovision them: https://aka.ms/iefsetup
After reprovisioning, test after a few minutes.
It will overwrite your custom policy files, so download them back and set up the AAD multi-tenant technical profile again afterwards.
Application IDs need to be added to the technical profile in the TrustFrameworkExtensions file for non-interactive logins.
Application IDs for both app registrations mentioned.
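The last two comments describe the one edit the starter pack leaves to you: the IEF and ProxyIEF application IDs have to be written into the `login-NonInteractive` technical profile of TrustFrameworkExtensions.xml, which is what local-account sign-in uses behind the scenes. Below is an added example, not code from the thread or from the B2C starter pack, that makes that edit and refuses to save a policy that still carries placeholder IDs. The two GUIDs and the output path are placeholders, and the policy fragment is a constructed stand-in with the same shape as the starter pack's profile.

```powershell
# Added example (not from the answer above): stamp the IdentityExperienceFramework (IEF) and
# ProxyIdentityExperienceFramework (ProxyIEF) application IDs into the login-NonInteractive
# technical profile of TrustFrameworkExtensions.xml. The GUIDs and the output path are
# placeholders; the policy fragment below is constructed, not a real tenant's file.
$b2cNs = 'http://schemas.microsoft.com/online/cpim/schemas/2013/06'

function Set-IefApplicationIds {
    param(
        [Parameter(Mandatory)][xml]$Policy,
        [Parameter(Mandatory)][guid]$IefAppId,        # IdentityExperienceFramework app (client) ID
        [Parameter(Mandatory)][guid]$ProxyIefAppId    # ProxyIdentityExperienceFramework app (client) ID
    )
    $nsm = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $nsm.AddNamespace('p', $b2cNs)
    $tp = $Policy.SelectSingleNode("//p:TechnicalProfile[@Id='login-NonInteractive']", $nsm)
    if (-not $tp) { throw 'TechnicalProfile login-NonInteractive not found' }

    # Metadata: client_id is the ProxyIEF app, IdTokenAudience is the IEF app.
    $metadata = @{ client_id = $ProxyIefAppId; IdTokenAudience = $IefAppId }
    foreach ($key in $metadata.Keys) {
        $item = $tp.SelectSingleNode("p:Metadata/p:Item[@Key='$key']", $nsm)
        if (-not $item) { throw "Metadata Item '$key' not found" }
        $item.InnerText = $metadata[$key].ToString()
    }
    # InputClaims: client_id defaults to ProxyIEF, resource_id (sent as 'resource') to IEF.
    $claims = @{ client_id = $ProxyIefAppId; resource_id = $IefAppId }
    foreach ($claim in $claims.Keys) {
        $node = $tp.SelectSingleNode("p:InputClaims/p:InputClaim[@ClaimTypeReferenceId='$claim']", $nsm)
        if (-not $node) { throw "InputClaim '$claim' not found" }
        $node.SetAttribute('DefaultValue', $claims[$claim].ToString())
    }
    # Refuse to ship a policy that still carries a starter-pack placeholder anywhere.
    if ($Policy.OuterXml -match 'IdentityExperienceFrameworkAppId') {
        throw 'Placeholder application IDs remain in the policy'
    }
    return $Policy
}

# Constructed fragment standing in for TrustFrameworkExtensions.xml
[xml]$policy = @"
<TrustFrameworkPolicy xmlns="$b2cNs" PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com"
    PolicyId="B2C_1A_TrustFrameworkExtensions" PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
            <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppId" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppId" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"@

# Placeholder GUIDs: take the real values from the two app registrations' Overview blades.
$ids = @{
    IefAppId      = '11111111-1111-1111-1111-111111111111'
    ProxyIefAppId = '22222222-2222-2222-2222-222222222222'
}
$updated = Set-IefApplicationIds -Policy $policy @ids
$updated.Save("$PWD\TrustFrameworkExtensions.patched.xml")
```

The mapping is deliberately asymmetric: `client_id` (both in Metadata and as the `client_id` input claim) carries the ProxyIEF ID, while `IdTokenAudience` and the `resource_id` claim carry the IEF ID. Swapping them is a common cause of exactly the symptom in the question, sign-up succeeds but the next sign-in fails, because the non-interactive ROPC call behind local-account sign-in is then made against the wrong audience. After patching, upload the file to the tenant and retest, since a policy that still contains a placeholder string is rejected here before it is saved.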

Self Service password reset for AD users

How can I configure self-service password reset for AD users (not Azure Active Directory) in Azure, so that when the password expires the user can reset the password themselves instead of asking the administrator to go to the portal and reset it?
Unfortunately at my company we are facing the same dilemma. Our users thankfully have domain-joined laptops and just connect to VPN and change their passwords that way (not that that's any use to you). You can check out a couple of open-source projects for hosting a website that users can go to and reset their password. You can also get a higher-tier subscription and allow them to reset their password via O365 as well.
https://github.com/mprahl/ADReset

Can't sign-in caused by MFA

I'm using Office 365 Business Premium for my test. Since a couple of days ago, I've been getting a prompt for an authentication code (see below) after entering my password when I try to sign in.
MFA prompt
It seems like MFA became enabled suddenly, although I didn't do any such configuration. I suspect my account has possibly been compromised.
Is there any way to recover from this situation?
Thanks
Kaypyosh
If you lost your phone, you will need to reach out to your administrator to reset your information.
The Authenticator app is designed so that you have to prove your identity, so it will require the admin reset if Authenticator MFA is enforced.
If you are the only global admin on the tenant, then you can reach the Azure Data Protection team to get this resolved.
Azure Data Protection number (866-807-5850)
However, if there is a second global admin, you will need to reach out to that person to reset the settings. Please refer to this similar one.
Only the global admin is able to set up or modify MFA.
You can turn off MFA by following these steps:
1. Go to the Office 365 admin center.
2. Go to Users > Active users.
3. Choose More > Setup Azure multi-factor auth.
4. Check your account.
5. Click Disable on the right.
Please check here

Is Self-Service password change allowed for Azure AD free accounts synced using AD Connect?

I am using free Azure AD and when a user tries to "Change password" in the Azure portal, it says:
"you can’t change your password here. Your organization doesn’t allow you to change your password on this site. Please change your password according to the method recommended by your organization, or ask your admin if you need help."
All I can find online is that a change was made and now this feature requires Password Writeback (a premium feature) to work; however, it is advertised as being available with free Azure AD: https://azure.microsoft.com/en-ca/pricing/details/active-directory/ (Self-Service Password Change for cloud users).
Am I missing something here? Is there a possible workaround, or is this feature really not available to Azure AD/AD Connect environments without Premium? Again, I am only looking to have users change passwords, not reset them.
Password change (not reset) is available in the Free edition of Azure AD.
These links have a few of the scenarios listed:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing
https://learn.microsoft.com/en-us/azure/active-directory/user-help/active-directory-passwords-update-your-own-password#change-my-password

Resetting the user password doesn’t work for Azure B2C

As requested by the Azure support team, we are raising this issue.
The issue we face is that resetting the user password doesn't work for Azure B2C.
We followed the steps as outlined here: http://aka.ms/d_LzkR2Yfz
We do get a temporary password for the user, but when trying to log in the system responds with an "Invalid username or password."
There is a known issue related to administrators resetting passwords for local account users via the Azure portal.
It is recommended that administrators reset passwords for local account users using the Azure AD Graph API.
And why don't they fix that portal issue after such a long time...
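The recommendation in the answer is to bypass the portal and set the password through the directory API. Below is an added example, not code from the thread or from Microsoft, that does that for a B2C local account. The answer points at the Azure AD Graph API; that API has since been retired, so the example uses the equivalent Microsoft Graph call (a PATCH of the user's `passwordProfile`) through the Microsoft Graph PowerShell SDK, which is the same operation against the current endpoint rather than a different technique. The tenant name and sign-in name are placeholders, and the password generator assumes PowerShell 7 for the static `RandomNumberGenerator.GetInt32` API.

```powershell
# Added example (not from the answer above). The answer names the Azure AD Graph API; it has
# been retired, so this uses the Microsoft Graph equivalent via the Graph PowerShell SDK.
# Tenant name and sign-in name are placeholders. Requires PowerShell 7 (.NET Core 3+).
Import-Module Microsoft.Graph.Users

function New-TemporaryPassword {
    # Draw from a CSPRNG, guarantee one character of each class, then shuffle. Meets the
    # B2C "strong" password policy (3 of 4 classes, 8-64 characters). Ambiguous glyphs
    # (l, 1, I, O, 0) are left out so the value can be read over the phone.
    param([int]$Length = 20)
    $classes = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#$%^&*-_=+'
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]
    $chars = @(foreach ($set in $classes) { $set[$rng::GetInt32($set.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[$rng::GetInt32($all.Length)] }
    -join ($chars | Sort-Object { $rng::GetInt32([int]::MaxValue) })   # CSPRNG shuffle
}

function Reset-B2CLocalAccountPassword {
    param(
        [Parameter(Mandatory)][string]$TenantName,   # placeholder, e.g. contoso.onmicrosoft.com
        [Parameter(Mandatory)][string]$SignInEmail   # the local account's email sign-in name
    )
    # Sign in as an administrator of the B2C tenant who may write user passwords.
    Connect-MgGraph -TenantId $TenantName -Scopes 'User.ReadWrite.All' -NoWelcome

    # Local accounts are found through their identities collection, not userPrincipalName.
    $filter = "identities/any(i:i/issuer eq '$TenantName' and i/issuerAssignedId eq '$SignInEmail')"
    $user = Get-MgUser -Filter $filter -Property Id, DisplayName
    if (-not $user) { throw "No local account with sign-in name $SignInEmail in $TenantName" }

    $password = New-TemporaryPassword
    # Same operation the Azure AD Graph call performed: PATCH passwordProfile on the user.
    # B2C local accounts are created with forceChangePasswordNextSignIn = false (and
    # DisablePasswordExpiration); keep that so the user can sign in with the new password
    # straight away through the normal user flow or custom policy.
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $password
        ForceChangePasswordNextSignIn = $false
    }

    # Hand the password to the user out of band; it is returned once and not logged here.
    [pscustomobject]@{
        UserId            = $user.Id
        DisplayName       = $user.DisplayName
        TemporaryPassword = $password
    }
}

# Usage (placeholders):
#   Reset-B2CLocalAccountPassword -TenantName 'contoso.onmicrosoft.com' -SignInEmail 'alice@example.com'
```

Because the password is set directly on the directory object rather than through the portal's reset dialog, the subsequent sign-in uses exactly the credential stored in `passwordProfile`, which is the behaviour the answer says the portal path does not deliver. Pair it with a password-reset user flow so the user replaces the temporary value at first sign-in, since `ForceChangePasswordNextSignIn` is deliberately left off for B2C local accounts.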
