Tags

, ,


Microsoft TechNet blog, MStechtalk Part 4, MSTECHTALK PART3, MSTECHTALK PART5,MSTECHTALK PART 1,MSTECHTALK PART 2

If you want to install it on existing Dir Sync server. first you uninstall this application and install it.

 

Uninstallation Procedure

Uninstall DirSync in Control Panel. 

Click Start > Control Panel > Uninstall a program.

Find DirSync and then right click on it > click Uninstall to uninstall the program.

Close DirSync and its associated program.

Delete files and folders created by DirSync

Reboot the server

Download the latest AADSync from http://www.microsoft.com/en-us/download/details.aspx?id=44225

Installation Requirements


The objective of this section is to list the requirements that need to be fulfilled to install Azure AD Sync in your environment.
Azure AD Sync enables you to integrate your on-premises Active Directory Domain Service with your Azure AD directory.
As a consequence of this, you need access to your on-premises Active Directory Domain Service as well as access to a valid Azure subscription that has an Azure AD directory installed.

To install Azure AD Sync, you need a computer running the Windows Server operating system.
The following versions are supported:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Your computer can be stand-alone, a member server or a domain controller.
The following components need to be installed:

  • .Net 4.5.1
  • PowerShell (PS3 or better is required)

You need an account with local administrator privileges on your computer to install Azure AD Sync.

Azure AD Sync requires a SQL Server database to store identity data. By default a SQL Express LocalDB (a light version of SQL Server Express) is installed and the service account for the service is created on the local machine.
SQL Server Express has a 10GB size limit that enables you to manage approximately 100.000 objects.

If you need to manager a higher volume of directory objects, you need to point the installation process to a different version of SQL Server.
AAD Sync supports all flavors of Microsoft SQL Server from SQL Server 2008 to SQL Server 2014.

You must have the following steps completed before you can install Azure AD Sync:

  1. Create an AD account to connect to AD DS
  2. Create an account to connect to Azure AD

The following sections provide the related steps.

 

When you configure Azure AD Sync, you need to provide the credentials of an account that is used by Azure AD Sync to connect to your AD DS.
You can use a regular user account because the account only needs the default read permissions.

The following sections provide more details about the permissions required by the AD DS account and the attributes it needs access to.

If you want to enable password synchronization between your on-premises AD DS and your Azure Active Directory for your users, you need to grant the following permissions to the account that is used by Azure AD Sync to connect to your AD DS:

  • Replicating Directory Changes
  • Replicating Directory Changes All

Both permissions are required to enable the account to read password hashes from your on-premises AD DS.

If you want to enable rich co-existence between your on-premises Exchange infrastructure and Office 365 (Exchange Hybrid), you can do this by selecting the Exchange hybrid deployment optional feature. When selecting this feature, you enable AAD Sync to write-back attributes to your on-premises environment.

Optional featuresThe following table lists the attributes per object type that require write-back:

Object Type Data source Attribute
Contact proxyAddresses
Group proxyAddresses
User/InetOrgPerson msExchArchiveStatus
msExchBlockedSendersHash
msExchSafeRecipientsHash
msExchSafeSendersHash
msExchUCVoiceMailSettings
msExchUserHoldPolicies
proxyAddresses

The account you configure in the Connect to Active Directory Domain Services dialog page needs to have specific permissions to the attributes above.

The following table lists the minimum set of permissions that are required for this account using DSACLS nomenclature.

Object Type Data source Attribute Permission / Access Right Inheritance
Contact proxyAddresses Write The child objects only
Group proxyAddresses Write The child objects only
User/InetOrgPerson msExchArchiveStatus Write The child objects only
msExchBlockedSendersHash Write The child objects only
msExchSafeRecipientsHash Write The child objects only
msExchSafeSendersHash Write The child objects only
msExchUCVoiceMailSettings Write The child objects only
msExchUserHoldPolicies Write The child objects only
proxyAddresses Write The child objects only

The password write-back feature provides your users with a convenient method to reset their on-premises passwords in the cloud. During the configuration of Azure AD Sync, you can activate password write-back as optional feature.

Optional featuresFor each forest you have configured in Azure AD Sync, the account you have specified for a forest in the wizard must be given the “Reset-Password” and “Change Password” extended rights on the root object of each domain in the forest. The right should be marked as inherited by all user objects.

Use the following procedure to setup permissions on each of the accounts you have configured.

  1. Open Active Directory Users and Computers
  2. At the top, under View make sure that Advanced Features are turned on.
  3. On the left, right-click the root domain and select Properties.
  4. Select the Security tab and click Advanced.Password Writeback 2
  5. On the Permissions tab, click Add.Password Writeback 3
  6. Click Select a Principal and select the account that was specified during setup.
  7. In the drop-down, select Descendant User objects.
  8. In the Permissions section select Reset Password and Change Password.Password Writeback 4
  9. Click Ok. Click Apply. Click Ok.

 

When you configure Azure AD Sync, you need to provide the credentials of an account that is used by Azure AD Sync to connect to your Azure AD.

You should apply the following best practices to this account:

  • You should create a separate account that is only used by Azure AD Sync.
  • You should configure the account with a strong password that is 16 characters long.
  • You should set the “Password never expires” flag on the account.
    To accomplish this task, you can use the following PowerShell script code:

    Copy
    set-msoluser -UserPrincipalName syncaccount@contoso.com -PasswordNeverExpires $True
    
  • Your account must have Global Administrator as Organizational Role selected.Role

You can download the most recent version of Azure AD Sync using the following link: http://go.microsoft.com/fwlink/?LinkId=511690

To start the installation process, launch the executable called MicrosoftAzureADConnectionTool.exe.
This self-extracting executable puts all required files on the local drive and starts the installation process.
If you cancel the installation procedure, a shortcut is being created in the start menu and on the desktop.

If you need to use SQL Server or a domain account for the service account you need to cancel the wizard now. Up to this point, the installation process has already created a local folder that includes Azure AD Sync related files. You need the content of this folder to rerun the installation process with parameters.

  1. Open a command prompt, and then go to C:Program FilesMicrosoft Azure AD Connection Tool.
  2. Start the wizard again with the following parameters:
    Copy
    DirectorySyncTool.exe /sqlserver localhost
                          /sqlserverinstance InstanceName
                          /serviceAccountDomain Azure AD Sync
                          /serviceAccountName Azure AD SyncSvc
                          /serviceAccountPassword VerySecretP@ssw0rd
    
    noteNote
    If you want to use the default SQL partition, then don’t specify this parameter.

At this point, you are ready to complete the dialog pages that are associated with the installation process.

To install the Azure AD Sync tool, you need to complete the following dialog pages:

  1. Install
  2. Connect to Azure Active Directory
  3. Connect to Active Directory Domain Services
  4. Configure User Matching
  5. Optional features
  6. Azure AD Apps
  7. Azure AD attributes
  8. Ready to configure
  9. Finished

 

Welcome to Azure AD SyncAs a first step of the installation process, you need to agree to the license terms and conditions and you need to specify the location of the Azure AD Sync.

 

To connect to your Azure AD directory, the Azure AD Sync tool needs the credentials of an account with sufficient permissions.

Connect to Azure ADFor more details, see Create an account to connect to Azure AD.

 

Connect to AD DSTo connect to your Active Directory Domain Service, the Azure AD Sync tool needs the credentials of an account with sufficient permissions.For more details, see Create an AD account to connect to AD DS.

 

Uniquely identifying your usersOn this page, you need to configure the following:

  1. Matching across forests
  2. Matching with Azure AD

 

The Matching across forests feature allows you to define how users from your ADDS forests are represented in Azure AD.
A user might either be represented only once across all forests or have a combination of enabled and disabled accounts.

Setting Description
My users are only represented once across all forests All users are created as individual objects in Azure AD. The objects are not joined in the metaverse.
Mail attribute This option joins users and contacts if the mail attribute has the same value in different forests. It is recommended to use this option when your contacts have been created using GALSync.
ObjectSID and msExchangeMasterAccountSID This option joins an enabled user in an account forest with a disabled user in an Exchange resource forest. This is also known as linked mailbox in Exchange.
sAMAccountName and MailNickName This option joins on attributes where it is expected the login ID for the user can be found.
My own attribute This option allows you to select your own attribute. Limitation in CTP: Make sure to pick an attribute which will already exist in the metaverse. If you pick a custom attribute the wizard will not be able to complete.

 

You can use this option to specify the attribute you want to use for identity federation. The sourceAnchor attribute is an attribute which is not changing during the lifetime of a user object. In single-forest and environments and where the account is never moved between forests, then objectGUID is a good candidate. If the user is moved between forests or domains, then an alternative attribute must be selected.

The userPrincipalName attribute is the user’s login ID in Azure AD. By default the userPrincipalName attribute in ADDS is used. If this attribute is not routable or not suitable as the login ID a different attribute, such as mail, can be selected in the installation guide.

 

Optional featuresIf you have an Exchange hybrid deployment, then select this checkbox. This will write-back some attributes from Exchange online to the on-premises Active Directory.Password write-back is an Azure Active Directory Premium feature. For more information on how to configure this, please see http://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx.

If you want to review or limit the attributes which are synchronized with Azure AD, then select Azure AD app and attribute filtering. You will then get two additional pages in the wizard.

For more information about password synchronization, see Implement password synchronization with Azure Active Directory Sync

 

Azure AD appsIf you want to limit which attributes to synchronize to Azure AD, then start by selecting which services you are using, If you configure this page, any new service has to be selected explicitly by re-running the installation guide.

 

Azure AD attributesBased on the services selected in the previous step, this page will show all attributes which will be synchronized. This list is a combination of all object types being synchronized. If there are some particular attributes you need to not synchronize, you can unselect those. In the picture above the extensionAttributes and homePhone has been unselected and will not synchronize to Azure AD.

 

Ready to configureThis page provides you with summary of your configuration. You should carefully review this summary before you proceed with the next page.If this step fails with an “Unable to communicate with the Windows Azure Active Directory service” error and you have a proxy server configured, you should add proxy settings to the “machine.config” file of your Azure AD Sync computer.
For more details, see <proxy> Element (Network Settings).

 

FinishedA default configuration has now been created and if you are ready to start synchronizing, then click Finish.
If you need to make some additional configuration before you start synchronization, then unselect the Synchronize now checkbox before you click Finish. This will create a disabled task in task scheduler. When you are done with your configuration, start the periodic synchronization by enabling this task.

 

 

After completing uncheck the synchronize now option.

Run a full Sync using C:Program FilesMicrosoft Azure AD SyncBin>DirectorySyncClientCmd.exe initial

Sync Successful

Azure AD Full Synchronization

We’ve a utility called DirectorySyncClientCmd.exe which executes the sequence of actions to synchronize on prem identities with office 365.

To run a full synchronization browse to “C:Program FilesMicrosoft Azure AD SyncBinDirectorySyncClientCmd.exe initial

It’s recommended that you perform a full synchronization after making a major change in your Azure AD Sync configuration like enabling password synchronization for user.

Azure AD Delta Synchronization

To perform the delta synchronization with Office 365, we need the same executable to perform delta synchronization of users from on prem to office 365. By default Azure AD Sync tool performs delta sync after every 3 hours. Later in this article we’ll learn on how we can change the default sync time of the tool.

C:Program FilesMicrosoft Azure AD SyncBinDirectorySyncClientCmd.exe delta

Important Monitoring  Event viewer ID  from Azure ADSync server

ADSYnc

Here Event ID 31005 onboarding completed means success

Another event ID -656 which is for the user password change request

Another event ID – 31007, this is for the Change password Success

Another event ID- 31002, this is for the password reset success.

After the Success configuration we need to  configure in Azure AD Portal

Login to Azure AD Portal you should have Enterprise mobility suite for enabling the Password reset option.

Azure Active Directory editions

Microsft tech net Blog

Azure Active Directory is a service that provides comprehensive identity and access management capabilities in the cloud. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. For more information, see this video.

Built on top of a large set of free capabilities in Microsoft Azure Active Directory, Azure Active Directory Premium and Basic editions provide a set of more advanced features to empower enterprises with more demanding identity and access management needs. For the pricing options for these editions, see Azure Active Directory Pricing. When you subscribe to Azure, you get your choice of the following free and paid editions of Azure Active Directory:

  • Free – With the Free edition of Azure Active Directory, you can manage user accounts, synchronize with on-premises directories, get single sign on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, and more.
  • Basic – Azure Active Directory Basic edition provides application access and self-service identity management requirements for task workers with cloud-first needs. With the Basic edition of Azure Active Directory, you get all the capabilities that Azure Active Directory Free has to offer, plus group-based access management, self-service password reset for cloud applications, Azure Active Directory application proxy (to publish on-premises web applications using Azure Active Directory), customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime.An administrator with Azure Active Directory Basic edition can also activate an Azure Active Directory Premium trial.
  • Premium – With the Premium edition of Azure Active Directory, you get all of the capabilities that he Azure Active Directory Free and Basic editions have to offer, plus additional feature-rich enterprise-level identity management capabilities explained below.

Azure Active Directory Premium and Azure Active Directory Basic are not currently supported in China. Please contact us at the Azure Active Directory Forum for more

Azure Active Directory editions

Published: November 21, 2013

Updated: May 5, 2015

Applies To: Azure, Azure Active Directory, Office 365

Azure Active Directory is a service that provides comprehensive identity and access management capabilities in the cloud. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. For more information, see this video.

Built on top of a large set of free capabilities in Microsoft Azure Active Directory, Azure Active Directory Premium and Basic editions provide a set of more advanced features to empower enterprises with more demanding identity and access management needs. For the pricing options for these editions, see Azure Active Directory Pricing. When you subscribe to Azure, you get your choice of the following free and paid editions of Azure Active Directory:

  • Free – With the Free edition of Azure Active Directory, you can manage user accounts, synchronize with on-premises directories, get single sign on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, and more.
  • Basic – Azure Active Directory Basic edition provides application access and self-service identity management requirements for task workers with cloud-first needs. With the Basic edition of Azure Active Directory, you get all the capabilities that Azure Active Directory Free has to offer, plus group-based access management, self-service password reset for cloud applications, Azure Active Directory application proxy (to publish on-premises web applications using Azure Active Directory), customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime.An administrator with Azure Active Directory Basic edition can also activate an Azure Active Directory Premium trial.
  • Premium – With the Premium edition of Azure Active Directory, you get all of the capabilities that he Azure Active Directory Free and Basic editions have to offer, plus additional feature-rich enterprise-level identity management capabilities explained below.

To sign up and start using Active Directory Premium today, see Getting started with Azure Active Directory Premium.

noteNote
Azure Active Directory Premium and Azure Active Directory Basic are not currently supported in China. Please contact us at the Azure Active Directory Forum for more information.

Active Directory Basic edition is a paid offering of Azure Active Directory and includes all of the features of the Free edition plus the following features:

  • Company branding – To make the end user experience even better, you can add your company logo and color schemes to your organization’s Sign In and Access Panel pages. Once you’ve added your logo, you also have the option to add localized versions of the logo for different languages and locales.For more information, see Add company branding to your Sign In and Access Panel pages.
  • Group-based application access – Use groups to provision users and assign user access in bulk to thousands of SaaS applications. These groups can either be created solely in the cloud or you can leverage existing groups that have been synced in from your on-premises Active Directory.For more information, see Assign access for a group to a SaaS application in Azure AD.
  • Self-service password reset – Azure has always allowed directory administrators to reset passwords. With Azure Active Directory Basic, you can now reduce helpdesk calls when your users forget a password by giving all users in your directory the capability to reset their password, using the same sign in experience they have for Office 365.For more information, see Password Management in Azure AD.
  • Enterprise SLA of 99.9% – We guarantee at least 99.9% availability of the Azure Active Directory Basic service.
  • Azure Active Directory Application Proxy – Give your employees secure access to on-premises applications like SharePoint and Exchange/OWA from the cloud using Azure Active Directory.

Active Directory Premium edition is a paid offering of Azure Active Directory and includes all of the features of the Free and Basic editions plus the following features:

  • Self-service group management – Azure Active Directory Premium simplifies day-to-day administration of groups by enabling users to create groups, request access to other groups, delegate group ownership so others can approve requests and maintain their group’s memberships.For more information, see Self-service group management for users in Azure AD.
  • Advanced security reports and alerts – Monitor and protect access to your cloud applications by viewing detailed logs showing more advanced anomalies and inconsistent access pattern reports. Advanced reports are machine learning-based and can help you gain new insights to improve access security and respond to potential threats.For more information, see View your access and usage reports.
  • Multi-Factor Authentication – Multi-Factor Authentication is now included with Premium and can help you to secure access to on-premises applications (VPN, RADIUS, etc.), Azure, Microsoft Online Services like Office 365 and Dynamics CRM Online, and thousands of Non-MS Cloud services preintegrated with Azure Active Directory. Simply enable Multi-Factor Authentication for Azure Active Directory identities, and users will be prompted to set up additional verification the next time they sign in.For more information, see Adding Multi-Factor Authentication to Azure Active Directory.
  • Microsoft Identity Manager (MIM) – Premium comes with the option to grant rights to use a MIM server (and CALs) in your on-premises network to support any combination of Hybrid Identity solutions. This is a great option if you have a variation of on-premises directories and databases that you want to sync directly to Azure Active Directory. There is no limit on the number of FIM servers you can use, however, MIM CALs are granted based on the allocation of an Azure Active Directory premium user license.For more information, see Deploy MIM 2010 R2.
  • Enterprise SLA of 99.9% – We guarantee at least 99.9% availability of the Azure Active Directory Premium service.For more information, see Active Directory Premium SLA.
  • Password reset with write-back – self-service password reset can be written back to on-premises directories.

Azure Active Directory Basic and Azure Active Directory Premium have more advanced capabilities to help streamline enterprise-level administrative tasks and make an administrator’s life easier. The following table describes common admin benefits and how signing up for Azure Active Directory Basic or Azure Active Directory Premium help simplify them.

Features Free edition Basic edition Premium edition
Common features Directory as a service        Checklist
Up to 500K objects1
        Checklist
No object limit
        Checklist
No object limit
User and group management using UI or Windows PowerShell cmdlets        Checklist         Checklist         Checklist
Device registration        Checklist         Checklist         Checklist
Access Panel portal for SSO-based user access to SaaS and custom applications        Checklist
Up to 10 apps per user2
       Checklist
Up to 10 apps per user2
        Checklist
No app limit
User-based application access management and provisioning        Checklist         Checklist         Checklist
Self-service password change for cloud users        Checklist         Checklist         Checklist
Directory synchronization tool – For syncing between on-premises Active Directory and Azure Active Directory        Checklist         Checklist         Checklist
Standard security reports        Checklist         Checklist         Checklist
Premium and Basic features High availability SLA uptime (99.9%)         Checklist         Checklist
Group-based application access management and provisioning         Checklist         Checklist
Customization of company logo and colors to the Sign In and Access Panel pages         Checklist         Checklist
Self-service password reset for cloud users         Checklist         Checklist
Application Proxy: Secure Remote Access and SSO to on-premises web applications         Checklist         Checklist
Premium-only feature Self-service group management for cloud users         Checklist
Self-service password reset with on-premises write-back         Checklist
Microsoft Identity Manager (MIM) server licenses – For syncing between on-premises databases and/or directories and Azure Active Directory         Checklist
Advanced anomaly security reports (machine learning-based)         Checklist
Cloud app discovery         Checklist
Advanced application usage reporting         Checklist
Multi-Factor Authentication service for cloud users         Checklist
Multi-Factor Authentication server for on-premises users         Checklist

1 The 500k object limit does not apply for Office 365, Windows Intune or any other Microsoft online service that relies on Azure Active Directory for directory services.

2 With Azure Active Directory Free and Azure Active Directory Basic, end users who have been assigned access to each SaaS app, can see up to 10 apps in their Access Panel and get SSO access to them (assuming they have first been configured with SSO by the admin). Admins can configure SSO and assign user access to as many SaaS apps as they want with Free, however end users will only see 10 apps in their Access Panel at a time.

The following features are currently in public preview and will be added soon:

  • Administrative units: a new Azure Active Directory container of resources that can be used for delegating administrative permissions over subsets of users and applying policies to a subset of users.
  • Add your own SaaS applications to Azure Active Directory.
  • Azure Active Directory Connect Health: monitor the health of your on premises Active Directory infrastructure and get usage analytics.
  • Password rollover for Facebook, Twitter, and LinkedIn. For more information, read this article.
  • Dynamic group membership. For more information, see this article.
  • Conditional Access: Multifactor Authentication per application.
  • HR application integration: Workday
  • Privileged Identity Management: Privileged identity management provides improved oversight to help meet service level agreements and regulatory compliance requirements.
  • Self-service application requests: Administrators can provide a list of SaaS apps to users from which so that users can choose the ones they want to use, and the apps either will be available immediately or after approval.
  • Azure reporting API: data for every security report of Azure Active Directory will be available to other monitoring or SIEM tools.

To configure user password reset policy, complete the following steps:

  1. Open a browser of your choice and go to the Azure Management Portal.
  2. In the Azure Management Portal, find the Active Directory extension on the navigation bar on the left hand side.password reset for users
  3. Under the Directory tab, click the directory in which you want to configure the user password reset policy, for example, Wingtip Toys.password reset for users
  4. Click the Configure tab.password reset for users
  5. Under the Configure tab, scroll down to the user password reset policy section. This is where you configure every aspect of user password reset policy for a given directory. This policy applies only to end users in your organization, not administrators. For security reasons, Microsoft controls the password reset policy for administrators. If you do not see this section, make sure that you have signed up for the Azure Active Directory Premium and Basic and assigned a license to the administrator account that is configuring this feature.password reset for users
  6. To configure the user password reset policy, slide the users enabled for password reset toggle to the yes setting. This reveals several more controls which enable you to configure how this feature works in your directory. Feel free to customize password reset as you see fit. If you’d like to learn more about what each of the password reset policy controls does, please see Self-service password reset in Azure AD: how to customize password reset to meet your needs.password reset for users
  7. After configuring user password reset policy as desired for your tenant, click the Save button at the bottom of the screen.
    noteNote
    A two challenge user password reset policy is recommended so that you can see how the functionality works in the most complex case.

    password reset for users

You have several options on how to specify data for users in your organization to be used for password reset.

  • Edit users in the Azure Management Portal or the Office 365 Management Portal
  • Use AADSync to synchronize user properties into Azure AD from an on-premises Active Directory domain
  • Use Windows PowerShell to edit user properties
  • Allow users to register their own data by guiding them to the registration portal at http://aka.ms/ssprsetup
  • Require users to register for password reset when they sign in to the Access Panel at http://myapps.microsoft.com by setting the Require users to register SSPR configuration option to Yes.

The following table outlines where and how this data is used during password reset and is designed to help you decide which of the above methods you want to use. This table also shows any formatting requirements for cases where you are providing data on behalf of users from input paths that do not validate this data.

  1. In order to use the password reset registration portal, you must provide the users in your organization with a link to this page (http://aka.ms/ssprsetup) or turn on the option to require users to register automatically. Once they click this link, they are asked to sign in with their organizational account. After doing so, they see the following page:password reset for users
  2. Here, users can provide and verify their mobile phone or alternate email address. This is what verifying a mobile phone looks like.password reset for users
  3. After a user specifies this information, the page will update to indicate that the information is valid (it has been obfuscated below). By clicking the finish or cancel buttons, the user will be brought to the Access Panel.password reset for users
  4. Once a user verifies both of these pieces of information, his or her profile will be updated with the data he or she provided. In this example, the Office Phone number has been specified manually, so the user can also use that as a contact method for resetting his or her password.password reset for users

Now that you’ve configured a user reset policy and specified contact details for your user, this user can perform a self-service password reset.

  1. If you go to a site like portal.microsoftonline.com, you’ll see a login screen like the below. Click the “can’t access your account” link to test the password reset UI.password reset for users
  2. After clicking “can’t access your account”, you are brought to a new page which will ask for a user ID for which you wish to reset a password. Enter your test user ID here, pass the captcha, and click “next”.password reset for users
  3. Since the user has specified an office phone, mobile phone, and alternate email in this case, you see that he has been given all of those as options to pass the first challenge.password reset for users
  4. In this case, choose to call the office phone first. Note that when selecting a phone-based method, users will be asked to verify their phone number before they can reset their passwords. This is to prevent malicious individuals from spamming phone numbers of users in your organization.password reset for users
  5. Once the user confirms their phone number, clicking call wall cause a spinner to appear and his or her phone to ring. A message will play once he or she picks up your phone indicating that the user should press “#” to verify his or her account. Pressing this key will automatically verify that the user possesses the first challenge and advance the UI to the second verification step.password reset for users
  6. Once you’ve passed the first challenge, the UI is automatically updated to remove it from the list of choices the user has. In this case, because you used your Office Phone first, only Mobile Phone and Alternate Email remain as valid options to use as the challenge for the second verification step. Click on the Email my alternate email option. After you have done that, pressing email will email the alternate email on file.password reset for users
  7. Here is a sample of an email that users will see – notice the tenant branding:password reset for users
  8. Once the email arrives, the page will update, and you’ll be able to enter the verification found in the email in the input box shown below. After a proper code is entered, the next button lights up, and you are able to pass through the second verification step.password reset for users
  9. Once you’ve met the requirements of the organizational policy, you are allowed to choose a new password. The password is validated based it meets AAD “strong” password requirements (Password policy in Azure AD), and a strength validator appears to indicate to the user whether the password entered meets that policy.password reset for users
  10. Once you provide matching passwords that meet the organizational policy, your password is reset and you can log in with your new password immediately.password reset for users

To reset the password use direct link

https://passwordreset.microsoftonline.com

Blogs followed

Self-service password reset in Azure AD: how to customize password reset to meet your needs

Directory Integration Tools

FAQ/Troubleshooting for Azure AD password management

Self-service password reset in Azure AD: how to enable, configure, and test self-service password reset

Password writeback: how to configure Azure AD to manage on-premises passwords

FAQ/Troubleshooting for Azure AD password management

Self-service password reset in Azure AD: deployment and management best practices

 

 

 

 

 

 

 

 

 

Advertisements