Azure servicesMicrosoft Entra ID

Azure AD Self-Service password reset for Windows 7/8.1 Devices

Password resets requests are very common in any helpdesk. Azure AD self-service password reset service is allowing users to reset their passwords without IT helpdesk involvement. So far this was only supported on Windows 10 Azure AD join devices. Now with few modifications we can do the same thing with Windows 7 or Windows 8.1 devices. In this demo I am going to demonstrate how we can do self-service password reset with these non-windows 10 devices. 

This process required few prerequisites. 

1) Enable SSPR in Azure AD – We need to enable SSPR service in Azure AD first. I have explain those steps in here http://www.rebeladmin.com/2017/11/step-step-guide-reset-user-password-azure-ad-joined-windows-10-device/ 

2) Up to date Patches – Make sure the latest windows updates are applied to Windows 7/ Windows 8.1 devices. 

3) Users need to register with additional verification methods – As part enabling SSPR process, we also need to define how many methods it should use for user verifications. 

If you using multiple methods, make sure user is register with those method before use SSPR service. 

4) TLS 1.2 enabled – In Windows PC you must have TLS 1.2 enabled. It should not just set to auto negotiate. This can be done by using registry entries. 

Under HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols you will be able to see TLS 1.2 (if it is not, go ahead and create a key). under that folder there will be two sub folders called client & server. I prefer to do changes under both roles. In there we need to create a key with following values.

DisabledByDefault – DWORD value 0

5) KB 3140245 – This update is available on https://www.catalog.update.microsoft.com/search.aspx?q=kb3140245

6) Once all above steps are completed, log in to Windows 8.1 machines as administrator and download the plugin from https://aka.ms/sspraddin

7) Then double click on installation file to proceed. 

8) Once installation is done, it is ready for testing. In my demo machine, I type regular user name and then click on forgotten password option 

9) Then it opens up a new wizard, type the user id in there and click on next.

10) In next window we have to verify user identity. In my demo I am using SMS option. 

11) In next window type the code and click on next.

12) Then it is time to define new password. Type a new password and click on next

13) Now we have completed the password reset process. click on finish to exit from the wizard.

14) I go back to login screen and type the new password. as expected it allow me to log in.

Cool ha?? This marks the end of this blog post. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Process Entra ID Entitlement Management Access Package on-behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service…
Read more
Cyber SecurityMicrosoft Entra ID

Step-by-Step Guide: Configure Entra ID lifecycle workflow to use Custom Security Attributes

In my previous blog post, I explained how to use Entra ID lifecycle workflow to trigger actions…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *