WEBVTT

0:00:02.880000 --> 0:00:08.900000
In this video, we're going to take a look at self-service password reset.

0:00:08.900000 --> 0:00:12.320000
Now I'm going to assume that most people are pretty familiar with self

0:00:12.320000 --> 0:00:14.280000
-service password reset.

0:00:14.280000 --> 0:00:24.360000
It is a pretty simple and really self-defining concept, self-explaining

0:00:24.360000 --> 0:00:28.980000
concept. And the idea is that somebody has forgotten their password, you

0:00:28.980000 --> 0:00:32.140000
have forgotten your password, and you want a secure way of resetting

0:00:32.140000 --> 0:00:35.520000
that password without having to contact a system administrator.

0:00:35.520000 --> 0:00:38.640000
And that's really what self-service password reset does.

0:00:38.640000 --> 0:00:42.160000
Now let's take a look at the topics that we're going to cover.

0:00:42.160000 --> 0:00:46.340000
We're going to take a look at the basic self-service password reset concepts

0:00:46.340000 --> 0:00:48.880000
within Azure AD.

0:00:48.880000 --> 0:00:52.840000
And then I'm just going to demonstrate the configuration and implementation

0:00:52.840000 --> 0:00:56.340000
of self-service password reset.

0:00:56.340000 --> 0:01:01.680000
Let's dive right into some concepts.

0:01:01.680000 --> 0:01:03.060000
Pretty straightforward.

0:01:03.060000 --> 0:01:05.800000
First thing, we want to understand the licensing.

0:01:05.800000 --> 0:01:11.080000
Self-service password reset is available pretty much for any licensing

0:01:11.080000 --> 0:01:14.160000
level of Azure AD other than free.

0:01:14.160000 --> 0:01:20.940000
So Basic, Premium P1, Premium P2, and also Office 365 Business.

0:01:20.940000 --> 0:01:26.200000
Now, if you're going to use self-service password reset with write back,

0:01:26.200000 --> 0:01:31.660000
then you need at least Azure AD Premium P1.

0:01:31.660000 --> 0:01:36.300000
Obviously P2 will work as well, Office 365 Business.

0:01:36.300000 --> 0:01:39.920000
So just make sure that you've got the licensing to implement this the

0:01:39.920000 --> 0:01:41.920000
way that you wish.

0:01:41.920000 --> 0:01:43.620000
Now the options.

0:01:43.620000 --> 0:01:46.120000
So I want to reset my password.

0:01:46.120000 --> 0:01:48.520000
It's not going to just assume that I am who I am.

0:01:48.520000 --> 0:01:52.900000
I need some way of presenting my credentials.

0:01:52.900000 --> 0:01:55.540000
And these are the different ways that you can do it.

0:01:55.540000 --> 0:01:56.900000
There's mobile apps.

0:01:56.900000 --> 0:02:01.400000
There's the Microsoft Authenticator app, which is cross-platform.

0:02:01.400000 --> 0:02:03.680000
You can also get a notification.

0:02:03.680000 --> 0:02:05.860000
You can, as you see, you can have an email.

0:02:05.860000 --> 0:02:07.460000
You can get a mobile phone.

0:02:07.460000 --> 0:02:09.400000
You can get an office phone.

0:02:09.400000 --> 0:02:12.080000
You can also have security questions.

0:02:12.080000 --> 0:02:20.020000
Now you'll notice that the mobile phone and office phone have an asterisk.

0:02:20.020000 --> 0:02:26.220000
They're not available if you have an Azure free or trial account.

0:02:26.220000 --> 0:02:32.860000
Now policies, now it shows up there, policies, there's something called

0:02:32.860000 --> 0:02:36.820000
a two-gate policy for administrator roles.

0:02:36.820000 --> 0:02:43.600000
And what that means is that you have to have two different really forms

0:02:43.600000 --> 0:02:50.360000
of identification and you can't have phone calls as one of them.

0:02:50.360000 --> 0:02:54.500000
And the cloud user accounts are really all the standard account options.

0:02:54.500000 --> 0:02:57.220000
So it's really not so much a policy there.

0:02:57.220000 --> 0:03:05.100000
Let's go ahead and take a look at implementing self-service password reset.

0:03:05.100000 --> 0:03:14.200000
I am in the Azure AD tenant blade for my AZ300.2 tenant.

0:03:14.200000 --> 0:03:16.820000
And you can see I've already navigated to the password reset.

0:03:16.820000 --> 0:03:19.000000
I probably should go back for a moment.

0:03:19.000000 --> 0:03:24.560000
I can simply go to password reset and then I come up here and I can set.

0:03:24.560000 --> 0:03:27.020000
Right now I'm not allowing any password reset.

0:03:27.020000 --> 0:03:29.740000
What I'm going to do is I'm going to allow everyone.

0:03:29.740000 --> 0:03:33.160000
You obviously can select particular groups.

0:03:33.160000 --> 0:03:35.120000
We'll go ahead and say everybody.

0:03:35.120000 --> 0:03:36.620000
And I'm going to save that.

0:03:36.620000 --> 0:03:41.160000
Now what I need to do is I need to go ahead and set up my authentication

0:03:41.160000 --> 0:03:50.540000
methods. So how many methods are going to be required to reset the password?

0:03:50.540000 --> 0:03:51.860000
I can choose one or two.

0:03:51.860000 --> 0:03:57.220000
And then I have the options of which ones I'm going to allow.

0:03:57.220000 --> 0:04:03.620000
We'll have a mobile app, email, mobile phone, and security questions.

0:04:03.620000 --> 0:04:07.420000
Now if you have security questions, users are going to have to supply

0:04:07.420000 --> 0:04:10.500000
between three and five questions and they're going to have to answer between

0:04:10.500000 --> 0:04:12.100000
three and five questions.

0:04:12.100000 --> 0:04:14.400000
And you can see how that's set up.

0:04:14.400000 --> 0:04:17.200000
Now the security questions you use are up to you.

0:04:17.200000 --> 0:04:21.960000
You can create your own custom security questions or I can go with predefined

0:04:21.960000 --> 0:04:22.800000
security questions.

0:04:22.800000 --> 0:04:29.620000
And I'm going to go with these five carefully selected security questions.

0:04:29.620000 --> 0:04:31.880000
And there we go.

0:04:31.880000 --> 0:04:36.280000
I've got my security questions and now I'm going to just hit OK.

0:04:36.280000 --> 0:04:40.560000
That's set up. Next thing that I want to do is I'm going to go ahead.

0:04:40.560000 --> 0:04:41.900000
Oh, I need to save that.

0:04:41.900000 --> 0:04:44.680000
Good thing it told me to save those changes.

0:04:44.680000 --> 0:04:46.580000
That is kind of important.

0:04:46.580000 --> 0:04:53.340000
All right. Now the next thing that I want to do is define registration.

0:04:53.340000 --> 0:04:56.220000
All right. Require users to register when signing in.

0:04:56.220000 --> 0:04:57.080000
I can require that.

0:04:57.080000 --> 0:05:01.700000
If I require that, what that means is that you basically have to set up

0:05:01.700000 --> 0:05:03.860000
your self-service password reset.

0:05:03.860000 --> 0:05:05.480000
And I'll go ahead and leave that.

0:05:05.480000 --> 0:05:09.640000
Notifications. I can notify users when their password is reset.

0:05:09.640000 --> 0:05:10.700000
That's a good idea.

0:05:10.700000 --> 0:05:15.860000
I can also notify all admins when another admin resets their password.

0:05:15.860000 --> 0:05:17.980000
Also a good idea.

0:05:17.980000 --> 0:05:20.800000
I can go to customization.

0:05:20.800000 --> 0:05:23.900000
Now there's not massive customization, but I can put in a custom help

0:05:23.900000 --> 0:05:25.860000
desk link. And that could be very useful.

0:05:25.860000 --> 0:05:27.380000
Somebody's really not sure what they're doing.

0:05:27.380000 --> 0:05:28.120000
They click that.

0:05:28.120000 --> 0:05:29.400000
They just need help.

0:05:29.400000 --> 0:05:32.540000
You could always give them a link into your help desk system.

0:05:32.540000 --> 0:05:37.560000
And finally, on-premises integration, which is going to tell me that I

0:05:37.560000 --> 0:05:40.780000
don't have write back right now because I did not turn that on.

0:05:40.780000 --> 0:05:43.080000
In fact, I don't have an on-prem system.

0:05:43.080000 --> 0:05:48.260000
But if I did, I could allow write back.

0:05:48.260000 --> 0:05:51.560000
So if someone resets their password in Azure AD, that's going to reset

0:05:51.560000 --> 0:05:56.520000
their password back in Active Directory on-premises, which is actually

0:05:56.520000 --> 0:05:59.800000
really pretty cool because there's no built-in password reset.

0:05:59.800000 --> 0:06:03.860000
Self-service password reset capability built in to Azure AD.

0:06:03.860000 --> 0:06:07.500000
And this would allow you to really affect that not only for cloud applications,

0:06:07.500000 --> 0:06:10.560000
but also for on-prem.

0:06:10.560000 --> 0:06:13.780000
So that is the password reset.

0:06:13.780000 --> 0:06:16.500000
It's set up and I'm allowing anyone to use it.

0:06:16.500000 --> 0:06:21.800000
So what I'm going to do is I am going to go ahead and open up another

0:06:21.800000 --> 0:06:26.260000
window. And I'm going to log in as one of my users.

0:06:26.260000 --> 0:06:32.380000
I'm going to go to myapps.microsoft.com, which is really my portal into

0:06:32.380000 --> 0:06:38.500000
all of my applications that are associated with Azure AD.

0:06:38.500000 --> 0:06:40.960000
And I'm going to log in as one of my users.

0:06:40.960000 --> 0:06:43.080000
Let's go in as Bob.

0:06:43.080000 --> 0:06:53.240000
And Bob should be in.

0:06:53.240000 --> 0:07:02.560000
And now what I'm going to do, not there, here.

0:07:02.560000 --> 0:07:06.300000
Go under Bob and I'm going to go to profile.

0:07:06.300000 --> 0:07:13.340000
And under profile, I am going to set up self-service password reset.

0:07:13.340000 --> 0:07:15.660000
Notice I can also change the password.

0:07:15.660000 --> 0:07:18.940000
Those are two completely different options; changing the password is available

0:07:18.940000 --> 0:07:23.840000
for all license tiers, including free within Azure AD.

0:07:23.840000 --> 0:07:27.620000
But again, self-service password reset is not available for the free version

0:07:27.620000 --> 0:07:32.600000
of Azure AD. All right, so now it's telling me, okay, you want to set

0:07:32.600000 --> 0:07:34.300000
this up. Clearly you don't have it set up.

0:07:34.300000 --> 0:07:36.840000
So I need to set up an authentication phone.

0:07:36.840000 --> 0:07:38.720000
So I'll set that up.

0:07:38.720000 --> 0:07:50.540000
Please don't spam my phone.

0:07:50.540000 --> 0:07:54.960000
And it's texting me.

0:07:54.960000 --> 0:07:58.940000
At this point, I'm really just going through the process of waiting for

0:07:58.940000 --> 0:08:02.940000
this to come through on my, hopefully it's going to come through on my

0:08:02.940000 --> 0:08:06.280000
watch. That's just kind of fun.

0:08:06.280000 --> 0:08:14.540000
There we go. 992.

0:08:14.540000 --> 0:08:17.680000
505. Verify that.

0:08:17.680000 --> 0:08:25.800000
All right, and then I have to set up an email.

0:08:25.800000 --> 0:08:36.160000
To my email. Again, please don't spam me.

0:08:36.160000 --> 0:08:44.940000
You're welcome to send questions, but now I need to get that.

0:08:44.940000 --> 0:08:49.580000
Already came in here.

0:08:49.580000 --> 0:08:59.220000
780. Verify that.

0:08:59.220000 --> 0:09:02.080000
And now I need my security questions.

0:09:02.080000 --> 0:09:05.420000
All right, so security question one.

0:09:05.420000 --> 0:09:11.680000
City that I met my spouse, we'll say city because otherwise I won't remember

0:09:11.680000 --> 0:09:17.180000
these things. Actually, we'll say spouse.

0:09:17.180000 --> 0:09:21.420000
And we'll say parents.

0:09:21.420000 --> 0:09:37.820000
Very sneaky siblings questions or answers I have here.

0:09:37.820000 --> 0:09:41.700000
Father. And job.

0:09:41.700000 --> 0:09:45.920000
And I'm going to save the answers.

0:09:45.920000 --> 0:09:55.140000
And I am now ready for self-service password reset.

0:09:55.140000 --> 0:09:59.560000
All right, and let's go ahead and I'm going to actually close this out

0:09:59.560000 --> 0:10:03.340000
and we'll just open it back up and head back in there.

0:10:03.340000 --> 0:10:17.100000
Bob again. There's a little bit of latency on my end right now.

0:10:17.100000 --> 0:10:23.160000
Go with Bob at hyney.com.

0:10:23.160000 --> 0:10:31.700000
And notice down here I can go, oh, I forgot my password.

0:10:31.700000 --> 0:10:35.440000
Okay, and it's going to ask me for my user ID here.

0:10:35.440000 --> 0:10:41.220000
So this is now the user experience.

0:10:41.220000 --> 0:10:54.360000
Oh, good grief. I hate these things.

0:10:54.360000 --> 0:10:58.920000
I'm glad the third letter is a D.

0:10:58.920000 --> 0:11:05.080000
All right, so here are my options.

0:11:05.080000 --> 0:11:06.640000
I can email. I can send a text.

0:11:06.640000 --> 0:11:08.860000
I can answer my security questions.

0:11:08.860000 --> 0:11:12.380000
I'm going to just text my mobile phone.

0:11:12.380000 --> 0:11:15.620000
Now I have to match the mobile phone.

0:11:15.620000 --> 0:11:26.320000
Send that. And wait for my verification code.

0:11:26.320000 --> 0:11:40.060000
And there it goes.

0:11:40.060000 --> 0:11:54.180000
And now I can enter a new password.

0:11:54.180000 --> 0:11:59.440000
So I've now fully configured and implemented and seen the user experience

0:11:59.440000 --> 0:12:03.220000
for the password reset.

0:12:03.220000 --> 0:12:05.260000
So again, sorry, that took a little while.

0:12:05.260000 --> 0:12:07.520000
There's a little bit of latency there.

0:12:07.520000 --> 0:12:09.160000
Normally you don't see that.

0:12:09.160000 --> 0:12:11.000000
But you get the idea.

0:12:11.000000 --> 0:12:12.540000
Very easy to set up.

0:12:12.540000 --> 0:12:16.080000
Very easy as a user to implement.

0:12:16.080000 --> 0:12:20.420000
Key things here, of course, you're going to need to define what you require

0:12:20.420000 --> 0:12:23.000000
to have a truly secure process.

0:12:23.000000 --> 0:12:28.780000
And remember, you can also limit this as to who can implement this.

0:12:28.780000 --> 0:12:30.900000
You don't have to make it all or nothing.

0:12:30.900000 --> 0:12:33.800000
You can choose groups that can implement this.

0:12:33.800000 --> 0:12:35.180000
But a really nice feature.

0:12:35.180000 --> 0:12:38.040000
If it fits into your overall architecture, you can see it's pretty easy