[MUSIC]
Grace Picking: Welcome to the Azure AD Architecture Deep
Dive Series. I’m Grace Picking and I’m a Program Manager on
the Azure AD Engineering team here at Microsoft.
Oana Enache: Hello. My name is Oana Enache and I’m also a
Program Manager on the Azure AD Engineering team.
Grace: We are part of the Customer Experience Program
and we help enterprises and businesses from all over the
world to deploy our services and get to the cloud. We get a
lot of questions about how Azure AD works behind the scenes,
so we wanted to share with you the lower level details of
our architecture with this series. In this video, we are going
to cover a deep dive into self-service password reset or SSPR.
Oana: So, Grace, let's get this show on the road. What is
Self-Service Password Reset?
Grace: Self-Service Password Reset is an Azure Active Directory
feature that enables employees to reset and change their
passwords without needing to contact IT staff. Employees
must be registered for Self-Service Password Reset before
using the service. During registration, the employee chooses
one or more alternative authentication methods enabled by
their organization.
Oana: So, what happens when a user wants to reset their
password?
Grace: So, the first step is that the user will navigate to
the password reset portal by clicking the
"Can't access your account" hyperlink included in the login
screen, in the Office 365 or Azure access portal, or by
navigating to aka.ms/sspr.
Once a user has sent this request, we check a few things,
such as how should the reset page be localized? Is the user
account valid? What organization does the user belong to?
Where is the user’s password managed? And is the user
licensed to use this feature?
Once the reset workflow begins here in Step 3, the user
will have to verify ownership of their account using the
verification steps enforced by the admin. Depending on the
verification methods set, a user can then choose to reset
their password using an alternative email, a text
message, a phone number, security questions, or a
notification from the Authenticator app.
Oana: And is this the same for admin accounts?
Grace: No. Microsoft enforces a strong default two-gate
password reset policy for any Azure admin role. This policy
may be different from the one that you have defined for
your users and cannot be changed. You should always test
password reset functionality as a user with any Azure admin
roles assigned.
In Step 4, following successful completion of the authorization
and authentication request per policy, the user enters a new
password. When the new password is entered, cloud
password protection gets to work. If you haven't come
across cloud password protection before, it helps
eliminate bad passwords in your organization by allowing
admins to enforce a global or custom banned password list
that stops users from setting passwords that are easy to guess.
Oana: What is the difference between the Microsoft Banned
Password List and the Custom List?
Grace: The Microsoft Global Banned Password List is created
by multiple sources, such as real world telemetry of password
spray attacks and cannot be changed, whereas the custom
list is configured by you to fit your organization.
In Step 5, the password will go through a series of steps to
assess its overall strength to determine if it should be
accepted or rejected.
First, the password is normalized by converting all upper
case letters to lower case and performing character
substitutions, such as $ to s and @ to a. Then the
normalized terms are matched against the banned
password list and against substrings such as the username or tenant
name. Once this is complete, the password is given a
strength score based on this algorithm, and it needs
a minimum of five points to be accepted.
In Step 6, once Cloud Password Protection has deemed
that the password isn't banned, the password
can be reset. For cloud-only users, the hash of the new
password is stored in Azure Active Directory.
Oana: Having a cloud based password reset utility is
great. But most companies still have an on-prem directory
where the user exists. So, how would SSPR work for them?
Grace: If you install, configure, and enable Azure AD
Connect, then you have the option to enable password
writeback. Password writeback is a feature enabled with
Azure AD Connect that allows password changes in the cloud
to be written back to an existing on-premises directory in
real time. Password writeback is supported irrespective of
the hybrid authentication method that you have chosen.
If this is enabled in your environment, then after the
password has passed password protection, it's the turn of the
password writeback agent within your Azure Active Directory
Connect infrastructure. What it's going to do is make
an outbound connection and pick up the change request
in order to publish that back to your Active Directory domain
controller.
Of course, we need to respect that the password would
need to be evaluated against any password policies
that you might have set up on your domain controllers.
So in Step 7, the password writeback agent calls the
Win32 native API to set the password against the on-prem
AD password policy, to make sure that the new password
complies with both the cloud and the on-prem password
policies.
Oana: So, what I'm taking away is, first, Self-Service
Password Reset allows users to change their password
and leverage Azure AD Password Protection to eliminate
weak passwords in the cloud and also sync this back
on-premises. Secondly, the Azure AD Connect password
writeback agent should be treated as a critical service and the
infrastructure should be protected accordingly. Lastly, SSPR
allows you to harness the power of password protection to
modernize your password strategy in a way that is more
effective than traditional on-prem policies, all alongside
your existing policies in Active Directory.
Grace: Perfect.
Oana: So, how do you recommend organizations deploy
SSPR at scale?
Grace: It is important to get users registered quickly by
deploying SSPR alongside another application or service in
your organization, such as multi-factor authentication. We
are currently rolling out a new feature called combined
registration, which allows users to register their
authentication methods once and use them for both
multi-factor authentication and SSPR. To find out more
information about combined registration, go to
aka.ms/securityinfodocs.
Oana: This is really cool, as password management can
be a costly exercise for IT admins and can lead to a lack of
satisfaction and productivity for users. SSPR enables
employees to quickly get unblocked and continue working
no matter where they are or what time of day it is, without
having to call the help desk.
Grace: Hopefully, you are as excited as we are about
SSPR. And if you want to roll out Self-Service Password
Reset and you want to know how to deploy it, then you
can download the Azure AD deployment plans at
aka.ms/deploymentplans.
Oana: We hope you found this video useful. We will be
adding videos on different topics like authentication,
provisioning, governance, and many more. If you want to
get a copy of the diagrams we used today or want to give
us feedback and help us figure out what to cover next,
follow the link in the description.
Grace: Thanks for tuning in. Don’t forget to take a look at
the rest of the videos in this series.
[MUSIC]
