support Posted April 3, 2019

Step 1: Ensure you have the prerequisites set up for your web server, as per this forum post (once-off process).

Step 2: Add a new Password Record configured as follows:

Screen 1: Ensure you configure the below 4 options correctly and enter the Azure AD password for the account. If you configure an Expiry Date, it will automatically change the password when that date is reached.

Screen 2: Select the appropriate Privileged Account. This account must have permissions to reset other accounts in Azure AD. If the user account you are resetting the password for has permissions to perform account resets in Azure AD, then you do not need to set a privileged account on this screen. See the bottom of this page for a description of the permissions required to reset passwords in Azure AD. Also confirm the Password Reset Schedule is enabled if you want the password to automatically change when the Expiry Date occurs.

Screen 3: Confirm the Validate Password for Active Directory Account validation script is selected.

Permissions: A standard user in Azure AD cannot reset their own account password using the PowerShell module Passwordstate uses. If you grant the user one of the following roles in Azure, then they will be able to reset their own password:

1. Helpdesk (Password) Administrator
2. User Administrator
3. Global Administrator

Helpdesk Administrator is the role with the least privileges; however, this will also give the user the ability to reset other Azure user passwords. If you feel these permissions are too high, then you should use a privileged account that has this Helpdesk Administrator role, and assign it on your Password record (Screen 2 above). This privileged account will perform the reset of the password on behalf of the user.

To assign the Helpdesk Administrator role in Azure AD, log into the Azure AD portal as an Administrator, select Azure Active Directory -> Roles and administrators, and open the Helpdesk (password) Administrator role. Then click Add Assignment, search for the appropriate user, and save your changes.

Regards,
Support
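As an added example (not part of the post above and not Click Studios' code), the following PowerShell script does the role assignment the post describes from the portal, but for a dedicated privileged account rather than each end user, and first lists who already holds the role so the assignment stays as narrow as possible. It assumes the AzureAD PowerShell module, which the post does not name, and the UPN `svc-pwreset@contoso.example` is a placeholder.

```powershell
# Added example: uses the AzureAD PowerShell module (an assumption; the post does not
# name the module Passwordstate uses). Run as an administrator who can manage role
# assignments, with an interactive sign-in.
Import-Module AzureAD
Connect-AzureAD

$RoleName      = 'Helpdesk Administrator'
$PrivilegedUpn = 'svc-pwreset@contoso.example'   # placeholder: dedicated privileged account

# A directory role is only listed by Get-AzureADDirectoryRole once it has been activated
# in the tenant; activate it from its template if it is not yet present.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Audit step: every member of this role can reset other users' passwords, so the list
# should be short and made up of dedicated accounts, not ordinary user accounts.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
Write-Host "Current '$RoleName' members:"
$members | Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table -AutoSize

# Assign the role to the privileged account only if it does not already hold it.
$user = Get-AzureADUser -ObjectId $PrivilegedUpn
if ($members.ObjectId -notcontains $user.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Assigned '$RoleName' to $PrivilegedUpn"
} else {
    Write-Host "$PrivilegedUpn already holds '$RoleName'"
}

# Verify the assignment before entering this account as the Privileged Account on Screen 2.
$verified = (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId).ObjectId -contains $user.ObjectId
Write-Host "Role assignment verified: $verified"
```

The membership listing before the assignment is the part worth keeping in a scheduled check: if an ordinary user account appears there, it can reset passwords for other users, which is exactly the over-privilege the post warns about.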
Thomas Posted May 15, 2020

As you can't use MFA-enabled accounts to reset passwords, we are looking for other solutions. The Microsoft documentation states "If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or use service principal authentication". Has anyone implemented the password reset and heartbeat functionality based on an AAD service principal, and can share a few details on this?
support Posted May 15, 2020

Hi Thomas,

We have not come across any customers who've been able to script resets in this manner, as MFA requires some sort of interaction to enter the OTP password. But hopefully another customer reads this and has some insights.

Regards,
Click Studios