I was happy to notice this new feature in the Windows 10 Insider Preview: recovering your PIN and password from the lock screen.
Recover your pin and password from the lock screen: Self Service solutions empower end users, unburden helpdesk/IT admins, and save organizations money. Cloud Self Service Password Reset (Cloud SSPR) has been a really popular Azure AD Premium (AADP) feature and now we want to take this great capability one step further – Windows Integration. If you’re using an AADP or MSA account and you find yourself stuck at the login screen, you can now reset your password and PIN straight from here. Just click the “Reset password” (for password) / ”I forgot my PIN” (for PIN) link and you’ll be prompted to go through the AAD or MSA flow to reset it. Once reset, you’ll be returned to the login screen where you can login with your newly minted credentials.
In my last post "First step into Cloud", I registered for Enterprise Mobility + Security E5, so I can now test Azure AD self-service password reset with the Windows 10 Insider Preview.
Microsoft's detailed documentation can be found at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-overview
Set up Azure AD Sync
Details: follow https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-select-installation
- Add your domain in the Azure portal or the Office portal
- Install one server to run Azure AD Connect, and join it to the domain.
- Create an AD user account for Azure AD Sync.
- Install Azure AD Connect using express settings. Open Azure AD Connect again and enable password writeback.
- Create an AD group named Self-service Password Reset, and add some test users to the group
- Sync the AD group to Azure
- Open https://aad.portal.azure.com
- Click Licenses
- Assign the EMS license to the Self-service Password Reset AD group.
Set up password reset
- Choose Password reset
- Set the following settings:
  - Properties: Select groups - Self-service Password Reset
  - Authentication methods: choose what suits you; in my case I set it to use phone and email
  - Registration: Require users to register when signing in - Yes
  - Notifications: Notify users on password resets - Yes
  - Customization: choose what suits you
Add Company Branding
- Open https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/LoginTenantBrandingBlade
- Click on Configure.
- Add the elements you want to customize; they are optional
Open https://portal.office.com and log in as a user account that is a member of the Self-service Password Reset AD group; it forced me to add additional security info.
It required me to set my phone number and email.
Windows 10 lock screen page (Azure AD joined)
When clicking "I forgot my PIN":
Click "Forgot password?"
Because I had just created a new user in my test lab, and the Default Group Policy setting Minimum Password Age is set to 1 day, it didn't let me change the password.
For testing purposes, I changed the Default Group Policy setting Minimum Password Age to 0 days. After that, it let me reset my password immediately.
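The on-premises side of the setup above (the group that gets licensed and scoped, the Minimum Password Age that blocked the first reset, and the password writeback switch in Azure AD Connect) can be verified from PowerShell. This is an added example, not code from the original post: it assumes the RSAT ActiveDirectory module on a domain-joined admin machine and, for the last check, the ADSync module that Azure AD Connect installs on the connector server; the user names are constructed.

```powershell
# Added example: verify the on-prem pieces of the SSPR setup described in the post.
# Assumes RSAT ActiveDirectory module; step 3 also needs the ADSync module that
# Azure AD Connect installs. Group name is from the post; user names are constructed.
Import-Module ActiveDirectory

$groupName = 'Self-service Password Reset'
$testUsers = @('sspr.test1', 'sspr.test2')   # constructed sample accounts

# 1. Create the group that is assigned the EMS license and selected under
#    Password reset > Properties, then add the test users to it.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
foreach ($sam in $testUsers) {
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Add-ADGroupMember -Identity $groupName -Members $sam
    }
}

# 2. Read the effective Minimum Password Age. Any value above 0 blocks a reset
#    for a freshly created account, which is what the post ran into. The value
#    comes from the Default Domain Policy GPO, so change it there, not here.
$minAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
Write-Host "Minimum Password Age: $($minAge.Days) day(s)"
if ($minAge -gt [TimeSpan]::Zero) {
    Write-Warning 'New accounts cannot reset their password until this age has passed.'
} else {
    Write-Warning 'Minimum Password Age is 0: fine for a lab, but it lets users cycle passwords to defeat password history.'
}

# 3. On the Azure AD Connect server: confirm password writeback is enabled,
#    otherwise a reset done in the cloud never reaches on-prem AD.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $features = Get-ADSyncAADCompanyFeature
    if ($features.PasswordWriteBack) {
        Write-Host 'Password writeback: enabled'
    } else {
        Write-Warning 'Password writeback is disabled; re-run Azure AD Connect and enable it.'
    }
}
```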
You can also reset your password from https://passwordreset.microsoftonline.com/