Is SSPR required for Password Writeback? - azure-active-directory

The docs seem to indicate that Self-Service Password Reset is required for password writeback, but do you need to enable SSPR for any users?
My goal is to allow logged in users to change their own passwords within AAD and then for the new password to be written back to ADDS via ADConnect.
But we don't want to enable SSPR and allow 'unauthenticated' users to change their passwords.
So I'm thinking I can just not add any users/groups to the SSPR-enabled setting but the password writeback should still work for all other users?

In contrary to what you said, Password writeback is the requirement to use SSPR. If you can provide the document you are referring, i can possibly have a look.
For the requirement that you have, you will have to enable password writeback in AD Connect and then configure SSPR. Under SSPR options, you can add a group and only members of that group would be able to reset the password.
As for the rest of the synced users in your AAD tenant, only the admin will be able to reset the password for them. The users will not be able to reset their password themselves.
Let me know if this helps.

Related

Disable Azure AD MFA Interrupt Mode for a group of users

I'm creating a set of hands-on lab users in my Azure AD for access to Azure Labs. We will reuse these user accounts (and reset the passwords after every lab session).
My challenge is that these users are being required to configure MFA. Which I THINK is called the Azure AD Interrupt Mode described here.
Is there a way to exclude these group of users from being required to set this up?
I think this can be disabled entirely by navigating to Azure AD - Default Directory - Properties - Manage Security Defaults (right at the bottom of the page) - Enable Security Defaults - set it to No.
If it's per user basis, then Navigate to Azure AD - All users - Per User MFA - this will list all the users and then you can select "n" number of them to either enable or disable MFA.
// Answering my own question and hope it helps someone.
The first and obvious step is to disable MFA. This is described in this link: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
After this, however, you may still face the interrupt wizard as shared in the screenshot of the question above. This is due to Self-Service Password Reset (SSPR) being enabled. If SSPR is enabled, then MFA is still required for them to be able to do a password reset.
Solution 1: If you want SSPR enabled, then create a Conditional Access policy requiring MFA upon sign in.
This way, MFA is only triggered when user wants to do an SSPR.
For this lab user scenario, you will still have to set-up MFA one-time for each of the users (you may use the same contact details).
Extra note: I tried setting the MFA details by bulk using PowerShell. However, it is not possible to set an MSOL user object's StrongAuthenticationUserDetails property.
Solution 2: Disable SSPR or limit to selected users using AD groups
Don't include the lab users in the selected users group. Since SSPR is not allowed for these users, the extra MFA details won't be asked of these users anymore.
Drawback: The setting is to include user groups which should have SSPR. There's no option to exclude just the lab users.
Solution 2 works for me but may not work for everyone.

How do you log into an account in Active Directory that doesn't have a password set?

I'm doing some InfoSec testing and I've discovered some accounts that don't have a password set.
I'm wondering if there is a way to can log into these accounts. I know that for these accounts, their password will be required to be reset upon login, but I'm not sure how to log in. Any ideas?
It might help if you tell us how you determined that they don't have a password set. But if that truly is the case, then there are only two possibilities:
The accounts are disabled. This might happen if the accounts are created via automation. Creating accounts has to be done in two steps: create the account (which is created disabled), then set the password and enable it. You can't enable it without setting a password.
The accounts have the ADS_UF_PASSWD_NOTREQD flag set in the userAccountControl attribute. This means the account can be enabled with no password and you can login with such an account by just not putting anything as the password. You can read more about this here if you'd like.

Not able to add new user in VSTS

I am added to project collection administrator group in VSTS. Still not able to add a new user. I am added using my official email ID i.e. Microsoft work account.
Its says
Guest users are not allowed to perform this action.
I saw the reason on this link
I believe the primary reason for this error is because when a co-admin
with Microsoft account is added to a subscription, it gets added into
the subscription AD as Guest user type.
but since it is very old thread i like to know if there is an easy way to get myself ability to add new user or basically manage VSTS on behalf of client. I hate requesting client to add a new user in team. Also he is not tech savvy so I would like suggest him a simple solution (running Powershell might be annoying for him).
You are inviting users from outside directory. The user will be able to access the account and its resources, so you need the enough permission to add new user to the AD, but you are the Guest user, so it throws Guest Users are not allowed to perform this action.
You need to contact to the corresponding user (e.g. AD admin) to add users to AD or grant the enough role and permission to you to add user to AD.
No easy way to do this, because it is related to security.

Azure Active Directory: Is Guest only for B2B?

In AAD, one could
add new Users to the same Domain
add Guests:
from other AAD Tenancies, passing through credential verification to the other Tenancy
from Microsoft Account users, passing through credential checking to live.com
But I'm noticing today although it still accepts to invite MA users, when they sign in, they are asked to create a Password.
From then on, they are shown the usual "Do you want to use your personal account or org/school account".
Is this a new change?
Should be no longer be inviting personal accounts, and stick to only inviting users within other Tenancies (so they don't get asked whether to use Pers/Work account when signing in)?
What happens when they create a company around their own email...will they be able to wrest back resolution of the credentials -- or will it always stay with the first tenant that imported a personal account!?
Thanks for help understanding how this aspect of Azure AD works.

LDAP bind as a user without password?

We have a forgot password system that allows a user to create a new password. It is going against Active Directory over LDAPS. Right now once a user goes to create a new password, we have to bind as an admin, change the password to a random string, then bind to the user account with that random string, then change the password to the one they provided. We do this because we have a password history policy of the last 5 used passwords.
This works fine now but the password history has the random strings as one of the previous passwords. Is there any way to bind with a user but without a password? The user would be authenticated before this by a security question.
I do it a different way. I create a dynamic object under the user's entry, expiring in a few days, with a generated uid attribute; send them a link containing that uid; that leads to the change password page, but logged in via a different LoginModule that sees the UID parameter, checks it, and if present and correct logs them in. In other words a kind of 'ticket' login.
The code that did the lookup bound/reconnected itself as the application itself, but that didn't actually matter because the connection for logging in is closed immediately, like all other LDAP connections in the application actually. When anything is done to the user's own entry, e.g. change password, update profile, a reconnect is done as that user using the password which I have saved in the session. When the user does anything else to LDAP it is really the application doing it so an application bind/reconnect is done as above. IOW the application itself is a user (or even several different users with different levels of permission).
Because a UID is much longer than a password, and because the entry containing it expires after a day or two, all this is rather more secure than generating a temporary password and shipping it around. The change password page could also have a security question on it if reached via the ticket login.
There are two password change operations in AD - reset and change. Reset is an administrative operation (which is what you are doing here). When you do a reset, you don't need to supply the current password. Change password is an end user operation whereby the user has to supply their current password in addition to the new password.
If you change your code to do a password reset and run in the context of a user with permissions to reset passwords, you should be good to go. If you need to honor password policy during the reset, there's a way to do this as well with a special LDAP control.

Resources