Using AD FS To Change Your AD Password Anywhere, Anytime
One of the really annoying things about passwords is that you have to remember them. If you can’t remember your password at a SaaS provider, it’s pretty straightforward: you click on the “forgot password” link and go through the password recovery process. As is often the case, however, the corporate world is more complicated. If you have a hybrid environment where you use AD FS (Active Directory Federation Services) to provide single sign on to Azure AD for your organization, there’s a AD FS feature that will solve one of the most common scenarios: The user knows their password and must change it before they can do anything else.
Know a password, change a password
When would this happen? Usually, this is the “onboarding” scenario where a new hire is given their new corporate credentials with a temporary password they must change when they first logon. Until they change their password, they won’t be able to access any corporate resources.
This is a frequent occurrence in retail, where employee turnover is high and often has seasonal bursts of hiring. For the worker sitting at a domain-joined workstation on the corporate network, it’s no big deal as the password update process is integrated into the Windows client OS. But this domain joined workstation scenario often doesn’t apply; employees must share a kiosk-type machine in the stock room to update their password or view corporate resources, or there may be no workstation at all.
This is where web-based services really shine. An employee doesn’t need a domain joined machine; with a properly designed hybrid architecture that has both traditional domain joined resources and web resources underpinned by Azure AD, these mobile employees can change their password and work with HR and benefits sites using their own mobile devices.
Password change vs. password reset
But it’s important to distinguish password change from password reset. Password reset allows the user to change their password when they don’t know it. How does that work? It requires that the user enter supplemental information (mobile phone, alternate email, security questions) to prove their identity. But before they can go through this registration process, they must have successfully proved their identity at least once by logging in with their userid and password. The Achilles heel of password reset is that the user must be proactive: If they haven’t registered ahead of time, the password reset process won’t work. And they can’t register if they only have a temporary password.
So: the new employee needs to change their temporary password. They don’t have access to a domain joined workstation. And they can’t use password reset because they can’t yet register. How can they update their password and get going?
AD FS 3.0 has the capability to allow the user to change their password when they supply their existing password. To enable this, open the AD FS management console, expand Service, and select Endpoints. In the middle pane, you’ll see a long list of endpoints. Scroll down to the Other section, and select /adfs/portal/updatepassword/. Right click on it, and choose enable (i.e. for intranet users). This will enable users on the corporate network to use the AD FS forms-based login to change their password. I don’t think this is especially useful, because the vast majority of users on the corporate network that need to change their password will probably be on domain-joined workstations. (Remember that most mobile devices will be on a public wireless network, even inside the company.) It certainly can’t hurt to have this internal capability enabled, however.
Right click on updatedpassword a second time, and select enable on proxy (i.e. for external users).
This will allow external users – which includes mobile device users on the company public network – to change their password at the external Web Application Proxy-hosted AD FS forms-based login page (below):
Note that you must restart the AD FS service for this to take effect. If it doesn’t work, try restarting the service again; I had to do it twice.
The ability to update your password from a web page is a great feature, and it’s so easy to implement Here’s Sam Devasahayam’s (also known as @MrADFS) original post on the topic.