Sean Deuby

One of the really annoying things about passwords is that you have to remember them. If you can’t remember your password at a SaaS provider, it’s pretty straightforward: you click the “forgot password” link and go through the password recovery process. As is often the case, however, the corporate world is more complicated. If you have a hybrid environment where you use AD FS (Active Directory Federation Services) to provide single sign-on to Azure AD for your organization, there’s an AD FS feature that handles one of the most common scenarios: the user knows their password and must change it before they can do anything else.


Know a password, change a password

When would this happen? Usually, this is the “onboarding” scenario where a new hire is given their new corporate credentials with a temporary password they must change when they first log on. Until they change their password, they won’t be able to access any corporate resources.

This is a frequent occurrence in retail, where employee turnover is high and hiring often comes in seasonal bursts. For the worker sitting at a domain-joined workstation on the corporate network, it’s no big deal, as the password update process is integrated into the Windows client OS. But this domain-joined workstation scenario often doesn’t apply: employees must share a kiosk-type machine in the stock room to update their password or view corporate resources, or there may be no workstation at all.

This is where web-based services really shine. An employee doesn’t need a domain-joined machine; with a properly designed hybrid architecture that has both traditional domain joined resources and web resources underpinned by Azure AD, these mobile employees can change their password and work with HR and benefits sites using their own mobile devices.

Password change vs. password reset

But it’s important to distinguish password change from password reset. Password reset allows the user to set a new password when they don’t know the current one. How does that work? It requires that the user enter supplemental information (mobile phone, alternate email, security questions) to prove their identity. But before they can go through this registration process, they must have successfully proved their identity at least once by logging in with their user ID and password. The Achilles heel of password reset is that the user must be proactive: if they haven’t registered ahead of time, the password reset process won’t work. And they can’t register if they only have a temporary password.

So: the new employee needs to change their temporary password. They don’t have access to a domain-joined workstation. And they can’t use password reset because they can’t yet register. How can they update their password and get going?

AD FS 3.0 has the capability to allow the user to change their password when they supply their existing password. To enable it, open the AD FS management console, expand Service, and select Endpoints. In the middle pane, you’ll see a long list of endpoints. Scroll down to the Other section and select /adfs/portal/updatepassword/. Right-click on it and choose Enable; this enables the endpoint for intranet users, so that users on the corporate network can use the AD FS forms-based login to change their password. I don’t think this is especially useful, because the vast majority of users on the corporate network who need to change their password will probably be on domain-joined workstations. (Remember that most mobile devices will be on a public wireless network, even inside the company.) It certainly can’t hurt to have this internal capability enabled, however.

Right-click on /adfs/portal/updatepassword/ a second time, and select Enable on Proxy (i.e. for external users).

(Screenshot: the updatepassword endpoint in the AD FS management console)

This will allow external users, which includes mobile device users on the company’s public wireless network, to change their password at the external Web Application Proxy-hosted AD FS forms-based login page (below):

(Screenshot: the external AD FS forms-based login page)

Note that you must restart the AD FS service for this to take effect. If it doesn’t work, try restarting the service again; I had to do it twice.
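The same change can be made from PowerShell on the AD FS server, which is easier to script and to audit than clicking through the console. The following is an added example, not from the original post or from Microsoft’s documentation; it uses the AD FS cmdlets that ship with Windows Server 2012 R2, and the federation service hostname sts.contoso.com is a placeholder you would replace with your own. Because this endpoint accepts a username and password pair from the Internet, the example also shows the extranet soft lockout setting, which limits how many bad passwords the proxy will forward to Active Directory before it temporarily stops trying; the threshold and window values are illustrative, not a recommendation.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the primary AD FS server. Requires the ADFS module (Windows Server 2012 R2).
Import-Module ADFS

$endpoint = "/adfs/portal/updatepassword/"

# 1. Enable the endpoint for intranet users (equivalent to right-click > Enable).
Enable-AdfsEndpoint -TargetAddressPath $endpoint

# 2. Publish it through the Web Application Proxy (equivalent to Enable on Proxy).
Set-AdfsEndpoint -TargetAddressPath $endpoint -Proxy $true

# 3. Verify the endpoint state before restarting anything.
$state = Get-AdfsEndpoint -AddressPath $endpoint
if (-not ($state.Enabled -and $state.Proxy)) {
    throw "Endpoint $endpoint is not enabled on both intranet and proxy: $($state | Format-List | Out-String)"
}

# 4. Caveat: this endpoint lets anyone on the Internet submit credential guesses.
#    Extranet soft lockout (AD FS 2012 R2 with the August 2014 update) makes the
#    proxy stop forwarding password attempts to AD after N failures in the window,
#    so a spray against this page cannot lock out the real AD account.
#    Values below are illustrative; choose a threshold lower than the AD lockout threshold.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 5. The endpoint change does not take effect until the service restarts.
Restart-Service adfssrv -Force

# 6. Confirm the page answers externally once the WAP has picked up the new config.
#    Hostname sts.contoso.com is a placeholder for your federation service name.
$url = "https://sts.contoso.com$endpoint"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0
    Write-Output "$url returned HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "$url not reachable yet: $($_.Exception.Message)"
}
```

Test the external URL from a device that is not on the corporate network; if it still fails after the restart, give the Web Application Proxy a minute or two to pick up the changed endpoint configuration before restarting the federation service again.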

The ability to update your password from a web page is a great feature, and it’s so easy to implement. Here’s Sam Devasahayam’s (also known as @MrADFS) original post on the topic.