Self-Service Password Reset

Chapter 7 – Self-Service Password Reset – in the FIM 2010 R2 book

In this chapter we will cover:

  • Enabling password management in AD
  • Allowing FIM Service to set passwords
  • Configuring FIM Service
  • The user experience

This is also the preview chapter that you can download.

9 thoughts on “Self-Service Password Reset”

  1. Matt

    I have installed MIM 2016 Password Reset and Registration Portals and all of the functionality is working as intended when I have one authentication gate. But when I add multiple authentication gates in the “Password Reset AuthN Workflow” such as QA gate, Email OTP and SMS OTP gates, users need to register all of these gates and they need to pass them one by one when they are resetting their passwords. Is there a way to make only one gate required so that users do not need to register all of them?

    • Kent (post author)

      If you want a different gate experience for different users you need a Set/WF/MPR for each combination. Look at the default MPRs for SSPR and mimic those when creating your own combinations.

  2. Matt

    Thank you for your quick response, Kent. I currently have one set of users and I want all of my users to have the option to pick one of the available SSPR authentication methods. For instance, I would like to enable all four of the QA, OTP Email, OTP SMS and Phone gates, but I want users to have to register only one of them so they will have the option. With the available functionality in MIM 2016, when I add these authentication gates in one or more workflows, they run in sequential order, so the users are asked to register all of them and need to pass all of them to reset their password. On Azure AD Premium (as explained here https://blogs.technet.microsoft.com/ad/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium/) Microsoft has this functionality and they call it “number of contact methods required”. I was wondering if that is possible for MIM by either creating a custom authentication workflow or activity, or maybe by altering the behavior of the Password Reset and Registration Portals by customizing them.

    • Kent (post author)

      I’m afraid the functionality you see in Azure AD Premium SSPR is not possible out-of-the-box in MIM. I have customers with solutions similar to what you want in place. But in order to get that in MIM you first need the user to decide the method they want to use, and store that in MIM so that the correct MPR can apply to the user. A small custom website integrated with the SSPR Portal could do the trick for you. As long as the “selection” is stored in MIM before the “normal” Registration Process is started it will work. I also have customers that do not use the SSPR built-in registration process, but rather collect the Mobile Phone and Private email to use, and then MIM automatically registers the user for SSPR using something like what I describe in this post http://konab.com/automate-sspr-registration-fim-2010-r2

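The two replies above say that per-user gate selection in FIM/MIM comes down to one Set/WF/MPR per combination, keyed on a choice stored in MIM before registration starts. The following script is an added example, not code from the post, the book or Kent's linked article: it creates the Set half of that pattern with the FIMAutomation snap-in that ships with the FIM/MIM Service. It assumes a hypothetical single-valued string attribute named SSPRMethodChoice bound to Person (the attribute a custom pre-registration page would populate) and the default FIM Service URI on the local host; both are assumptions, not something the page states.

```powershell
# Added example: create a Set of Person objects whose stored SSPR choice is one
# method (here "SMS"), so that a cloned Registration/AuthN MPR can be scoped to it.
# Assumptions (not from the page): a Person attribute "SSPRMethodChoice" exists in
# the schema, and the FIM Service listens at http://localhost:5725.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$ns = 'Microsoft.ResourceManagement.Automation.ObjectModel'

function New-FimAttributeChange {
    param([string]$Name, [string]$Value)
    $change = New-Object "$ns.ImportChange"
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
    $change.AttributeName  = $Name
    $change.AttributeValue = $Value
    $change.FullyResolved  = $true
    $change.Locale         = 'Invariant'
    return $change
}

function New-SsprMethodSet {
    param([string]$Method)

    # Set filters are XPath in the FIM XPathFilterDialect; the attribute named in
    # the predicate must be bound to Person or the FIM Service rejects the request.
    $filterXml = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
                 'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
                 'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
                 'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
                 "/Person[SSPRMethodChoice = '$Method']</Filter>"

    $set = New-Object "$ns.ImportObject"
    $set.ObjectType             = 'Set'
    $set.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $set.TargetObjectIdentifier = $set.SourceObjectIdentifier
    $set.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create
    $set.Changes = @(
        (New-FimAttributeChange -Name 'DisplayName' -Value "SSPR Users - $Method gate"),
        (New-FimAttributeChange -Name 'Description' -Value "Users who chose the $Method gate for password reset"),
        (New-FimAttributeChange -Name 'Filter'      -Value $filterXml)
    )
    return $set
}

# One Set per method the users may pick; each gets its own cloned MPR/workflow.
foreach ($method in 'QA', 'Email', 'SMS', 'Phone') {
    New-SsprMethodSet -Method $method |
        Import-FIMConfig -Uri 'http://localhost:5725/ResourceManagementService'
}
```

Run it once as an account that holds the FIM administrator role. After the Sets exist, clone the built-in SSPR registration and authentication MPRs in the portal (the ones Kent points at) and bind each clone to one of these Sets and to an AuthN workflow containing only that gate; a user who changes the stored choice later moves between Sets automatically because the filter is criteria-based, not manually managed.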
  3. Matt

    Hi Kent,
    I have a quick question about password management via FIM portals. I could not find a delivered way to enable users to change their password if they already know their existing password unless they go through the same process as if they forgot their password. Am I missing something? If it does not exist as a functionality, what would be your recommendations to implement password change functionality?
    Thank you.
    Matt

    • Kent (post author)

      Hi Matt,
      No, FIM/MIM does not have PW change functionality, just PW reset or the new one in MIM called Account Unlock.
      Most of my customers use ADFS and enable the Password Change feature in that to allow users to change password.

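Kent's reply above recommends the AD FS password change page for users who still know their current password. As an added example (not from the post or the book), the following PowerShell enables that page on an AD FS farm running Windows Server 2012 R2 or later; it assumes you run it on a farm node as an AD FS administrator and that the Web Application Proxy should publish the page, which is an assumption to adjust if the page must stay internal.

```powershell
# Added example: turn on the AD FS "update password" endpoint, which is disabled
# by default, and verify the result. Assumes AD FS 2012 R2 or later and an
# elevated AD FS administrator session on a farm node (not from the page).
Import-Module ADFS

$updatePasswordPath = '/adfs/portal/updatepassword/'

function Enable-AdfsPasswordChangePage {
    param([bool]$PublishThroughProxy = $true)

    # Enable the endpoint on the farm; without this the URL returns an error page.
    Enable-AdfsEndpoint -TargetAddressPath $updatePasswordPath

    # Only publish through the WAP when users must reach it from outside;
    # leaving -Proxy $false keeps the page intranet-only.
    Set-AdfsEndpoint -TargetAddressPath $updatePasswordPath -Proxy $PublishThroughProxy

    # Endpoint changes take effect after the AD FS service restarts on each node.
    Restart-Service -Name adfssrv

    # Return the endpoint so the caller can confirm Enabled (and Proxy) are set.
    return Get-AdfsEndpoint -AddressPath $updatePasswordPath
}

Enable-AdfsPasswordChangePage -PublishThroughProxy $true |
    Format-List AddressPath, Enabled, Proxy
```

Repeat the service restart on every node in the farm. The page changes the password directly against AD, so it enforces the domain password policy and requires the current password; it does not touch the MIM SSPR gates, which remain the path for users who have forgotten it.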
  4. Matt

    ADFS seems like the easiest and most straightforward solution for us as well. Thank you for your prompt response, Kent.

  5. Ákos

    Hi Kent

    Your blog is just amazing!! Congrats…
    I now have some trouble with OTP gates and until now I couldn’t find any kind of help.
    Password reset/registration is working properly with the QA gate, but now I want to deploy some OTP gates.
    After deploying the Azure MFA service, I always receive an MFA authentication issue, because the PhoneGatePhoneNumber attribute of my users is missing.
    I couldn’t find any kind of description or blog post describing this kind of use case or issue.
    This attribute exists in the MIM Portal and the password registration process succeeds, but I couldn’t see any kind of attributes regarding it, neither in the MIM Portal nor in AD.
    I think you already have experience with this kind of use case. 😉 Would you give me the next ‘kick’ and/or input to implement this service?
    I would really appreciate it!

    Thanks in advance for your answer & best regards, Ákos

