SSPR configurable password policy text window (for tenants using ADFS/write-back)
We have Azure AD using ADFS, so SSPR is using password write-back.
We have a 3rd party password filter implemented on-prem because built-in password policies are so poor (complexity enabled with fine-grained password policies still allows passwords like "Password1", "Microsoft1", etc.).
While Azure AD has added some smarts to block "bad" passwords (good job!) - on-prem AD doesn't, which means we can't rely purely on new password filtering functionality in Azure AD.
The end result is that SSPR is very frustrating to use, because it carries no information about what the on-prem password policy requirements are.
Please provide a custom field where we can detail the password requirements in SSPR after the user has completed their identity verification. It should also be displayed if the user chooses a password in SSPR that is rejected by password write-back.
Thanks for your consideration!
Thank you for your feedback! We are still considering this feature and would love to get more feedback on this. Do you want just a text box? Does it need to be localized? What type of information would you include?
I think there can only be some general and non-customizable suggestions and/or a link to public documentation. I certainly don't want my company-specific policies to be revealed in a public area like the SSPR portal. Those policies I can easily communicate via inner channels where they belong.
I don't downvote the idea because I like to see a good SSPR discussion and surely some general improvements but no vote from me either.
Matt Leeke commented
As has been mentioned by others, just a free-text field - ideally which supports the use of HTML tags - which sits somewhere on the "Create a new password" page would be sufficient for our use-case. We can state the password policy therein.
Yassine SOUABNI commented
As originally proposed by Jordan:
"Please provide a custom field where we can detail the password requirements in SSPR after the user has completed their identity verification. It should also be displayed if the user chooses a password in SSPR that is rejected by password write-back."
An end user enters his password without any "Hint or Guidance" on what level of complexity it should require, clicks "Reset" and then discovers that his password has been rejected
through this message:
>>> "This password does not meet the length, complexity, age, or history requirements of your corporate password policy."
It would be helpful to have a Hint Label "configurable by admins" which shows the Company's Password Complexity requirements, which can help the users better choose an appropriately composed password from the first attempt. (Less end user frustration)
Another option would be to provide an estimation of the password complexity while the user is typing...
I guess the suggestion could apply for both the SSPR links
This feature is very much needed to assist the end-user when changing their password. Some sort of text box that contains the password policy will help the end-user when setting a new password.
If one or more requirements are met, the text should change to green to let the end-user know that the new password meets the password policy (length, complexity, password history etc).
Bart Vermeersch commented
For SSPR (and change password) we would like to specify a custom text like "A valid password must be at least 10 characters long."
For cloud-only users, the hints text window and the strength indicator appear in the SSPR page. When will the text window and password strength indicator also appear for SSPR + ADFS and password writeback users? This will definitely enhance user experience when using Azure SSPR.
Patrick Doherty commented
To start with, a simple text box of requirements would be fantastic, if later on it could be tabbed for different policies (different countries/companies/departments) that may have their own policies or preferences?
Cha Yang commented
This is a great idea. We are also looking for this change. I think this is huge end user experience improvement. If that information is there, users will have a better chance of getting their passwords changed on the first try and eliminate frustration and calls to the service desk.
Caroli, Gino commented
Just the ability to post a message stating the complexity requirements on the password reset and change password pages would be nice.