How can we improve Azure Active Directory?

← Azure Active Directory

Enable SSPR to reset Windows cached credentials

In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

Its great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since its definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we see and is vital we get addressed. As it stands we'll have to look for third party tools to assist us.

118 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Simon hoddinott shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

20 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    Is there an update on this?
    SSPR with Hybrid AD and many remote users (no VPN) is almost useless without also updating the local cached credentials! Very poor end-user experience and far too confusing to try to explain.

  • Nils van Woensel commented  ·   ·  Flag as inappropriate

    This would be a real benefit and need for customers. This could be a blocker when replacing current password reset solution which could possibly do this type of reset. Any update on the roadmap for this ?

  • Anonymous commented  ·   ·  Flag as inappropriate

    Hey Azure team - totally agree. This is such a nice addition to the toolset, but without updating the cached credentials or allowing login to the device, this is a pretty big miss. It's been over a year - any update on this?

  • Bill Neumann commented  ·   ·  Flag as inappropriate

    Hi Azure AD Team... It's been nearly a year since you've provided a status update on this issue. Can you review and update?

  • Bill Neumann commented  ·   ·  Flag as inappropriate

    Is this scenario / request moot if users log on using their User Principal Name (UPN/email) credentials versus using domain\username IDs, i.e., a UPN logon will authenticate using the updated Azure AD credentials and not need to leverage Windows AD cached credentials?

  • RockLee commented  ·   ·  Flag as inappropriate

    Yes, this is very much needed.

    I got around this by implementing a VPN before logon solution. Already using F5 VPN so all it took was modifying the Edge client so that it can be launched with the "Network Sign-in" feature from the logon screen.

  • Kris commented  ·   ·  Flag as inappropriate

    Any Updates for this feature? I don't want to have to go 3rd party but might need to if this is not added in.

  • Dustin commented  ·   ·  Flag as inappropriate

    Any update to this functionality. We have multiple remote users and can change their password in O365 and have it sync across the entire domain, but their mobile devices still are unable to get the updated password without line of sight to the on-prem AD

  • Felipe Andrade commented  ·   ·  Flag as inappropriate

    We actually implemented SSPR and completely forgot about the cached credentials issue. This is definitely important and for many companies probably a requirement.

  • Michael commented  ·   ·  Flag as inappropriate

    if Microsoft could figure this out.... it would be a game changer for my organization

  • Matt J. commented  ·   ·  Flag as inappropriate

    Great to hear this is under review. We would definitely benefit from such a capability!

  • Anonymous commented  ·   ·  Flag as inappropriate

    There should at least be some guidance/official mention of cached credentials in the documentation.

  • Marc Rice commented  ·   ·  Flag as inappropriate

    We run into this all the time as most of our users are remote. That was one of the primary motivations for implementing SSPR. We were hoping it would be a single password reset mechanism we could use to support users regardless of whether they were using PC, Mac, or Mobile. We have to instruct users to connect to the VPN to sync their cached credentials -- we might as well have them connect and reset their password at the same time and save a step.

    Some guidance on using SSPR with domain joined machines would be awesome. For example, how to handle this issue, recommended on prem password policy settings, and some insight into how long all this takes so that uses don't lock themselves out, or confuse old and new passwords. If we're doing something wrong, I'd love to know it.

Azure Active Directory: Self-Service Password Reset

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice