How can we improve Azure Active Directory?

Enable SSPR to reset Windows cached credentials

In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

It's great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user, since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement, since it's definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we see and is vital that we get addressed. As it stands we'll have to look for third-party tools to assist us.

59 votes

    Simon hoddinott shared this idea
    under review  ·  Azure AD Team (Admin, Microsoft Azure) responded:

    Hey folks! Thank you for your feedback. We are reviewing this ask and will keep you up to date on our findings. We have also added information about this limitation in our documentation. Thank you!

    8 comments

      • Michael commented

        If Microsoft could figure this out... it would be a game changer for my organization.

      • Matt J. commented

        Great to hear this is under review. We would definitely benefit from such a capability!

      • Anonymous commented

        There should at least be some guidance/official mention of cached credentials in the documentation.

      • Marc Rice commented

        We run into this all the time as most of our users are remote. That was one of the primary motivations for implementing SSPR. We were hoping it would be a single password reset mechanism we could use to support users regardless of whether they were using PC, Mac, or Mobile. We have to instruct users to connect to the VPN to sync their cached credentials -- we might as well have them connect and reset their password at the same time and save a step.

        Some guidance on using SSPR with domain-joined machines would be awesome. For example, how to handle this issue, recommended on-prem password policy settings, and some insight into how long all this takes so that users don't lock themselves out, or confuse old and new passwords. If we're doing something wrong, I'd love to know it.
