How can we improve Azure Active Directory?

Enable SSPR to reset Windows cached credentials

In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

It's great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since it's definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we see and is vital that we get addressed. As it stands we'll have to look for third party tools to assist us.

73 votes

Simon Hoddinott shared this idea

11 comments

  • Dustin commented

    Any update to this functionality? We have multiple remote users and can change their password in O365 and have it sync across the entire domain, but their mobile devices still are unable to get the updated password without line of sight to the on-prem AD.

  • Felipe Andrade commented

    We actually implemented SSPR and completely forgot about the cached credentials issue. This is definitely important and for many companies probably a requirement.

  • Michael commented

    If Microsoft could figure this out... it would be a game changer for my organization.

  • Matt J. commented

    Great to hear this is under review. We would definitely benefit from such a capability!

  • Anonymous commented

    There should at least be some guidance/official mention of cached credentials in the documentation.

  • Marc Rice commented

    We run into this all the time as most of our users are remote. That was one of the primary motivations for implementing SSPR. We were hoping it would be a single password reset mechanism we could use to support users regardless of whether they were using PC, Mac, or Mobile. We have to instruct users to connect to the VPN to sync their cached credentials -- we might as well have them connect and reset their password at the same time and save a step.

    Some guidance on using SSPR with domain-joined machines would be awesome. For example, how to handle this issue, recommended on-prem password policy settings, and some insight into how long all this takes so that users don't lock themselves out, or confuse old and new passwords. If we're doing something wrong, I'd love to know it.
