Enable SSPR to reset Windows cached credentials
It's great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since it's definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we see and it is vital we get it addressed. As it stands we'll have to look for third-party tools to assist us.
Hey folks! Thank you for your feedback. We are reviewing this ask and will keep you up to date on our findings. We have also added information about this limitation in our documentation. Thank you!
Bill Neumann commented
Is this scenario / request moot if users log on using their User Principal Name (UPN/email) credentials versus using domain\username IDs, i.e., a UPN logon will authenticate using the updated Azure AD credentials and not need to leverage Windows AD cached credentials?
Yes, this is very much needed.
I got around this by implementing a VPN before logon solution. Already using F5 VPN so all it took was modifying the Edge client so that it can be launched with the "Network Sign-in" feature from the logon screen.
Any updates for this feature? I don't want to have to go third party but might need to if this is not added in.
ManageEngine ADSelf-service Plus solves this with ease! https://www.manageengine.com/products/self-service-password/?pos=MEtab&cat=AD&loc=tab&prev=AB2
Any update to this functionality? We have multiple remote users and can change their password in O365 and have it sync across the entire domain, but their mobile devices still are unable to get the updated password without line of sight to the on-prem AD.
Felipe Andrade commented
We actually implemented SSPR and completely forgot about the cached credentials issue. This is definitely important and for many companies probably a requirement.
If Microsoft could figure this out... it would be a game changer for my organization.
Hi folks! Thanks for your feedback. We are still considering this feature. Please continue to vote if this is important to you to help us prioritize appropriately. Thanks!
This would be huge.
Matt J. commented
Great to hear this is under review. We would definitely benefit from such a capability!
There should at least be some guidance/official mention of cached credentials in the documentation.
Marc Rice commented
We run into this all the time as most of our users are remote. That was one of the primary motivations for implementing SSPR. We were hoping it would be a single password reset mechanism we could use to support users regardless of whether they were using PC, Mac, or Mobile. We have to instruct users to connect to the VPN to sync their cached credentials -- we might as well have them connect and reset their password at the same time and save a step.
Some guidance on using SSPR with domain-joined machines would be awesome. For example, how to handle this issue, recommended on-prem password policy settings, and some insight into how long all this takes so that users don't lock themselves out, or confuse old and new passwords. If we're doing something wrong, I'd love to know it.
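The "connect to the VPN, then sync the cached credential" step that the comment above describes can be scripted so the help desk is not talking users through it blind. The following is an added example, not code from the thread or from Microsoft: it checks whether the domain-joined PC can currently reach a domain controller (with nltest, which ships with Windows), reports the CachedLogonsCount policy value that governs whether offline logon is possible at all, and, only when a DC is reachable, locks the session so the user can unlock with the new password, which is what refreshes the cached credential. The function names and the five-second delay are my own choices; the script assumes a domain-joined Windows client where the user logged on with a domain account.

```powershell
# Added example (not from the thread). Assumes a domain-joined Windows client
# and a domain logon, so $env:USERDNSDOMAIN is populated. nltest.exe ships with Windows.

function Test-DomainControllerReachable {
    param([string]$Domain = $env:USERDNSDOMAIN)
    if (-not $Domain) { return $false }   # local account or not domain-joined
    # /force bypasses the DC locator cache so a stale "was reachable" answer is not reused
    $null = & nltest.exe /dsgetdc:$Domain /force 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Get-CachedLogonsCount {
    # "Interactive logon: Number of previous logons to cache" is stored as REG_SZ here
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $prop = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    return $prop.CachedLogonsCount
}

$count = Get-CachedLogonsCount
if ($count -eq 0) {
    Write-Warning "CachedLogonsCount is 0: offline logon is disabled on this device regardless of SSPR."
}

if (Test-DomainControllerReachable) {
    Write-Host "Domain controller reachable. Locking the session in 5 seconds."
    Write-Host "Unlock with the NEW password so Windows refreshes the cached credential."
    Start-Sleep -Seconds 5
    rundll32.exe user32.dll,LockWorkStation
} else {
    Write-Host "No domain controller reachable. Connect to the VPN first, then run this again."
}
```

Unlocking with the old password while a DC is reachable will simply fail (the DC knows the new one), so the script's prompt is explicit about which password to type. Run it in the user's own session, not elevated as a different account, because the cached credential that needs refreshing belongs to the interactive user.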
Peter Selch Dahl commented
This would be great to have
Aaron A commented
I am surprised this wasn't built in already at launch.