Enable SSPR to reset Windows cached credentials

In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

Its great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since its definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we see and is vital we get addressed. As it stands we'll have to look for third party tools to assist us.

436 votes

Simon hoddinott shared this idea · Jul 27, 2018 · Flag idea as inappropriate… · Admin →

under review ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · Dec 21, 2018

Hey folks! Thank you for your feedback. We are reviewing this ask and will keep you up to date on our findings. We have also added information about this limitation in our documentation. Thank you!

54 comments

An error occurred while saving the comment

ll commented · February 5, 2021 7:52 AM · Flag as inappropriate

2,5 years later and nothing.... So sad how MS handles some ""killer features" that should be already implemented.

Submitting...
Anonymous commented · December 25, 2020 2:39 AM · Flag as inappropriate

In the smartworking era this feature is a "must have".
Having one identity with two passwords is wrong.

Windows Hello for Business seems not to completely resolve the problem because it should require Domain Controller connection to enroll the tool (so being in LAN for hybrid joined windows 10 devices).

Thanks

Submitting...
jd commented · November 5, 2020 4:38 AM · Flag as inappropriate

Can Windows Hello for Business help with this?

"Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen"

Does that need a VPN tunnel to check the password as part of the process?

Submitting...
Anonymous commented · October 27, 2020 7:26 AM · Flag as inappropriate

I guess nothing more will happen here, right?

Submitting...
Joakim Tomren commented · September 26, 2020 1:10 PM · Flag as inappropriate

@Brad Anderson what can you do about this?

Submitting...
Hansell, Derek commented · September 18, 2020 7:08 AM · Flag as inappropriate

Almost 2 years without an update. Teams has plenty of devs - maybe shift some back to the Identity side of the house?

Submitting...
Anonymous commented · September 8, 2020 8:23 AM · Flag as inappropriate

Any update on this feature? With COVID this is more of an issue with more and more remote workers that don't have line of sight to DCs.

Submitting...
Michael K commented · August 26, 2020 5:01 PM · Flag as inappropriate

Microsoft. C'mon guys! Please, get this rolling. I can't believe this wasn't included with the original SSPR rollout. If AAD DS can sync password/user info it should be able to sync kerberos tickets and update the local password as well.

Submitting...
Sal commented · August 26, 2020 8:20 AM · Flag as inappropriate

I am not sure why this is so difficult for Microsoft. Just like others have pointed out other companies have figured out how to do this. I guess i will renew my subscription to ADManager since Microsoft cannot figure out how to integrate their own platforms

Submitting...
Adam Smith commented · August 11, 2020 9:55 PM · Flag as inappropriate

Hi Guys, great idea and works great - to that point where it doesn't work. Please put this in

Submitting...
Chris commented · July 27, 2020 9:11 AM · Flag as inappropriate

Other Programs already do this. If 3rd parties have figured it out, surely Microsoft can do this is they made the operating systems.

Submitting...
Samir commented · July 24, 2020 6:05 AM · Flag as inappropriate

As juju said, this is a major caveat.

If user password expires there is no way to log back into the device.

Submitting...
Julien BARREAU-MAINSON commented · July 23, 2020 8:20 AM · Flag as inappropriate

Any update on this request ? This is really a must have...

Hybrid AAD joined computers + COVID19 = SSPR cannot be easily used...

Submitting...
Anonymous commented · June 29, 2020 7:41 AM · Flag as inappropriate

The SSPR also should be able to reset the cached password on the mobile users laptop or other devices as well.

Submitting...
Anonymous commented · June 25, 2020 8:50 AM · Flag as inappropriate

We are unable to use SSPR until this is fixed

Submitting...
Hbaele commented · June 24, 2020 6:04 AM · Flag as inappropriate

And again... SSPR without cached credential change keeps on making your home use of your company controlled device unusable... Please provide a solution Microsoft!

Submitting...
Dave Morin commented · June 4, 2020 6:20 AM · Flag as inappropriate

Any update, in evaluation since 2018. We would really need this.

Submitting...
Adam commented · June 1, 2020 9:31 AM · Flag as inappropriate

This is a much needed feature especially given the situation in the world. Can we get an update on this please?

Submitting...
Pab commented · May 21, 2020 6:10 AM · Flag as inappropriate

Any further updates on this? Listed as under review in December 2018. How long could this take to review?

Submitting...
Sudhakar commented · May 20, 2020 9:23 AM · Flag as inappropriate

Any update since we cant find any updates around SSPR specifically

Submitting...