Enable SSPR to reset Windows cached credentials

In reference to - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

Its great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since its definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we see and is vital we get addressed. As it stands we'll have to look for third party tools to assist us.

506 votes

Simon hoddinott shared this idea · Jul 27, 2018 · Flag idea as inappropriate… · Admin →

under review ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · Dec 21, 2018

Hey folks! Thank you for your feedback. We are reviewing this ask and will keep you up to date on our findings. We have also added information about this limitation in our documentation. Thank you!

60 comments

An error occurred while saving the comment

Chris commented · July 15, 2021 5:28 AM · Flag as inappropriate

Also annoyed this isn't fixed. Over 7,000 employees trying to self serve and then blocked because the local cached credentials don't check in with AD

Submitting...
ken commented · July 1, 2021 11:59 PM · Flag as inappropriate

Come on ... still nothing ..
What is the point of this site......

Please provide us an update so we know if we should move a third party application.

Submitting...
Anonymous commented · June 21, 2021 8:25 PM · Flag as inappropriate

So disappointing that this is still not a feature even after Covid...

Submitting...
Anonymous commented · May 12, 2021 3:33 PM · Flag as inappropriate

Hey Microsoft. The folks at DXC are getting more and more customers with this exact issue as more customer attempt to adopt the Hybrid Azure AD version of modern. So unless Microsoft want to see the Modern story tainted with the most basic of IT support use cases, I suggest a more rapid development of a solution. Thanks

Submitting...
Luke Paskert commented · May 7, 2021 6:27 AM · Flag as inappropriate

Please make this happen.

Submitting...
ken commented · April 6, 2021 2:11 AM · Flag as inappropriate

How is this possible .. still not fixed

Submitting...
ll commented · February 5, 2021 7:52 AM · Flag as inappropriate

2,5 years later and nothing.... So sad how MS handles some ""killer features" that should be already implemented.

Submitting...
Anonymous commented · December 25, 2020 2:39 AM · Flag as inappropriate

In the smartworking era this feature is a "must have".
Having one identity with two passwords is wrong.

Windows Hello for Business seems not to completely resolve the problem because it should require Domain Controller connection to enroll the tool (so being in LAN for hybrid joined windows 10 devices).

Thanks

Submitting...
jd commented · November 5, 2020 4:38 AM · Flag as inappropriate

Can Windows Hello for Business help with this?

"Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen"

Does that need a VPN tunnel to check the password as part of the process?

Submitting...
Anonymous commented · October 27, 2020 7:26 AM · Flag as inappropriate

I guess nothing more will happen here, right?

Submitting...
Joakim Tomren commented · September 26, 2020 1:10 PM · Flag as inappropriate

@Brad Anderson what can you do about this?

Submitting...
Hansell, Derek commented · September 18, 2020 7:08 AM · Flag as inappropriate

Almost 2 years without an update. Teams has plenty of devs - maybe shift some back to the Identity side of the house?

Submitting...
Anonymous commented · September 8, 2020 8:23 AM · Flag as inappropriate

Any update on this feature? With COVID this is more of an issue with more and more remote workers that don't have line of sight to DCs.

Submitting...
Michael K commented · August 26, 2020 5:01 PM · Flag as inappropriate

Microsoft. C'mon guys! Please, get this rolling. I can't believe this wasn't included with the original SSPR rollout. If AAD DS can sync password/user info it should be able to sync kerberos tickets and update the local password as well.

Submitting...
Sal commented · August 26, 2020 8:20 AM · Flag as inappropriate

I am not sure why this is so difficult for Microsoft. Just like others have pointed out other companies have figured out how to do this. I guess i will renew my subscription to ADManager since Microsoft cannot figure out how to integrate their own platforms

Submitting...
Adam Smith commented · August 11, 2020 9:55 PM · Flag as inappropriate

Hi Guys, great idea and works great - to that point where it doesn't work. Please put this in

Submitting...
Chris commented · July 27, 2020 9:11 AM · Flag as inappropriate

Other Programs already do this. If 3rd parties have figured it out, surely Microsoft can do this is they made the operating systems.

Submitting...
Samir commented · July 24, 2020 6:05 AM · Flag as inappropriate

As juju said, this is a major caveat.

If user password expires there is no way to log back into the device.

Submitting...
Julien BARREAU-MAINSON commented · July 23, 2020 8:20 AM · Flag as inappropriate

Any update on this request ? This is really a must have...

Hybrid AAD joined computers + COVID19 = SSPR cannot be easily used...

Submitting...
Anonymous commented · June 29, 2020 7:41 AM · Flag as inappropriate

The SSPR also should be able to reset the cached password on the mobile users laptop or other devices as well.

Submitting...