Microsoft’s Azure AD Self-Service Password Reset (SSPR) solution can be used to change, unlock or reset passwords from Azure AD and write them back to on-premises Active Directory. This functionality is only available to organizations that have a hybrid implementation, e.g. have synchronized on-premises Active Directory to Azure AD and have a P1/P2 or Office 365 Business license (note: for Education plans this is included in A3/A5 licenses).
Although Microsoft has made some advancements, the solution falls short on user experience and security in several areas:
- MFA enrollments are not one-to-one with Azure MFA
- Security questions are questionable
- Updating locally cached credentials is not supported
- Lacks a dedicated service desk interface
- No password policy rules display
MFA enrollments are not one-to-one
A disparity between Azure MFA and Azure AD SSPR exists even with combined registration. Alternate email and security questions, including custom questions, are supported in Azure AD SSPR but not in Azure MFA. This disparity can increase the chance of authentication failure, creating a negative user experience.
Specops uReset’s robust multi-factor authentication (MFA) platform supports over 15 forms of authentication out-of-the-box. MFA enrollments can be seamlessly extended to support other high-risk use cases including self-service encryption key recovery, service desk assisted password resets/changes, and the Office 365 login.
Security questions are questionable
Azure AD SSPR displays all security questions to the user at once, and answers are not obfuscated. This creates a perfect scenario for shoulder surfing, or for an attacker to social engineer the answers to all of the questions. Azure AD also lacks a lockout threshold if questions are answered incorrectly.
Security questions are recognized as being a weak form of authentication. Industry experts and standards bodies recommend moving beyond them. With Specops uReset, you can do that easily with over 15 different forms of authentication services to pick and choose from, including commercial ones like Duo Security. However, if you prefer to continue using security questions, Specops uReset does support them, with extended security features to ensure that they cannot be shoulder-surfed.
Updating locally cached credentials not supported
When users are not connected to the corporate network, which is commonly the case for remote and mobile users, they cannot authenticate with a domain controller. If the user forgets their password and resets it with Azure AD SSPR, the user will still not be able to log in, since the locally cached credential will not be updated. This has a negative impact on the user experience and productivity.
Specops uReset supports updating locally cached credentials. This is an important and common use case for the majority of our customers, as end-users are increasingly mobile or remote due to digitalization.
Lacks a dedicated service desk interface
The primary objective of a self-service password reset solution is to deflect password reset calls from the service desk. However, due to conditioning or a solution’s inability to update cached credentials, some users will continue to call the service desk. Azure AD SSPR does not offer a dedicated service desk interface to facilitate password resets, changes, or account unlocks.
Half of all data breaches involve a malicious or criminal attack, with social engineering making up a large percentage of these. The IT service desk is a prime social engineering target, so user verification is imperative. Specops uReset’s service desk component enables service desk staff to verify users with the authentication factors they’ve enrolled with before proceeding to reset or change their passwords.
No password policy rules display
When resetting/changing passwords with Azure AD SSPR, users are not presented with any password policy rules to assist them in setting a compliant password. Users are only notified after the fact with very generic feedback on why their password change/reset failed. This can create a situation where a user fails multiple times to reset or change their password successfully, negatively impacting their experience and ultimately leading to calls to the service desk.
Specops uReset displays dynamic password policy rules to guide users with real-time feedback as they are typing in a new password. This allows users to understand the password policy requirements, and successfully submit their password.
About Specops uReset
Specops uReset enables self-service password management, from anywhere and any device. The solution is a part of a robust multi-factor authentication platform that also supports secure user verification for encryption key recovery.