Notifications

Specops Password Policy can send out a number of notifications related to password expiration and password rule compliance. This section explains the various options and settings associated with these notifications.

Types of notifications


  • Expiration email notification
    Sent out at a specific time prior to the user’s password expiration.
  • Breached Password Protection Complete email notification
    Email sent out to inform users that their new password matches one found in the Breached Password Protection Complete database.
  • Breached Password Protection Complete text notification
    Text message sent out to inform users that their new password matches one found in the Breached Password Protection Complete database.
  • Breached Password Protection Express email notification
    Email sent out to inform users that their password matches one found in the Breached Password Protection Express database after that database was updated.
  • License emails
    Emails sent out to Specops and administrators containing licensing information.

Please refer to the sections below for more information on the different notifications.

Email Sending System


NOTE
It is recommended to configure the SMTP settings in the Domain Administration tool before making any changes to the email templates in the Group Policy snap-in. If the SMTP settings have not been set in the Domain Administration tool, applying changes to the mail templates in the Group Policy snap-in will show a warning informing the administrator that the SMTP settings have to be configured in the Domain Administration tool.

Notifications can be sent through the Sentinel (via SMTP) and the Arbiter (via SMTP or Microsoft Graph API).

Changing the email sending system

You can change the email sending system in the SMTP settings in the Domain Administration Tool.

  1. In the Domain Administration Tool, go to Domain Settings, then click Edit in the SMTP Settings section.
  2. Click on the Email Sending System dropdown and choose which system you want to use.

Sentinel Service and Arbiter

Since the Sentinel Service is installed on all writable domain controllers, using the Sentinel to send notifications necessarily means that these domain controllers must be open to the internet in order to send mails. In cases where this is not desired, the Arbiter can be used to send notifications. The Arbiter also needs to be open to the internet, but since it is recommended that Arbiters are installed on servers that are not domain controllers, this means that the DC is not open in the same way.

Sentinel Service

The Sentinel Service is the default email sending system for Specops Password Policy.

WARNING
Since the Sentinel Service is installed on all writable domain controllers, all domain controllers must be allowed to send SMTP traffic directly to the configured SMTP server. If you prefer to have SMTP traffic originate from a member server, you can configure Password Policy to use your Arbiter(s) for sending email.

Arbiter

The Arbiter can be used as an email sending system (provided the Arbiter is installed on a server that is not a domain controller). The Sentinel Service is still involved in the sending of notifications, but only to the Arbiter, not directly over SMTP. Note that the Sentinel Service drops off SMTP emails to the Arbiter and then exits. It does not check whether or not the emails have been delivered.

NOTE
If you are using the Arbiter only as an email sending system (i.e. not to enable Specops Breached Password Protection), you do not require an API key.

Microsoft Graph API

Microsoft Graph is the gateway to data and intelligence in Microsoft 365. In SPP you can leverage the Graph API functionality to send your SPP email communications.

More information on SMTP settings can be found in the Domain Administration Tool Settings (SMTP) section below.

Domain Administration Tool Settings (SMTP)


The Domain Administration tool controls the SMTP settings for all outgoing emails from Specops Password Policy (with certain exceptions listed below).

NOTE
It is recommended to configure the SMTP settings in the Domain Administration tool before making any changes to the email templates in the Group Policy snap-in. If the SMTP settings have not been set in the Domain Administration tool, applying changes to the mail templates in the Group Policy snap-in will show a warning informing the administrator that the SMTP settings have to be configured in the Domain Administration tool.

Editing Email System Settings

  1. In the Domain settings menu, go to the SMTP Settings section.
  2. Click the Edit button for the SMTP Settings.
  3. Fill out all the necessary fields in the pop-up window.
  4. Click the Test Settings… button, fill in a valid email address in the To field, then click Send to test the settings.
  5. Click OK.

Configuring SMTP settings (Sentinel Service and Arbiter)

In this section the global SMTP settings are configured. These are the SMTP settings for all outgoing emails.

  • Email Sending System: choose which system to use for sending emails (Sentinel Service or Arbiter). For more information on Email Sending Systems, see the Email Sending System section.
  • SMTP Server
    The name of the SMTP server used. The emails are sent from the domain controllers where the Sentinel is installed.
  • Use TLS (Encryption)
    Transport Layer Security. Check this option if you want to enable encryption for outgoing mail. Note that whenever TLS is enabled, the port will automatically be set to port 587.
  • Port
    Defaults to Port 25. If another port is to be used for outgoing emails, it can be set here.
  • Authentication
    There are three levels of authentication that can be set:
    • Anonymous access (no authentication)
    • Basic authentication (username and password; both fields will appear when this option is selected)
    • Integrated Windows authentication (the computer accounts of the domain controllers where the Sentinel is installed will be used for authentication. The SMTP server has to be set up such that it allows requests from domain controller accounts.)
  • Default Sender Email Address
    The default address notifications are sent from.
  • Default Sender Display Name
    The display name for sent notifications.
  • Admin Notification Email Address
    Email used to receive license information and warnings. Make sure this is an administrator with the correct privileges to act on the information contained in the emails.

Configuring Microsoft Graph API

In order to use Microsoft Graph API as the email sending service, an app needs to be configured in Azure Active Directory, which will be used for sending mails from Specops Password Policy using Graph API. The following app configuration data needs to be copied to be used in the Domain Administration Tool:

  • Tenant ID
  • Client ID
  • From email address
  • Client secret
Creating a Mail-enabled group

  1. Log in to https://admin.microsoft.com/ for your organization.
  2. Click on Groups > Active Groups.
  3. Click on Add a Group and select Mail-enabled security.
  4. Provide a name for the group and then enter a group email address.
    NOTE
    All members within the Security Group will have access to the send-as through the application (see below).
  5. Add the user that should be the sender as a member to this newly created group.
    NOTE
    This account has to have the correct permissions to send emails since this is the account that will be used to send the emails from Specops Password Policy.
    NOTE
    This is the email that will be used as the From email address in Domain Administration Tool.

Registering and configuring a new app

  6. Log in to https://aad.portal.azure.com/ for your organization.
  7. Click on Azure Active Directory. This should bring you to your org's directory.
  8. Click on App Registrations.
  9. Click on New registration.
  10. Provide a name for the app.
  11. Select the supported account type as Single Tenant.
  12. Click on Register. Copy and save the Application (client) ID and Directory (tenant) ID. These will be used as Client ID and Tenant ID in the Domain Administration Tool.
  13. Click on API Permissions and click on Add a permission.
  14. Select Microsoft Graph and select the permission type as Application permissions.
  15. From the list, select the Mail.Send and User.Read.All permissions and click on Add permissions.
    NOTE
    If the "Attached" option in the Image handling dropdown is to be enabled, the Mail.ReadWrite permission has to be selected as well.
  16. Under Configured permissions for the app, click on Grant admin consent for your organization.
  17. Click on Certificates & secrets. Click on New client secret and set the expiry date.
  18. Copy and save the secret value. This will be used as the Client secret in the Domain Administration Tool.

Restricting the app access

  19. Open a PowerShell session with elevated privileges on the Exchange Admin’s Windows machine.
  20. Allow executing scripts that are signed by a trusted publisher. Use the following command to do so:
    Set-ExecutionPolicy RemoteSigned
  21. Install the EXO (ExchangeOnline) V2 module with the following command:
    Install-Module -Name ExchangeOnlineManagement
  22. Load the EXO V2 module using the following command:
    Import-Module ExchangeOnlineManagement
  23. Connect to the Exchange Online PowerShell using an admin account:
    Connect-ExchangeOnline -UserPrincipalName admin-account@yourorg.com
  24. This should open an SSO dialog box. Sign in with the admin account credentials.
  25. For the next step we’ll need the group email address created in step 4 and the app client ID from step 12. Copy these.
  26. Restrict the app’s API permission to only the members of the group using the following command:
    New-ApplicationAccessPolicy -AppId client-id-from-step-12 -PolicyScopeGroupId group-email-from-step-4@yourorg.com -AccessRight RestrictAccess -Description "Restrict app to send mail from group."
    NOTE
    It may take a few hours for application access policies to take effect in Graph REST API calls.
  27. Log out of the Exchange Online PowerShell session:
    Disconnect-ExchangeOnline
  28. Create a mailbox.
    NOTE
    This can be a licensed M365 User or a shared mailbox (doesn’t need a license) with an appropriate email address/sender name.
  29. Add the user/mailbox with the intended email to the security group, to allow the send-as through the application.

Configuring the Domain Administration Tool

  30. Open the Domain Administration Tool and go to Domain Settings > Email System Settings (Edit).
  31. Make sure the Email Delivery System dropdown is set to Arbiter - Microsoft Graph API.
  32. Enter the Tenant ID (step 12).
  33. Enter the Client ID (step 12).
  34. Enter the From Email Address (step 5).
  35. Enter the Client Secret (step 18).
  36. Click Test Settings to see if the configuration works.
  37. Click OK.
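Because Mail.Send as an application permission lets the app send as any mailbox in the tenant until an application access policy restricts it, it is worth verifying the policy after running New-ApplicationAccessPolicy. The following script is an added example, not part of Specops Password Policy or its documentation; it assumes the ExchangeOnlineManagement module is installed and takes the app client ID, the group address, the sender mailbox and (as a control) any mailbox that is not a group member as parameters, all of which are placeholders you supply.

```powershell
# Added verification script (not Specops code). Checks that the Graph mail app is
# restricted to the mail-enabled security group, using the real Exchange Online cmdlets
# Get-ApplicationAccessPolicy and Test-ApplicationAccessPolicy.
param(
    [Parameter(Mandatory)] [string] $AppId,       # Application (client) ID of the registered app
    [Parameter(Mandatory)] [string] $GroupEmail,  # mail-enabled security group address
    [Parameter(Mandatory)] [string] $SenderUpn,   # the From address, a member of the group
    [Parameter(Mandatory)] [string] $OtherUpn,    # a mailbox NOT in the group, used as a control
    [Parameter(Mandatory)] [string] $AdminUpn     # Exchange admin account used to connect
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # 1. Is there a RestrictAccess policy for this app at all?
    $policies = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
    if (-not $policies) {
        Write-Warning "No application access policy found for app $AppId. The app can currently send as ANY mailbox in the tenant."
    }
    else {
        $policies | Format-Table AppId, ScopeName, AccessRight, Description -AutoSize
    }

    # 2. Effective result per mailbox. AccessCheckResult is 'Granted' or 'Denied'.
    $checks = foreach ($upn in @($SenderUpn, $OtherUpn)) {
        $r = Test-ApplicationAccessPolicy -Identity $upn -AppId $AppId
        [pscustomobject]@{ Mailbox = $upn; Result = $r.AccessCheckResult }
    }
    $checks | Format-Table -AutoSize

    $senderGranted = ($checks | Where-Object Mailbox -eq $SenderUpn).Result -eq 'Granted'
    $otherDenied   = ($checks | Where-Object Mailbox -eq $OtherUpn).Result  -eq 'Denied'

    if ($senderGranted -and $otherDenied) {
        Write-Host "OK: the app can send only as members of $GroupEmail."
    }
    elseif (-not $senderGranted) {
        # Either the sender is not in the group yet, or the policy has not propagated.
        Write-Warning "$SenderUpn is denied. Confirm it is a member of $GroupEmail; policies can take a few hours to apply."
    }
    else {
        Write-Warning "$OtherUpn is still granted: the app is not yet restricted to $GroupEmail (policy missing or not yet propagated)."
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it once right after creating the policy and again a few hours later, since the page notes that application access policies take time to take effect in Graph calls.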

Custom User Attributes

If email and mobile number in Active Directory are not stored in the standard email and mobile fields, respectively, they can be overridden in the Custom User Attributes section of the Domain Administration tool, which allows the system to reference the correct attributes. Use the exact attribute name as is listed in the Attribute Editor in AD to override the default attributes.

Expiration email notifications


Specops Password Policy can be configured to send out email notifications at a determined time before the user’s password is set to expire. These mails can be enabled and configured in the Group Policy snap-in. Since these emails are configured in the Group Policy snap-in, there can be different email configurations for each GPO.

Configuring password expiration notifications

  1. Go to the Password Expiration tab.
  2. [Optional] Check the Notify at login option
    This will show the user when their password will expire at the Windows login screen.
  3. Check the Send email notification option.
  4. Set the number of days before password expiration when the notification is to be sent (only available if Send email notifications has been checked).
  5. From email and From name
    The contents of these two fields will be determined by what has been configured in the global SMTP settings in the Domain Administration tool. They cannot be altered here.
  6. To Email, CC, and BCC
    Determines where the email is sent. Using the default %UserEmail% placeholder will send it to the user’s email address stored in Active Directory. Multiple addresses can be input, separated by commas or semicolons.
  7. Subject
    This field determines what is mentioned in the email’s subject field. To use placeholder texts, use the (Insert Placeholder) button at the right.
  8. Body
    Click Edit to alter the contents of the email’s body. Please refer to the section below on the body content’s formatting options.
    NOTE
    Sending images in email as attachments: by default, images in email are embedded (inline) and encoded with base64. To send emails with attached images to Gmail or Google Workspace, the setting "Attached" in the Image Handling dropdown must be enabled.

NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Configuring the email body content (HTML)

Emails can be edited by clicking the Edit button at the bottom of the notification field. An HTML editor will pop up in a new window, where the following functions are available in the editor ribbon:

  • Emphasis (bold, italic, underline)
  • Font
  • Font color
  • Font size
  • Text alignment
  • Lists (bulleted and numbered)
  • Links
  • Images
  • Placeholder text (%)

There is also the option to edit the email in HTML code by clicking the HTML button.

Sending test emails

For both expiration emails and compromised password notifications (Specops Breached Password Protection) you can send test emails to check the formatting and message.

  1. In the email notification section, click Send Test Email.
    NOTE
    Email notifications need to be activated in order to be able to send test emails.
  2. Click Select User.
  3. Enter a user from Active Directory to send the test email to.
  4. For Specops Password Policy you can set the days until expiration. This will usually only change the subject line of the email, unless the body of the email contains placeholders such as %DynamicExpirationInfo%.
  5. Click Send.
  6. A success message should appear in the bottom text field.
    NOTE
    In case the test email fails, the text box will show a message saying what is wrong (e.g. The Sentinel service responded with an error. [InvalidSmtpConfigurationException]: 'No SMTP server has been configured. This must be configured from Specops Password Policy Domain Administration.').

Expiration text message notifications


Specops Password Policy can be configured to send out text message notifications at a determined time before the user’s password is set to expire. These text messages can be enabled and configured in the Group Policy snap-in. Since these text messages are configured in the Group Policy snap-in, there can be different text message configurations for each GPO.

Configuring password expiration notifications

  1. Go to the Password Expiration tab.
  2. Check the Send Text message notification option in the Text Message Notification field.
  3. Set the number of days before password expiration when the notification is to be sent (only available if Send email notifications has been checked).
  4. Compose the text message body text.
    NOTE
    Placeholder texts can be used in the text message body as well. For a list of placeholders, see Placeholders below.

NOTE
To automatically include a default country code in case this is not included in the Active Directory entry, set the Default mobile number country code under General settings. For more information, please see the Administration page.
NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Breached Password Protection Complete email notifications (Continuous)


If Breached Password Protection Complete has been enabled, it can be set up to notify users whenever they have changed their password to one that is listed in the Breached Password Protection Complete database.

Configuring Breached Password Protection Complete email notifications

  1. Go to the Breached Password Protection tab, and click on the Continuous menu on the left.
  2. Make sure the Check for compromised passwords continuously drop-down is set to Using the online Complete API.
  3. Check the Email users when their passwords are found to be compromised option
  4. From email and From name
    The contents of these two fields will be determined on what has been configured in the global SMTP settings in the Domain Administration tool. They cannot be altered here.
  5. To Email, CC and BCC
    Determines where the email is sent. Using the default %UserEmail% placeholder will send it to the user’s email address stored in Active Directory. Multiple addresses can be input, separated by commas or semicolons.
  6. Subject
    This field determines what is mentioned in the email’s subject field. To use placeholder texts, use the (Insert Placeholder) button at the right.
  7. Body
    Click Edit to alter the contents of the email’s body. Please refer to the section below on the body content’s formatting options.

Configuring the email body content (HTML)

Emails can be edited by clicking the Edit button at the bottom. An HTML editor will pop up in a new window, where the following functions are available in the editor ribbon:

  • Emphasis (bold, italic, underline)
  • Font
  • Font color
  • Font size
  • Text alignment
  • Lists (bulleted and numbered)
  • Links
  • Images
  • Placeholder text (%)

NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Breached Password Protection Complete text message notifications (Continuous)


Same as with Breached Password Protection Complete email notifications, users can be sent a text message whenever they have changed their password to one that is listed in the Breached Password Protection Complete database.

Configuring Breached Password Protection Complete text message notifications

  1. Go to the Breached Password Protection tab, and click on the Continuous menu on the left.
  2. Make sure the Check for compromised passwords continuously drop-down is set to Using the online Complete API.
  3. Check the Text users when their passwords are found to be compromised option
  4. Alter the text to be included in the text message in the Text message field. To include placeholders, use the (Insert Placeholder) dropdown.

NOTE
To automatically include a default country code in case this is not included in the Active Directory entry, set the Default mobile number country code under General settings. For more information, please see the Administration page.
NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Breached Password Protection Express Notifications (Continuous)


When Breached Password Protection Express is enabled, users can be notified by email when their current password has been found in the Breached Password Protection Express database after the database has been updated.

Configuring Breached Password Protection Express Dictionary

  1. Go to the Breached Password Protection tab, and click on the Continuous menu on the left.
  2. Make sure the Check for compromised passwords continuously drop-down is set to Using the local Express list.
  3. Check the Email users when their passwords are found to be compromised option.
  4. From email and From name
    The contents of these two fields will be determined on what has been configured in the global SMTP settings in the Domain Administration tool. They cannot be altered here.
  5. To Email, CC and BCC
    Determines where the email is sent. Using the default %UserEmail% placeholder will send it to the user’s email address stored in Active Directory. Multiple addresses can be input, separated by commas or semicolons.
  6. Subject
    This field determines what is mentioned in the email’s subject field. To use placeholder texts, use the (Insert Placeholder) button at the right.
  7. Body
    Click Edit to alter the contents of the email’s body. Please refer to the section below on the body content’s formatting options.

Configuring the email body content (HTML)

Emails can be edited by clicking the Edit button at the bottom. An HTML editor will pop up in a new window, where the following functions are available in the editor ribbon:

  • Emphasis (bold, italic, underline)
  • Font
  • Font color
  • Font size
  • Text alignment
  • Lists (bulleted and numbered)
  • Links
  • Images
  • Placeholder text (%)

NOTE
To alter the language used for the placeholders, set the User language in the General Settings. For more information, please see the Administration page.

Placeholder texts


Placeholder texts can be used to insert dynamic information (such as password rules or the user’s email address) into notifications. Below is a list of all the placeholder texts available.

All placeholder texts (with the exception of those that only contain numbers) have been localized in the languages available in Specops Password Policy. The language presented to the user will depend on the setting for Notification language for the notification in question.

Note that not all Placeholders are available for all notifications. The ones available to all notifications have been indicated with an asterisk.

  • %UserEmail% : user’s email address
  • %ManagerEmail% : email address of the user’s manager (used to notify managers about users whose passwords are about to expire)
  • %SamAccountName%* : user’s samAccountName attribute in AD
  • %Upn%* : user’s userPrincipalName attribute in AD
  • %DisplayName%* : user’s displayName attribute in AD
  • %DynamicExpirationInfo% : e.g. “Your password will expire in 3 days”
  • %PasswordRules% : list of rules set in the configuration
  • %DaysUntilExpiration% : days until password expiration (1, 2, 3, 4, etc.)
  • %PasswordRulesHeader% : “Your new password must meet the following requirements:”