ADFS 2012 R2 now supports Password Change (not reset) across all devices
Howdy everyone!
Today I’m going to blog about password change feature in ADFS. This is not a well-known feature but a very useful one for many organizations.
Password change is the ability for a user (in Active Directory Domain Services) to change their password with knowledge of their old password. Note that this is not password reset where the user does not know their password and needs to use an alternate credential (such as phone or security questions) to reset their password. One such example is Azure Active Directory that provides Self-Service Password Reset capabilities in the cloud that make this simple for end users. Traditionally users would use their windows domain joined devices inside their corporate devices or they would change password through their on-premises OWA system that provided this functionality. However, with moving to Office 365 and the advent of multiple devices accessing company resources, users cannot really use those same mechanisms anymore. Employees are also not always connected to the corporate network when their password need to be changed which can also prove to be challenging and a help desk call generator.
The feature in ADFS was meant to address the above issues. The use cases that we targeted were the following:
- Expired Password: User is accessing applications such as Office 365 and is logging onto ADFS using their expired password. At this time, ADFS will interrupt the login flow (when password change is enabled) and ask the user to change their password. Once they change their password, they are seamlessly taken back to the login page, enter their changed password and subsequently taken to the application that they were logging into.
- User Must Set Password at next login: Many times when you have a new employee or when a password is reset through a password reset mechanism such as the SSPR feature in Azure AD, users need to change their passwords at the next login into AD.
- Change Password when passwords are soon to expire: We targeted this case specifically for Office 365 applications where ADFS can notify Office apps that a password is set to expire with 14 days (not configurable) and notify the user and now the user can just click on the change password link when this notification appears and can change their password via ADFS.
- Change Password any time by directly going to the password change URL: This is simply a case where the user can bookmark the change password URL and just access this to change their password in AD.
Enabling Change Password in ADFS
By default, this functionality is disabled in ADFS. Change password looks just like another endpoint in ADFS and all you need to do is enable the endpoint. You can use the MMC snapin to enable this.
You can also do this via PSH using the Set-AdfsEndpoint cmdlet.
Once enabled, users can always access the change password page via https://adfs.contoso.com/adfs/portal/updatepassword/. It would look like this
Note: ADFS 2012 R2 required authenticated/registered devices (a.k.a ‘workplace join’) to allow the change of passwords. Based on customer feedback, we have relaxed this constraint and allow this from all devices. You will need to apply 3035025 hotfix on all the ADFS servers.
Enabling password expiry notification
This is a use case that is specifically targeted towards logging into Office 365. Enabling this requires a modification to the ‘issuance’ claims rules for the relying party trust that represents Azure Active Directory. If you used AAD PSH to create this RP trust, you will see this as the “Office 365 Identity Platform” RP trust.
All you need to do is to add the following claims rule to the issuance claims when sending tokens to Azure AD/Office 365.
c1:[Type == "https://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
=> issue(store = "_PasswordExpiryStore", types = ("https://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "https://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "https://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);
With the above rule we are sending 3 additional claims
- Password Expiration Time: This is the time when the user’s password will expire
- Password Expiration Days: This is the number of days remaining prior to the password expiry
- Password Change URL: This is the URL of the password change URL from ADFS
Hope you found this blog post useful. Feel free to post comments on this blog post to ask questions or leave feedback. You can also tweet to @MrADFS.
--Sam
Comments
Anonymous
May 22, 2015
Hello, can you please guive us more infos on how to enable password expiry notification, I have configured it in ADFS Claims but I still don't receive notification, is there any thing to be done on Office 365? thanksAnonymous
May 23, 2015
Hi Nizar, these claims only go out if the password is to expire within 14 days. Was the password going to expire within 14 days? If so, could you take a fidder (www.telerik.com/.../fiddler) trace of the traffic and send it to samueld@microsoft.com. If we see the claims there, we need to check to see if we had a regression in Azure AD or Office. Thanks /SamAnonymous
July 07, 2015
Does the password change mechanism work correctly if AlternateLoginID is in use on ADFS?- Anonymous
May 13, 2016
Hi Ken H , Did you ever get a reply to your question as I might have to look at this scenario myself. Thanks Andy
- Anonymous
Anonymous
August 20, 2015
Is it possible to configure Office 365 to send the user to the ADFS password change URL when they click "Change password" in their profile settings, rather than the "you can't change your password here." error page that appears by default? -JoeAnonymous
September 13, 2015
Is it possible to provided a return url in the query string so that the user is sent back to our website after changing their password?Anonymous
September 14, 2015
Hi Billy, the hotfix is not needed any more! If your system is patched ;) www.acpcloud.rocks ;))Anonymous
September 21, 2015
The comment has been removedAnonymous
October 20, 2015
Great post, Sam! Thank you very much :-)Anonymous
October 23, 2015
I would like to append the domain for the user like on the sign-on page. Any ideas?Anonymous
October 28, 2015
The comment has been removedAnonymous
October 28, 2015
"I would like to append the domain for the user like on the sign-on page." James, I'm very interested in this too!!! Our Sign In page does this using onload.js as documented by Microsoft. The domainSAMAccountName that the user enters is automatically transferred to the Update Password page when the user is automatically redirected to it but when a users goes directly to the Update Password page the placeholder says "someone@example.com" and the user needs to enter either UPN or domainSAMAccountName. I've tried to change this using the same onload.js file but so far without any success.- Anonymous
March 29, 2016
To change the placeholder, where it says "someone@example.com" to display "domain\user.name", add the following to your onload.js:var userNameInput = document.getElementById ("userNameInput");userNameInput.placeholder = "domain\user.name";Note, you need to use double \ or it will not work. - Anonymous
March 29, 2016
To add the domain to the change password page modify the onload.js file.if (typeof UpdatePassword != 'undefined') { UpdatePassword.submitPasswordChange = function () { var u = new InputUtil(); var e = new UpdErrors(); var userName = document.getElementById(UpdatePassword.userNameInput); var oldPassword = document.getElementById(UpdatePassword.oldPasswordInput); var newPassword = document.getElementById(UpdatePassword.newPasswordInput); var confirmNewPassword = document.getElementById(UpdatePassword.confirmNewPasswordInput); if (!userName.value || !userName.value.match('[@\\]')) { var userName = 'contoso.com\' + userName.value; document.forms['updatePasswordForm'].userNameInput.value = userName; } if (!oldPassword.value) { u.setError(oldPassword, e.oldPasswordEmpty); return false; } if (!newPassword.value) { u.setError(newPassword, e.newPasswordEmpty); return false; } if (!confirmNewPassword.value) { u.setError(confirmNewPassword, e.confirmNewPasswordEmpty); return false; } if (newPassword.value !== confirmNewPassword.value) { u.setError(confirmNewPassword, e.mismatchError); return false; } var error = document.getElementById('error'); error.innerHTML = ''; return true; };}
- Anonymous
Anonymous
January 20, 2016
Has anyone worked out how to redirect to the original URL as mentioned by Paul S? This is what we required as well.Anonymous
January 22, 2016
Was anyone able to configure the password expiration email with federated domain? Is that supported? And with wsfed, I am not able to view the claim value from Fiddler. What's the best way to check whether the claim has been sent to Office 365? Thanks!Anonymous
February 03, 2016
Good Day Sam Great Post thank you . after enabling the feature when we go to the change password page are redirected to the error page. An error occurred An error occurred. Contact your administrator for more information. Error details•Activity ID: 00000000-0000-0000-0400-0080000000f2 •Error time: Thu, 04 Feb 2016 05:00:58 GMT •Cookie: enabled •User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)- Anonymous
June 23, 2016
Shaun, we are having the same problem as you were. Did you ever get it fixed? If so, how?
- Anonymous
Anonymous
March 29, 2016
What is the purpose of the cancel button? Should this redirect back to the sign in page?When i click on the cancel button it just clears my entered in password.Anonymous
August 29, 2016
Are you able to put this behind multi factor auth so users are required to pass a second factor before changing their password?- Anonymous
September 19, 2016
Hi, we don't have additional enforcement controls for this outside of knowing your prior password. We'll consider this for the next version.
- Anonymous
Anonymous
September 13, 2016
Hi Sam,Can we limit this feature to a set of users/group ? We don't everyone should be able to change password, is that possible via claim rules?Thanks Amit Kalia- Anonymous
September 19, 2016
Hi Amit, we don't have any way to control this.
- Anonymous