MIM & Azure SSPR

Are you looking for a more secure way to give new users their initial passwords for Azure Active Directory? If so, you are not alone. This is a common challenge for organizations, and putting a safer process in place is key.

In the past, organizations have assigned initial passwords derived from information about the user (a birth date, an employee ID, part of a name) that can easily be guessed, or they have generated a random password, printed it, and physically handed it to the new user. Neither option is reliable: a patterned password can be attacked by anyone who knows the pattern, and a printed one can be read or copied by anyone who handles it before the user does. As a result, initial passwords have a high likelihood of being compromised.

Now there is a better way to handle this scenario. Many of these same organizations already store a personal email address for each person in the corporate HR or SIS database. Using Azure Self-Service Password Reset (SSPR) with password writeback together with Microsoft Identity Manager (MIM), that personal email address can be flowed into Azure AD so that new users set their own passwords through SSPR, and no administrator or middle person ever sees the password at all.

Pre-Requisites

  • Azure Self-Service Password Reset (SSPR) with Password Writeback enabled
  • Microsoft Identity Manager (MIM) 2016 SP1 with hotfix 4.4.1642.0 (KB4021562) or later
  • Microsoft .NET Framework 4.5.2 or later installed on the MIM synchronization server

Configuration

In Azure Active Directory, a new application must be registered that has the following Microsoft Graph application permissions:

  1. Directory.Read.All
  2. Directory.ReadWrite.All
  3. User.Read.All
  4. User.ReadWrite.All

These are application permissions, not delegated permissions, so they require tenant administrator consent before the MIM connector can use them. The ReadWrite permissions let the credential modify every user and directory object in the tenant, so protect the application's client secret or certificate as you would a domain administrator password: store it only on the MIM synchronization server, restrict who can read the connector configuration, and rotate it on a schedule.

The MIM Graph Management Agent (MA) needs to be downloaded from the Microsoft URL, https://www.microsoft.com/en-us/download/details.aspx?id=51495, and installed on the MIM synchronization server.

Using the MIM Graph MA (the graph version must be set to BETA), configure an attribute flow that populates the “otherMails” attribute in Graph from the personal email address held in the HR or SIS database. “otherMails” is the Graph name for the “AlternateEmailAddresses” attribute shown by the Azure AD PowerShell v1 command Get-MsolUser, and it is the source of the “Alternate email” contact data that Azure SSPR uses. Once the address is populated, a user can reset their own password by going to https://aka.ms/sspr, entering their username, and confirming the verification code sent to that personal address; with password writeback enabled, the new password is written to on-premises Active Directory.
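The following PowerShell is an added example, not part of the original post or of Microsoft's MIM connector, for checking the configuration above before the full MIM attribute flow is switched on. It verifies that the app registration requests the four Graph application permissions and that admin consent has actually been granted, then populates and reads back “otherMails” for a single pilot user so the SSPR path can be tested end to end. It assumes the Microsoft.Graph PowerShell SDK and an administrative sign-in; the application display name “MIM Graph MA”, the corporate domain “contoso.com”, and the pilot addresses are placeholders.

```powershell
# Added example (not from the original post): verify the Azure AD app registration the
# MIM Graph MA will use, then populate and read back otherMails for one pilot user.
# Assumptions: Microsoft.Graph PowerShell SDK installed; an admin account that can read
# applications and write users; 'MIM Graph MA', 'contoso.com' and the pilot UPN are
# placeholders for your own values.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Application.Read.All', 'User.ReadWrite.All' | Out-Null

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$required   = 'Directory.Read.All', 'Directory.ReadWrite.All', 'User.Read.All', 'User.ReadWrite.All'

function Test-MimGraphAppPermissions {
    param([Parameter(Mandatory)][string]$AppDisplayName)

    $app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
    if (-not $app) { throw "App registration '$AppDisplayName' not found" }

    # Map Graph's app-role GUIDs to their names so the report is readable
    $graphSp  = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
    $roleName = @{}
    foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

    # What the registration *requests*: Type 'Role' = application permission (not delegated)
    $requested = @()
    foreach ($rra in ($app.RequiredResourceAccess | Where-Object ResourceAppId -eq $graphAppId)) {
        foreach ($ra in ($rra.ResourceAccess | Where-Object Type -eq 'Role')) {
            $requested += $roleName[$ra.Id]
        }
    }

    # What tenant-admin consent actually *granted* to the app's service principal
    $mimSp   = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
    $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mimSp.Id |
               Where-Object ResourceId -eq $graphSp.Id |
               ForEach-Object { $roleName[$_.AppRoleId] }

    foreach ($p in $required) {
        [pscustomobject]@{
            Permission = $p
            Requested  = ($requested -contains $p)
            Consented  = ($granted   -contains $p)
        }
    }
}

function Set-PilotAlternateEmail {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$PersonalEmail,
        [string[]]$CorporateDomains = @('contoso.com')   # placeholder: your verified domains
    )
    # Guardrails before writing: a malformed address silently breaks SSPR for the user,
    # and a corporate-domain address defeats the purpose, because a new hire cannot read
    # that mailbox until they have a password.
    if ($PersonalEmail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Rejected '$PersonalEmail': not a valid email address"
    }
    $domain = $PersonalEmail.Split('@')[1]
    if ($CorporateDomains -contains $domain) {
        throw "Rejected '$PersonalEmail': corporate domain, user cannot receive the reset code there"
    }

    # Write the same attribute the MIM Graph MA flow will manage
    Update-MgUser -UserId $UserPrincipalName -OtherMails @($PersonalEmail)

    # Read it back the way SSPR will see it (Graph 'otherMails' is 'AlternateEmailAddresses'
    # in the v1 Get-MsolUser output)
    (Get-MgUser -UserId $UserPrincipalName -Property otherMails).OtherMails
}

Test-MimGraphAppPermissions -AppDisplayName 'MIM Graph MA' | Format-Table
Set-PilotAlternateEmail -UserPrincipalName 'pilot.user@contoso.com' -PersonalEmail 'pilot.user@example.net'
```

Run the permission check first: a permission that shows Requested but not Consented means the registration is correct but an administrator has not yet granted consent, and the connector's first import will fail with an authorization error. After the pilot write succeeds, have that user walk through https://aka.ms/sspr before enabling the flow for everyone; if you still run the v1 module, `Get-MsolUser -UserPrincipalName pilot.user@contoso.com | Select-Object -ExpandProperty AlternateEmailAddresses` should show the same address.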

Using the tools and steps above, new users can receive their initial passwords through Azure SSPR with password writeback, MIM, and the personal email address already held in HR. No password is created by an administrator or handed over in person, so the risk of it being guessed or seen by a third party before the user starts is greatly reduced. The remaining trust sits in the accuracy of the HR-sourced address and the security of that personal mailbox, so keep the HR feed authoritative and, where your SSPR policy allows, require a second method such as a mobile phone number before a reset is permitted.

If you have questions about setting up your own process as outlined above, contact us at info@forsyteit.com, 844.587.4535, or fill out the form below. Our team comprises experts in Microsoft technology and is happy to help!


ADDITIONAL REFERENCES:

Group-based licensing in Azure Active Directory (Azure AD): https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal

Step by step guide: Setting up an azure application: https://forsyteitsolutions.sharepoint.com/Shared%20Documents/MIM/MIM%20Azure%20SSPR%20Integration.docx?web=1 (V2 of the guide: Microsoft changed the UI since writing V1)
