Chapter 7 – Self-Service Password Reset – in the FIM 2010 R2 book
In this chapter we will cover:
- Enabling password management in AD
- Allowing FIM Service to set passwords
- Configuring FIM Service
- The user experience
This is also the preview chapter that you can download.
I have installed MIM 2016 Password Reset and Registration Portals and all of the functionality is working as intended when I have one authentication gate. But when I add multiple authentication gates in the “Password Reset AuthN Workflow” such as QA gate, Email OTP and SMS OTP gates, users need to register all of these gates and they need to pass them one by one when they are resetting their passwords. Is there a way to make only one gate required so that users do not need to register all of them?
If you want a different gate experience for different users you need a Set/WF/MPR for each combination. Look at the default MPRs for SSPR and mimic those when creating your own combinations.
Thank you for your quick response, Kent. I currently have one set of users and I want all of my users to have the option to pick one of the available SSPR authentication methods. For instance, I would like to enable all four of the QA, OTP Email, OTP SMS and Phone gates, but I want users to have to register only one of them so they will have the option. With the available functionality in MIM 2016, when I add these authentication gates in one or more workflows, they run in sequential order, so the users are asked to register all of them and need to pass all of them to reset their password. On Azure AD Premium (as explained here https://blogs.technet.microsoft.com/ad/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium/) Microsoft has this functionality and calls it “number of contact methods required”. I was wondering if that is possible for MIM by either creating a custom authentication workflow or activity, or maybe by altering the behavior of the Password Reset and Registration Portals by customizing them.
I’m afraid the functionality you see in Azure AD Premium SSPR is not possible out-of-the-box in MIM. I have customers with solutions similar to what you want in place. But in order to get that in MIM you first need the user to decide the method they want to use, and store that in MIM so that the correct MPR can apply to the user. A small custom website integrated with the SSPR Portal could do the trick for you. As long as the “selection” is stored in MIM before the “normal” Registration Process is started it will work. I also have customers that do not use the SSPR built-in registration process, but rather collect the Mobile Phone and Private email to use, and then MIM automatically registers the user for SSPR using something like what I describe in this post http://konab.com/automate-sspr-registration-fim-2010-r2
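One way to build the per-method Sets that the reply above describes, as an added example (not code from the post or from MIM): it assumes the FIMAutomation snap-in on the MIM Service server and a hypothetical custom string attribute `SSPRPreferredGate` on Person, written by the selection site before registration starts. Each Set is then bound to its own copy of the built-in SSPR MPR and a Password Reset AuthN Workflow containing only that one gate.

```powershell
# Added example, not part of the original post. Assumes FIMAutomation is installed
# and a custom Person attribute "SSPRPreferredGate" (hypothetical) holds the user's choice.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri = "http://localhost:5725/ResourceManagementService"

# Build one attribute change for an ImportObject (Replace keeps the call idempotent for single values).
function New-ImportChange([string]$Name, [string]$Value) {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
    $c.AttributeName  = $Name
    $c.AttributeValue = $Value
    $c.FullyResolved  = $true
    $c.Locale         = "Invariant"
    return $c
}

# Create a criteria-based Set whose XPath filter selects users who picked the given gate.
function New-SsprGateSet([string]$Gate) {
    $xpath  = "/Person[SSPRPreferredGate='$Gate']"
    $filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
              'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
              'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
              'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
              $xpath + '</Filter>'

    $obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $obj.ObjectType             = "Set"
    $obj.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $obj.TargetObjectIdentifier = $obj.SourceObjectIdentifier
    $obj.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create
    $obj.Changes = @(
        (New-ImportChange "DisplayName" "SSPR Users - $Gate gate"),
        (New-ImportChange "Filter"      $filter)
    )
    return $obj
}

# One Set per self-selected method; pair each with its own MPR and a one-gate AuthN workflow.
foreach ($gate in "QA", "EmailOTP", "SmsOTP", "Phone") {
    New-SsprGateSet $gate | Import-FIMConfig -Uri $uri
}
```

Users whose `SSPRPreferredGate` is empty fall into none of these Sets, so keep the original all-gates MPR (or a deny) for them so no one ends up without any reset path.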
Thank you very much, Kent. This information is very helpful for me.
I have a quick question about password management via FIM portals. I could not find a delivered way to enable users to change their password if they already know their existing password unless they go through the same process as if they forgot their password. Am I missing something? If it does not exist as a functionality, what would be your recommendations to implement password change functionality?
No, FIM/MIM does not have PW change functionality, just PW reset or the new one in MIM called Account Unlock.
Most of my customers use ADFS and enable the Password Change feature in that to allow users to change password.
ADFS seems like the easiest and most straightforward solution for us as well. Thank you for your prompt response, Kent.
Your blog is just amazing!! Congrats…
I have now some trouble with OTP gates and until now I couldn’t find any kind of help.
The password reset/registration are just working properly with QA gate, but now I want to deploy some OTP gates.
After deploying the Azure MFA service, I always receive an MFA authentication issue, because the PhoneGatePhoneNumber attribute of my users is missing.
I couldn’t find any kind of description or blog post which describes this kind of use case or issue.
This attribute exists in the MIM Portal and the password registration process is successful, but I couldn’t see any attributes regarding it, neither in the MIM Portal nor in AD.
I think you already have experience with this kind of use case. 😉 Would you give me the next ‘kick’ and/or input to implement this service?
I would really appreciate it!
Thanks in advance for your answer & best regards, Ákos
So we have MIM in house and MIM SSPR running with MIM Portal and using the SSPR deployed. SSPR was designed to be available and used only on corporate network and not on the internet.
Question: if we have users who are trying to use the MIM SSPR client deployed on their machine to initiate a password reset on the internet (not on the corporate network), they get an error message. Is there a way to customize a message/prompt when users use the SSPR client on a machine to let them know it can only work on the corporate network?
Please help me, as we have many users asking and I have no way of preventing launching from outside.
As far as I know you cannot modify the client that way. When deploying SSPR client on laptops I recommend also using Direct Access or similar solution to allow SSPR client to “always” work.
Today I typically recommend using Azure AD SSPR and use the new client for that instead.
Will it be possible if we want to implement SSPR via SMS OTP and Email OTP both? I request you to please help us with the way we can do that.
It’s possible to require any combination of authentication in the SSPR Auth workflow. You can have different requirements for different groups of users. Just duplicate the built-in MPR/Set/WF.
Thanks for the reply Kent!
So if I understood you correctly, we need to make a different Set and MPR for SMS OTP and Email OTP and add one more authentication along with SMS OTP in the Authentication workflow?
Also, I need to understand one more thing: can we use Office365 for sending Email OTP in MIM?
Yes on both. But to send using Office365, MIM Service (fimservice account) should have its mailbox in O365.
Hello, you have a great blog.
Just wanted to ask something. We use SSPR on MIM, with the private email to get the OTP. We noticed that at times, rarely, we find a user who has the private email, but when it’s entered, the system gives a wrong-answer response, although the system actually has the same value the user is entering. If we change it to something else it works fine, but if we put it back it’s an error again.
Your recommendation would be highly appreciated.