ADFS 2012 R2 now supports Password Change (not reset) across all devices


Howdy everyone!

Today I’m going to blog about the password change feature in ADFS. This is not a well-known feature, but a very useful one for many organizations.

Password change is the ability for a user (in Active Directory Domain Services) to change their password using knowledge of their old password. Note that this is not password reset, where the user does not know their password and needs to use an alternate credential (such as a phone or security questions) to reset it. One example of the latter is Azure Active Directory, which provides Self-Service Password Reset capabilities in the cloud that make this simple for end users. Traditionally, users would change their password from their Windows domain-joined devices inside the corporate network, or through their on-premises OWA, which provided this functionality. However, with the move to Office 365 and the advent of multiple devices accessing company resources, users cannot really use those same mechanisms anymore. Employees are also not always connected to the corporate network when their password needs to be changed, which can prove challenging and generate help desk calls.

The feature in ADFS was meant to address the above issues. The use cases that we targeted were the following:

  • Expired password: The user is accessing an application such as Office 365 and logs on to ADFS with an expired password. At this point ADFS interrupts the login flow (when password change is enabled) and asks the user to change their password. Once they have changed it, they are seamlessly taken back to the login page, enter the new password, and are then taken on to the application they were logging into.
  • User must change password at next logon: Often, when you have a new employee, or when a password has been reset through a mechanism such as the SSPR feature in Azure AD, the user must change their password at the next logon to AD.
  • Change password when the password is about to expire: We targeted this case specifically for Office 365 applications. ADFS can notify the Office apps that a password is set to expire within 14 days (not configurable); the apps notify the user, who can simply click the change password link in that notification and change their password via ADFS.
  • Change password at any time by going directly to the password change URL: Here the user simply bookmarks the change password URL and accesses it whenever they want to change their password in AD.

Enabling Change Password in ADFS

By default, this functionality is disabled in ADFS. Change password is just another endpoint in ADFS, and all you need to do is enable that endpoint. You can use the MMC snap-in to do this.

You can also do this via PowerShell, using the Set-AdfsEndpoint cmdlet.

Once enabled, users can always reach the change password page at https://adfs.contoso.com/adfs/portal/updatepassword/. It looks like this:
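The steps above (enable the endpoint, confirm it, reach the page) as one PowerShell sequence. This is an added example, not code from the original post: it uses the Enable-AdfsEndpoint, Set-AdfsEndpoint and Get-AdfsEndpoint cmdlets from the ADFS module with the endpoint path given above; the farm name adfs.contoso.com is an assumed placeholder.

```powershell
# Added example (not from the original post). Enables the ADFS update-password
# endpoint, publishes it through the Web Application Proxy, restarts the
# service and verifies the result. Run elevated on an ADFS 2012 R2 server
# (the primary server if the farm uses WID).
Import-Module ADFS

$endpointPath = '/adfs/portal/updatepassword/'   # path from the post
$farmName     = 'adfs.contoso.com'               # assumed placeholder

# State before the change: Enabled is False on a default install.
Get-AdfsEndpoint -AddressPath $endpointPath | Format-List AddressPath, Enabled, Proxy

# 1. Enable the endpoint on the federation servers.
Enable-AdfsEndpoint -TargetAddressPath $endpointPath

# 2. Publish it through the proxy. Without this, external users can still sign in,
#    but the proxy does not forward requests for the password-change page.
Set-AdfsEndpoint -TargetAddressPath $endpointPath -Proxy $true

# 3. Endpoint changes take effect when the ADFS service restarts (do this on
#    every server in the farm).
Restart-Service adfssrv

# 4. Verify both flags, failing loudly if either is still False.
$ep = Get-AdfsEndpoint -AddressPath $endpointPath
if (-not ($ep.Enabled -and $ep.Proxy)) {
    throw "Endpoint $endpointPath not ready: Enabled=$($ep.Enabled) Proxy=$($ep.Proxy)"
}
"Password change page: https://$farmName$endpointPath"
```

The -Proxy step is the one that is easy to forget: with it left at its default, the page works from inside the corporate network but external users going through the Web Application Proxy get an error instead of the change password form.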


Note: ADFS 2012 R2 originally required authenticated/registered devices (a.k.a. ‘workplace join’) in order to allow password change. Based on customer feedback, we have relaxed this constraint and now allow it from all devices. You will need to apply hotfix 3035025 on all the ADFS servers.

Enabling password expiry notification

This use case is specifically targeted at logging into Office 365. Enabling it requires a modification to the issuance claim rules of the relying party trust that represents Azure Active Directory. If you used the Azure AD PowerShell module to create this RP trust, you will see it as the “Office 365 Identity Platform” RP trust.

All you need to do is add the following claim rule to the issuance transform rules used when sending tokens to Azure AD/Office 365.

c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
 => issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);

With the above rule we send 3 additional claims:

  • Password Expiration Time: the time at which the user’s password will expire
  • Password Expiration Days: the number of days remaining before the password expires
  • Password Change URL: the URL of the ADFS password change page
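The rule above can also be added from PowerShell instead of the management console. This is an added example and not the post's own procedure: it reads the existing issuance transform rules of the RP trust with Get-AdfsRelyingPartyTrust, appends the rule exactly as written above, and writes the combined set back with Set-AdfsRelyingPartyTrust. The trust name in $rpName is an assumption (the Azure AD module creates it as “Microsoft Office 365 Identity Platform”; list yours with Get-AdfsRelyingPartyTrust), and the @RuleName label and backup file path are mine.

```powershell
# Added example (not from the original post). Appends the password-expiry claim
# rule to the issuance transform rules of the Azure AD / Office 365 RP trust
# without disturbing the rules already there, and verifies the result.
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'   # assumed; confirm with Get-AdfsRelyingPartyTrust

# The rule from the post. _PasswordExpiryStore and the "{0};" query are the
# fixed values the built-in store expects; only the @RuleName label is added.
$expiryRule = @'
@RuleName = "Password expiry claims for Office 365"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
 => issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

$existing = [string]$rp.IssuanceTransformRules

# Idempotency: do not add the rule twice if the script is re-run.
if ($existing -match '_PasswordExpiryStore') {
    "Password expiry rule already present on '$rpName'; nothing to do."
    return
}

# Keep a copy of the current rule set so the change can be rolled back.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP ("{0}-issuance-rules-{1}.txt" -f ($rpName -replace '[^\w]', '_'), $stamp)
$existing | Set-Content -Path $backup
"Existing rules saved to $backup"

# Set-AdfsRelyingPartyTrust replaces the whole rule set, so append and write back.
$newRules = $existing.TrimEnd() + "`r`n`r`n" + $expiryRule
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules

# Verify that the new claim types are now part of the issuance rules.
$verify = [string](Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
if ($verify -notmatch 'passwordchangeurl') {
    throw "Rule was not applied to '$rpName'"
}
"Password expiry rule added to '$rpName'."
```

If something goes wrong, the saved file restores the previous state with Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRulesFile $backup. Remember that the three claims only appear in a token when the password is within the 14-day window, so a token captured for an account whose password expires later will not show them.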


Hope you found this blog post useful. Feel free to post comments on this blog post to ask questions or leave feedback. You can also tweet to @MrADFS.

--Sam


Comments (23)

  1. Anonymous says:

    Hello,

    can you please give us more info on how to enable password expiry notification? I have configured it in ADFS claims but I still don't receive a notification; is there anything to be done on Office 365?

    thanks

  2. Hi Nizar, these claims only go out if the password is to expire within 14 days. Was the password going to expire within 14 days? If so, could you take a Fiddler (http://www.telerik.com/.../fiddler) trace of the traffic and send it to samueld@microsoft.com? If we see the claims there, we need to check whether we had a regression in Azure AD or Office.

    Thanks

    /Sam

  3. Ken H says:

    Does the password change mechanism work correctly if AlternateLoginID is in use on ADFS?

    1. Andy K says:

      Hi Ken H, did you ever get a reply to your question? I might have to look at this scenario myself. Thanks, Andy

  4. Joe C says:

    Is it possible to configure Office 365 to send the user to the ADFS password change URL when they click "Change password" in their profile settings, rather than the "you can't change your password here." error page that appears by default?

    -Joe

  5. Jim W says:

    Is it possible to provide a return URL in the query string so that the user is sent back to our website after changing their password?

  6. Stefan Denninger says:

    Hi Billy,

    the hotfix is not needed any more! If your system is patched 😉

    http://www.acpcloud.rocks ;))

  7. Paul S says:

    I too would like to find out how to automatically redirect the user back to the originating site after they have navigated to the ADFS provided Update password page. The desired flow is as follows:

    1. User is logged into website, and clicks on Update Password (redirects user to ADFS Update PW page) - What should we pass here - a query string? If so, in what format.

    2. User is redirected to Update Password page.

    3. User updates their password, or clicks on Cancel (both scenarios can occur).

    4. In either case, the user should be brought back to the originating website (at which point they may be redirected to the sign-in page to authenticate using the new credentials, and then redirected back to the original website). This latter part is provided out of the box by the ADFS sign-in page. However, the redirection back to the original website does not seem to be available out of the box on the Update Password page. How can this be accomplished? Is there any inbuilt mechanism that provides this capability? If not, what have people implemented to address this very common flow? Btw, I am using ADFS hosted by us (IaaS in an Azure data center).

    Thanks,

  8. Robert W says:

    Great post, Sam!

    Thank you very much 🙂

  9. James says:

    I would like to append the domain for the user like on the sign-on page.  Any ideas?

  10. Paras says:

    I have implemented this and observed that users are able to change their password on the internal network, but when they are on the external network, users can access the website, yet when they try to change the password they are told that they can't change their password.

    Is this expected behavior?

  11. Robert W says:

    "I would like to append the domain for the user like on the sign-on page."

    James, I'm very interested in this too!!!

    Our Sign In page does this using onload.js as documented by Microsoft.

    The domain\SAMAccountName that the user enters is automatically transferred to the Update Password page when the user is automatically redirected to it, but when a user goes directly to the Update Password page the placeholder says "someone@example.com" and the user needs to enter either UPN or domain\SAMAccountName. I've tried to change this using the same onload.js file but so far without any success.

    1. Jack says:

      To change the placeholder, where it says "someone@example.com" to display "domain\user.name", add the following to your onload.js:

      var userNameInput = document.getElementById("userNameInput");
      userNameInput.placeholder = "domain\\user.name";

      Note, you need to use double \ or it will not work.

    2. Andrew says:

      To add the domain to the change password page modify the onload.js file.

      if (typeof UpdatePassword != 'undefined') {
          UpdatePassword.submitPasswordChange = function () {
              var u = new InputUtil();
              var e = new UpdErrors();

              var userName = document.getElementById(UpdatePassword.userNameInput);
              var oldPassword = document.getElementById(UpdatePassword.oldPasswordInput);
              var newPassword = document.getElementById(UpdatePassword.newPasswordInput);
              var confirmNewPassword = document.getElementById(UpdatePassword.confirmNewPasswordInput);

              // If the user typed a bare account name (no '@' as in a UPN and no '\'
              // as in domain\user), prefix the domain. Replace contoso.com with your
              // own domain. An empty name is left alone so the server reports it.
              if (userName.value && !/[@\\]/.test(userName.value)) {
                  document.forms['updatePasswordForm'].userNameInput.value = 'contoso.com\\' + userName.value;
              }

              // Standard field validation, unchanged from the page's own checks.
              if (!oldPassword.value) {
                  u.setError(oldPassword, e.oldPasswordEmpty);
                  return false;
              }

              if (!newPassword.value) {
                  u.setError(newPassword, e.newPasswordEmpty);
                  return false;
              }

              if (!confirmNewPassword.value) {
                  u.setError(confirmNewPassword, e.confirmNewPasswordEmpty);
                  return false;
              }

              if (newPassword.value !== confirmNewPassword.value) {
                  u.setError(confirmNewPassword, e.mismatchError);
                  return false;
              }

              // Clear any earlier error message and let the form submit.
              var error = document.getElementById('error');
              error.innerHTML = '';
              return true;
          };
      }

  12. Andrew says:

    Has anyone worked out how to redirect to the original URL as mentioned by Paul S?

    This is what we required as well.

  13. Leiming says:

    Was anyone able to configure the password expiration email with federated domain? Is that supported? And with wsfed, I am not able to view the claim value from Fiddler. What's the best way to check whether the claim has been sent to Office 365? Thanks!

  14. Shaun says:

    Good Day Sam

    Great post, thank you. After enabling the feature, when we go to the change password page we are redirected to the error page.

    An error occurred

    An error occurred. Contact your administrator for more information.

    Error details
    • Activity ID: 00000000-0000-0000-0400-0080000000f2
    • Error time: Thu, 04 Feb 2016 05:00:58 GMT
    • Cookie: enabled
    • User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)

    1. Dean Gross says:

      Shaun, we are having the same problem as you were. Did you ever get it fixed? If so, how?

  15. Andrew says:

    What is the purpose of the cancel button? Should this redirect back to the sign in page?
    When I click on the cancel button it just clears my entered password.

  16. aahmad says:

    Are you able to put this behind multi factor auth so users are required to pass a second factor before changing their password?

    1. Hi, we don't have additional enforcement controls for this outside of knowing your prior password. We'll consider this for the next version.

  17. amitkali says:

    Hi Sam,

    Can we limit this feature to a set of users/groups? We don't want everyone to be able to change their password; is that possible via claim rules?

    Thanks
    Amit Kalia

    1. Hi Amit, we don't have any way to control this.
