ADFS 2012 R2 now supports Password Change (not reset) across all devices

Howdy everyone!

Today I’m going to blog about password change feature in ADFS. This is not a well-known feature but a very useful one for many organizations.

Password change is the ability for a user (in Active Directory Domain Services) to change their password with knowledge of their old password. Note that this is not password reset where the user does not know their password and needs to use an alternate credential (such as phone or security questions) to reset their password. One such example is Azure Active Directory that provides Self-Service Password Reset capabilities in the cloud that make this simple for end users.  Traditionally users would use their windows domain joined devices inside their corporate devices or they would change password through their on-premises OWA system that provided this functionality. However, with moving to Office 365 and the advent of multiple devices accessing company resources, users cannot really use those same mechanisms anymore. Employees are also not always connected to the corporate network when their password need to be changed which can also prove to be challenging and a help desk call generator.

The feature in ADFS was meant to address the above issues. The use cases that we targeted were the following:

  • Expired Password: User is accessing applications such as Office 365 and is logging onto ADFS using their expired password. At this time, ADFS will interrupt the login flow (when password change is enabled) and ask the user to change their password. Once they change their password, they are seamlessly taken back to the login page, enter their changed password and subsequently taken to the application that they were logging into.
  • User Must Set Password at next login: Many times when you have a new employee or when a password is reset through a password reset mechanism such as the SSPR feature in Azure AD, users need to change their passwords at the next login into AD.
  • Change Password when passwords are soon to expire: We targeted this case specifically for Office 365 applications where ADFS can notify Office apps that a password is set to expire with 14 days (not configurable) and notify the user and now the user can just click on the change password link when this notification appears and can change their password via ADFS.
  • Change Password any time by directly going to the password change URL: This is simply a case where the user can bookmark the change password URL and just access this to change their password in AD.

Enabling Change Password in ADFS

By default, this functionality is disabled in ADFS. Change password looks just like another endpoint in ADFS and all you need to do is enable the endpoint. You can use the MMC snapin to enable this.

 

You can also do this via PSH using the Set-AdfsEndpoint cmdlet.

 

Once enabled, users can always access the change password page via https://adfs.contoso.com/adfs/portal/updatepassword/. It would look like this

 

 

Note: ADFS 2012 R2 required authenticated/registered devices (a.k.a ‘workplace join’) to allow the change of passwords. Based on customer feedback, we have relaxed this constraint and allow this from all devices. You will need to apply 3035025 hotfix on all the ADFS servers.

Enabling password expiry notification

This is a use case that is specifically targeted towards logging into Office 365. Enabling this requires a modification to the ‘issuance’ claims rules for the relying party trust that represents Azure Active Directory. If you used AAD PSH to create this RP trust, you will see this as the “Office 365 Identity Platform” RP trust.

All you need to do is to add the following claims rule to the issuance claims when sending tokens to Azure AD/Office 365.

c1:[Type == "https://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]

=> issue(store = "_PasswordExpiryStore", types = ("https://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "https://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "https://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);

With the above rule we are sending 3 additional claims

  • Password Expiration Time: This is the time when the user’s password will expire
  • Password Expiration Days: This is the number of days remaining prior to the password expiry
  • Password Change URL: This is the URL of the password change URL from ADFS

 

Hope you found this blog post useful. Feel free to post comments on this blog post to ask questions or leave feedback. You can also tweet to @MrADFS.

--Sam