Changing Your Password with Office 365 FAQ
A lot of customers ask me what can be done about changing passwords in the cloud via Office 365. It is pretty confusing with all the different variables, and it took me a bit to parse through the scenarios myself. I wrote a quick FAQ to help with your understanding:
Can I change my password in Office 365 if I know my password?
This depends on many factors, such as where the password is sourced. If you have a cloud only account (e.g. Dirsync only with no password sync), you can change your password in the cloud as long as you know your existing password.
You will receive this when you want to change your password in OWA with a cloud only identity:
If you have an ADFS or Dirsync with Password sync identity, you will not be allowed to change your password in the cloud. You will receive:
Can I change my password in Office 365 if I forgot my password?
Currently, only Office 365 administrators can conduct self-service password reset (SSPR) on forgotten passwords for cloud only identities (note: it is a good practice to keep cloud only admin identities in case ADFS goes down or something else occurs locally). You will receive an option such as this as an administrator:
Update as of 2-17-15: there is now SSPR for cloud only identities; see here.
If you attempt to change your forgotten password as a standard cloud only (managed identity) account you receive this screen:
The only option for standard cloud only accounts to change a forgotten password is to call into their IT helpdesk for a password reset.
If you attempt to change your forgotten password as an ADFS or Dirsync with Password sync Active Directory identity, you will receive this, because the password is sourced in your local AD:
Is there a way I can change my password in Office 365 and have it change my local AD password also?
Yes, if you purchase Azure AD Premium there is a new two-way password sync option available to you. This will allow password changes to occur in the cloud and then sync those password changes down to your local AD so the passwords are in sync.
See here for a feature matrix on Azure AD Premium vs. Azure AD free (comes with Office 365).
See here for guidance on how to enable Two-way password sync with Office 365 and Azure AD Premium.
Two way password reset in action with Azure AD Premium:
How do I change my password in Office 365 if I know it and I have ADFS or Dirsync with Password sync?
For this scenario, IT will have to provide an on premises mechanism to change your local AD password (e.g. ADFS in 2012 R2 now has a password change page for workplace joined devices, changing it directly on a domain joined workstation, a web page for self service, a helpdesk call, etc.).
new ADFS 2012 R2 password change web page
Alternatively, if you obtain an Azure AD Premium license you can enable two-way password sync (see above for enablement steps) from cloud to on prem Active Directory.
How do I change my password in Office 365 if I forgot my password and I have ADFS or Dirsync with Password sync?
For this scenario, IT will have to provide an on premises mechanism to change your forgotten local password (e.g. a web site for self service reset, such as with FIM 2010 R2, or a help desk call).
FIM 2010 R2 SSPR on site option
Alternatively, if you obtain an Azure AD Premium license you can enable SSPR and two way password sync (see above for enablement steps) from cloud to on prem Active Directory.
Can I brand the password login page for Office 365/Azure AD and the self-service password reset page?
If you have a cloud only identity or a Dirsync with Password sync identity, you can brand the login page with a custom color/logo and contact information using an Azure AD Basic or Azure AD Premium license. See here. Update as of 2-17-15: there is now a Branded Login feature available for all Office 365 customers; see here.
If you have an ADFS login for Office 365, you can also brand the ADFS login page. See steps here:
ADFS with Windows Server 2012 R2 custom branded login page
Can I use my local Active Directory Password to access Office 365 services?
Yes, you can if you have enabled Dirsync with Password sync or if you enable ADFS federated login. Both scenarios will allow you to log into Office 365 with a local Active Directory Password. One is a password copy in the cloud and one is a federated identity using local AD for authentication.
See here for more information on Dirsync with Password sync.