Advanced Customization of ADFS for Cloud Usage (Part 4 of 4)

Written by Kevin Saye

This is part 4 of a 4-part blog series about customizing Microsoft’s ADFS for advanced user scenarios. I will break down this series into the following parts:

Part 1 – Customizing the Login Page

Customizing the Login Page for advanced features. We will add icons and have automated presentation logic.

Part 2 – Using Cloud or on Premises MFA

What changes happen in the claims and how to control where MFA takes place.

Part 3 – User Certificates

Enabling enrollment and usage of user certificates for ADFS.

Part 4 – Expired passwords and locked out accounts

How to detect and address users with expired passwords or locked out accounts.

 

Part 4 – Expired passwords and locked out accounts

Expired passwords are a part of life. Corporate users often log in using Windows, and Windows will give them (by default) a 14-day warning before the password expires. ADFS, because it is exposed to the hostile internet, is not so friendly by default.

Windows Server 2012 R2 ADFS addresses passwords that have expired, as shown below:

ADFS, for security reasons, does not address account lockout, as shown below:

Because the error message above can appear for many reasons, or could be the result of a brute force attack, how you address it can vary based on company policy.

If you want to enable end users to reset their password using Azure Active Directory Premium’s Reset Password (https://passwordreset.microsoftonline.com), you can notify the user or automatically redirect them to the reset site.

Using JavaScript, we can detect that the “errorText” element is not empty and take action.

My example below asks the user whether they need help resetting their password and, if they agree, redirects them to the Reset Password site. You can modify it as you see fit.

The HTML I used to set this up is included below:

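<script>
// Runs once the ADFS sign-in page has loaded. ADFS writes any sign-in error
// into the element with id "errorText"; if it is not empty, offer a reset.
function resetPassword() {
  if (document.getElementById("errorText").innerHTML != "") {
    if (confirm("Would you like to reset your password?") == true) {
      // whr names the home realm (the tenant's domain) for the reset site.
      location.href = 'https://passwordreset.microsoftonline.com/?whr=kevinsay.scd365.net';
    }
  }
}
window.onload = resetPassword;
</script>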

The PowerShell command to configure this is:

Set-AdfsGlobalWebContent -SignInPageDescriptionText "<script>function resetPassword() { if(document.getElementById(""errorText"").innerHTML != """") { if (confirm(""Would you like to reset your password?"") == true) { location.href='https://passwordreset.microsoftonline.com/?whr=kevinsay.scd365.net'; } }; }; window.onload=resetPassword; </script>"
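
A variation on the script above, added here as an example and not the author's code. It goes a little further than the original: it ignores an errorText that holds only whitespace, validates the whr domain before building the URL, and inserts a reset link next to the error instead of raising a confirm() dialog. The function names and the link text are hypothetical.

```javascript
// Added example, not the author's code. Function names and link text are hypothetical.
const RESET_URL = "https://passwordreset.microsoftonline.com/";

// True only when the error element holds visible text.
// String.prototype.trim() also strips non-breaking spaces.
function hasSignInError(text) {
  return typeof text === "string" && text.trim().length > 0;
}

// Build the reset URL for one home realm. Only a plain DNS name is accepted,
// so the value cannot carry extra query parameters or a different target.
function buildResetUrl(domain) {
  const dnsName = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i;
  if (typeof domain !== "string" || !dnsName.test(domain)) {
    throw new Error("unexpected home realm: " + domain);
  }
  return RESET_URL + "?whr=" + encodeURIComponent(domain);
}

// If the sign-in page shows an error, place a reset link right after it.
// Returns true when the link was added, false otherwise.
function offerReset(doc, domain) {
  const err = doc.getElementById("errorText");
  if (!err || !hasSignInError(err.textContent)) {
    return false; // element missing or no error shown: leave the page alone
  }
  const link = doc.createElement("a");
  link.href = buildResetUrl(domain);
  link.textContent = "Reset your password";
  err.parentNode.insertBefore(link, err.nextSibling);
  return true;
}

// Browser only: addEventListener keeps any onload handler the page already has.
if (typeof window !== "undefined") {
  window.addEventListener("load", function () {
    offerReset(document, "kevinsay.scd365.net");
  });
}
```

Because the user still sees the original error and has to click the link, a lockout caused by someone else's failed attempts does not silently send them away from the sign-in page.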