Deploy password reset without requiring end-user registration

To deploy Azure Active Directory (Azure AD) self-service password reset (SSPR), authentication data needs to be present. Some organizations have their users enter their authentication data themselves. But many organizations prefer to synchronize with data that already exists in Active Directory. The synced data is made available to Azure AD and SSPR without requiring user interaction if you:

To work properly, phone numbers must be in the format +CountryCode PhoneNumber, for example, +1 4255551234.

Note

Password reset does not support phone extensions. Even in the +1 4255551234X12345 format, extensions are removed before the call is placed.

Fields populated

If you use the default settings in Azure AD Connect, the following mappings are made:

On-premises Active Directory    Azure AD        Azure AD authentication contact info
telephoneNumber                 Office phone    Alternate phone
mobile                          Mobile phone    Phone

Security questions and answers

The security questions and answers are stored securely in your Azure AD tenant and are only accessible to users via the SSPR registration portal. Administrators can't see or modify the contents of another user's questions and answers.

What happens when a user registers

When a user registers, the registration page sets the following fields:

  • Authentication Phone
  • Authentication Email
  • Security Questions and Answers

If you have provided a value for Mobile phone or Alternate email, users can immediately use those values to reset their passwords, even if they haven't registered for the service. In addition, users see those values when they register for the first time, and they can modify them if they want to. After they register successfully, these values will be persisted in the Authentication Phone and Authentication Email fields, respectively.

Set and read the authentication data through PowerShell

The following fields can be set through PowerShell:

  • Alternate email
  • Mobile phone
  • Office phone: Can only be set if you're not synchronizing with an on-premises directory

Use PowerShell version 1

To get started, you need to download and install the Azure AD PowerShell module (the MSOnline module, which provides the Msol cmdlets). After you have it installed, you can use the steps that follow to configure each field.

Set the authentication data with PowerShell version 1

Connect-MsolService

# Set one field per call. -AlternateEmailAddresses takes an array and replaces any existing value.
Set-MsolUser -UserPrincipalName user@domain.com -AlternateEmailAddresses @("email@domain.com")
Set-MsolUser -UserPrincipalName user@domain.com -MobilePhone "+1 1234567890"
# Office phone (-PhoneNumber) can only be set here if it isn't synchronized from on-premises AD.
Set-MsolUser -UserPrincipalName user@domain.com -PhoneNumber "+1 1234567890"

# Or set all three fields in a single call.
Set-MsolUser -UserPrincipalName user@domain.com -AlternateEmailAddresses @("email@domain.com") -MobilePhone "+1 1234567890" -PhoneNumber "+1 1234567890"

Read the authentication data with PowerShell version 1

Connect-MsolService

Get-MsolUser -UserPrincipalName user@domain.com | select AlternateEmailAddresses
Get-MsolUser -UserPrincipalName user@domain.com | select MobilePhone
Get-MsolUser -UserPrincipalName user@domain.com | select PhoneNumber

# Without -All, Get-MsolUser returns at most 500 users, so a tenant-wide report would be silently truncated.
Get-MsolUser -All | select DisplayName,UserPrincipalName,AlternateEmailAddresses,MobilePhone,PhoneNumber | Format-Table

Read the Authentication Phone and Authentication Email options

To read the Authentication Phone and Authentication Email when you use PowerShell version 1, use the following commands:

Connect-MsolService
Get-MsolUser -UserPrincipalName user@domain.com | select -Expand StrongAuthenticationUserDetails | select PhoneNumber
Get-MsolUser -UserPrincipalName user@domain.com | select -Expand StrongAuthenticationUserDetails | select Email
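The reads above tell you what a single user has on file. The script below, an added example that is not part of the original article, turns them into a tenant-wide SSPR readiness report: which users have reset data available (Authentication Phone/Email, or the Mobile phone and Alternate email values that SSPR falls back to before registration), and which users have a reset email that points outside the organization, since whoever controls that mailbox can complete a reset. The sample user objects, the Get-SsprReadiness function and the contoso.com domain list are constructed for this example; the objects mimic the shape of Get-MsolUser output so the report can be tried offline before pointing it at the tenant.

```powershell
# Added example, not from the original article. Audits SSPR authentication data
# using the same fields the article reads with Get-MsolUser.
# Assumptions: Get-SsprReadiness, the sample objects and $CorporateDomains are constructed
# for illustration. Security questions cannot be audited here because admins can't read them,
# so a user who registered only questions shows as CanResetViaSspr = $false.

$UseLiveData      = $false                 # set to $true to read from the tenant
$CorporateDomains = @('contoso.com')       # assumption: domains you consider "internal"

function Get-SsprReadiness {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][string[]]$CorporateDomains
    )
    foreach ($u in $Users) {
        # StrongAuthenticationUserDetails may be $null for users who never registered.
        $authPhone = $u.StrongAuthenticationUserDetails.PhoneNumber
        $authEmail = $u.StrongAuthenticationUserDetails.Email

        # Registered data, or the admin-provided Mobile phone / Alternate email that SSPR
        # accepts before the user has registered (see "What happens when a user registers").
        $canReset = [bool]($authPhone -or $authEmail -or $u.MobilePhone -or $u.AlternateEmailAddresses)

        # Any reset email outside the corporate domains is a reset path you don't control.
        $externalMail = @($u.AlternateEmailAddresses) + @($authEmail) |
            Where-Object { $_ } |
            Where-Object { ($_ -split '@')[-1].ToLower() -notin $CorporateDomains }

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            CanResetViaSspr   = $canReset
            AuthPhone         = $authPhone
            AuthEmail         = $authEmail
            MobilePhone       = $u.MobilePhone
            ExternalResetMail = ($externalMail -join ';')
        }
    }
}

if ($UseLiveData) {
    Connect-MsolService
    $users = Get-MsolUser -All    # -All avoids the 500-user default page size
}
else {
    # Constructed sample objects shaped like Get-MsolUser output.
    $users = @(
        [pscustomobject]@{
            UserPrincipalName = 'alice@contoso.com'; MobilePhone = '+1 4255551234'; AlternateEmailAddresses = @()
            StrongAuthenticationUserDetails = [pscustomobject]@{ PhoneNumber = '+1 4255551234'; Email = $null }
        }
        [pscustomobject]@{
            UserPrincipalName = 'bob@contoso.com'; MobilePhone = $null; AlternateEmailAddresses = @('bob@example.net')
            StrongAuthenticationUserDetails = [pscustomobject]@{ PhoneNumber = $null; Email = $null }
        }
        [pscustomobject]@{
            UserPrincipalName = 'carol@contoso.com'; MobilePhone = $null; AlternateEmailAddresses = @()
            StrongAuthenticationUserDetails = $null
        }
    )
}

$report = Get-SsprReadiness -Users $users -CorporateDomains $CorporateDomains
$report | Format-Table -AutoSize

"Users with no SSPR reset data:"
$report | Where-Object { -not $_.CanResetViaSspr } | Select-Object -ExpandProperty UserPrincipalName

"Users whose reset email is outside $($CorporateDomains -join ', '):"
$report | Where-Object { $_.ExternalResetMail } | Select-Object UserPrincipalName, ExternalResetMail
```

With the constructed data, alice is ready, bob is ready only through an external alternate email (bob@example.net), and carol has nothing on file and will be stuck at the reset prompt until an admin populates a field or she registers.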

Use PowerShell version 2

To get started, you need to download and install the Azure AD version 2 PowerShell module. After you have it installed, you can use the steps that follow to configure each field.

To quickly install from recent versions of PowerShell that support Install-Module, run the following commands. (The first line checks whether the module is already installed; without -ListAvailable, Get-Module only shows modules that are already loaded into the session.)

Get-Module -ListAvailable AzureADPreview
Install-Module AzureADPreview
Connect-AzureAD

Set the authentication data with PowerShell version 2

Connect-AzureAD

# Set one field per call. -OtherMails takes an array and replaces any existing value.
Set-AzureADUser -ObjectId user@domain.com -OtherMails @("email@domain.com")
Set-AzureADUser -ObjectId user@domain.com -Mobile "+1 2345678901"
# Office phone (-TelephoneNumber) can only be set here if it isn't synchronized from on-premises AD.
Set-AzureADUser -ObjectId user@domain.com -TelephoneNumber "+1 1234567890"

# Or set all three fields in a single call.
Set-AzureADUser -ObjectId user@domain.com -OtherMails @("email@domain.com") -Mobile "+1 1234567890" -TelephoneNumber "+1 1234567890"

Read the authentication data with PowerShell version 2

Connect-AzureAD

Get-AzureADUser -ObjectID user@domain.com | select otherMails
Get-AzureADUser -ObjectID user@domain.com | select Mobile
Get-AzureADUser -ObjectID user@domain.com | select TelephoneNumber

# Without -All $true, Get-AzureADUser returns only the first 100 users.
Get-AzureADUser -All $true | select DisplayName,UserPrincipalName,otherMails,Mobile,TelephoneNumber | Format-Table
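The set and read commands above handle one user at a time with hand-typed values. The script below is an added example, not part of the original article, that applies the same Set-AzureADUser / Get-AzureADUser calls as a bulk job: it normalizes each phone number into the "+CountryCode PhoneNumber" form the article requires, refuses numbers with extensions instead of letting them be silently dropped, prints the plan, and only writes to the tenant when $Apply is set. The CSV rows, the user names, the Normalize-SsprPhone helper and the default country code are constructed assumptions; Office phone is left untouched on the assumption that it is synchronized from on-premises AD.

```powershell
# Added example, not from the original article. Bulk-populates Mobile and OtherMails
# for SSPR from CSV input, validating phone format first.
# Assumptions: the CSV content, user names, Normalize-SsprPhone and $DefaultCountryCode
# are constructed for illustration; -TelephoneNumber is not written because Office phone
# is assumed to come from Azure AD Connect.

$Apply = $false   # review the printed plan, then set to $true to write to the tenant

function Normalize-SsprPhone {
    param(
        [Parameter(Mandatory)][string]$Raw,
        [string]$DefaultCountryCode = '1'   # assumption: numbers without +CC are North American
    )
    # SSPR removes extensions before dialing, so storing one is misleading; reject it.
    if ($Raw -match '(?i)(x|ext\.?)\s*\d+') {
        throw "'$Raw' contains an extension, which SSPR does not support"
    }
    if ($Raw -match '^\s*\+(\d{1,3})[\s\-.(]+(.+)$') {
        $cc       = $Matches[1]
        $national = $Matches[2] -replace '\D', ''
    }
    elseif ($Raw.Trim().StartsWith('+')) {
        # "+14255551234" gives no way to tell where the country code ends.
        throw "'$Raw' must separate the country code from the number, for example +1 4255551234"
    }
    else {
        $cc       = $DefaultCountryCode
        $national = $Raw -replace '\D', ''
    }
    if ($national.Length -lt 4 -or $national.Length -gt 14) {
        throw "'$Raw' does not look like a valid phone number"
    }
    return "+$cc $national"
}

# Constructed input; in practice this would come from Import-Csv on an HR export.
$rows = @'
UserPrincipalName,Mobile,OtherMail
alice@contoso.com,"+1 (425) 555-1234",alice.home@example.com
bob@contoso.com,425-555-0199,
carol@contoso.com,"+44 20 7946 0958 x12",carol@example.net
dave@contoso.com,+14255550111,
'@ | ConvertFrom-Csv

# Build the plan first so bad rows are visible before anything is written.
$plan = foreach ($row in $rows) {
    try {
        [pscustomobject]@{
            UserPrincipalName = $row.UserPrincipalName
            Mobile            = Normalize-SsprPhone -Raw $row.Mobile
            OtherMail         = $row.OtherMail
            Action            = 'set'
        }
    }
    catch {
        [pscustomobject]@{
            UserPrincipalName = $row.UserPrincipalName
            Mobile            = $null
            OtherMail         = $row.OtherMail
            Action            = "skip: $($_.Exception.Message)"
        }
    }
}
$plan | Format-Table -AutoSize

if ($Apply) {
    Connect-AzureAD
    foreach ($entry in ($plan | Where-Object Action -eq 'set')) {
        $params = @{ ObjectId = $entry.UserPrincipalName; Mobile = $entry.Mobile }
        # -OtherMails replaces the whole list, so only pass it when the CSV supplies a value.
        if ($entry.OtherMail) { $params.OtherMails = @($entry.OtherMail) }
        Set-AzureADUser @params
    }
    # Read back what was written, the same way the article does above.
    $plan | Where-Object Action -eq 'set' | ForEach-Object {
        Get-AzureADUser -ObjectId $_.UserPrincipalName |
            Select-Object UserPrincipalName, Mobile, OtherMails
    }
}
```

With the constructed rows, alice becomes "+1 4255551234" and bob "+1 4255550199"; carol is skipped because of the "x12" extension and dave because "+14255550111" does not separate the country code, so neither gets a number SSPR would dial incorrectly.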

Next steps