Across the globe, first-line support teams spend swathes of their time dealing with users who need a password reset or an account unlock. Wouldn’t it be great to save time for the end-user, improve their experience of this day-to-day, repeatable task, and free up time on your Service Desk to deal with the bigger fish you have to fry? You could even make the process more secure too!
We all forget our passwords from time to time, and some users will encounter account lockouts more often than others. Each time this happens, the end-user needs to call the Service Desk to have it fixed, either by resetting their password or by manually unlocking the account. The process may be fast enough but, according to TotalJobs, for April 2018, the average UK salary for a 1st line Service Desk technician is £21,000. What if you could pay a fraction of that cost and automate the process of password resets? How much better could the Service Desk support your users without the burden of this task?
If you use Office 365 or Microsoft Azure services, did you know that there is a self-service password reset service you could be using that already does everything we’ve said above and more? Did you also know that, if you are a cloud-only customer, this could cost you nothing? Yep, completely free.
What can the self-service password reset service offer?
Simply put, the service offers users the ability to reset their own password and, if you give them the option, unlock their account. To do this securely, users set up security questions and answers and secondary contact numbers once, while they still know their password. The next time they forget, they use the service, answer some questions or maybe respond to a text message, and their password is reset for them.
If your users use Windows 10 on their laptops and desktops, this can be integrated into the Windows logon experience so that users can reset their password from the lock screen of their own PC. This is something that other third-party solutions lack; they require you to use another PC to access the service.
How much does the service cost?
If you are a cloud-only user of Office 365 and Microsoft Azure, the self-service password reset service is free to use. If you are a hybrid customer, a customer who is using identity management to synchronise user accounts from Active Directory or another source into Azure Active Directory for the cloud, then you will need the right license to enable the password writeback feature.
The password writeback feature is available for Azure Active Directory Premium customers. If you have purchased Enterprise Mobility + Security E3 or E5 licenses for your users, this includes Azure Active Directory Premium. Azure Active Directory Premium offers many features aside from password writeback such as Conditional Access, Group-based License Assignment, Dynamic Group Membership, and more. If you haven’t looked at it before, we recommend you do.
For information on Azure Active Directory Premium visit https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis. For information about Enterprise Mobility + Security, take a look at https://www.microsoft.com/en-gb/cloud-platform/enterprise-mobility-security.
How secure is it?
When we talk about the security of services like self-service password reset, we like to look at your current process. How is the end-user password reset today? Is it done by an automated service or a person? Is the password set at random by an algorithm or script, or does a Service Desk team member pick something out of their head at that moment in time? Do you validate the identity of the person on the phone, or do you work on trust that, because the internal phone system says Dave is calling, Dave is on the phone?
Self-service password reset in Azure Active Directory is fully automated. No people are involved in the reset process except the affected user, which means there is no man-in-the-middle such as a Service Desk analyst making a note of the password they set. The user identity is verified using responses to security questions, responding to text messages sent to a predefined phone number, or taking a call on a pre-configured phone number, making it extremely hard for a third party to interfere. The connection to the service is encrypted with TLS, which means that the new password that is generated is not sent over any networks in the clear.
How do we implement it?
The good news is that whether you are a cloud-only user of Azure Active Directory or Office 365, or a hybrid customer synchronising your identities with Active Directory on-premises, it’s easy to set up and get running. Typically, the rollout is a two-stage process: first you get users to start populating their security question responses ready to use the service and then, after a period of time, you allow users to start using the service.
Arcible can assist you in setting up self-service password reset regardless of your current configuration. If you are interested in Enterprise Mobility + Security or how to make better use of Azure Active Directory we can help you figure out what you need to accomplish and the best way to purchase any licenses you need too.