Forum Discussion
Azure AD self-service password reset - Group (SSPR)?
Pablo R. Ortiz
The problem is you can only select ONE group :-(
We took the approach of using a dynamic security group, with the members populated based on the fact a user had an EMS licence assigned (licence requirement for SSPR with AD writeback).
- steve_elliott, Mar 29, 2019, Brass Contributor
For some reason I'm not able to reply to the private message I got asking how we did this, so I will post here:
Hi Dave,
Sure, no worries. We use a dynamic security cloud-only group, and then configured the advanced rule with the below. Once it was populating correctly, we just assigned that user group permissions to do SSPR, which would write back to our local AD. When we designed it this way, it means we don't have to keep on top of populating the security group who can do SSPR; as soon as one of our users is assigned the EMS licence, they become a member of the group and have permissions for SSPR / Writeback :)
This was the code for the advanced rule scope:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")
Hope this helps.
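
An audit check for the setup described in this thread, added here as an example and not part of the original posts: it lists users whose licence state matches the rule and compares them with the group's actual members, so drift in who is allowed to use SSPR is visible. It assumes the Microsoft Graph PowerShell SDK is installed; `$GroupId` is a placeholder for the object ID of your own dynamic group.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph PowerShell SDK.
# ASSUMPTION: $GroupId is a placeholder; set it to the object ID of your SSPR dynamic group.
$GroupId       = '<object-id-of-sspr-dynamic-group>'
$ServicePlanId = 'c1ec4a95-1f05-45b3-a911-aa3fa01094f5'   # service plan GUID from the rule above

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All' | Out-Null

# Users the rule should match. "-any" means a single assignedPlan entry must
# satisfy BOTH conditions: the plan ID matches and its capabilityStatus is "Enabled".
# A user holding this plan in another state plus some other enabled plan does not match.
$expected = @(
    Get-MgUser -All -Property 'id,userPrincipalName,assignedPlans' |
        Where-Object {
            $_.AssignedPlans | Where-Object {
                $_.ServicePlanId -eq $ServicePlanId -and
                $_.CapabilityStatus -eq 'Enabled'
            }
        }
)
$expectedIds = @($expected | ForEach-Object Id)

# Current members of the dynamic group that is scoped for SSPR.
$actualIds = @(Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object Id)

# Licensed users who are not (yet) in the group: they cannot use SSPR.
$missing = @($expected | Where-Object { $_.Id -notin $actualIds })

# Group members who no longer match the rule: they can still use SSPR.
$unexpected = @($actualIds | Where-Object { $_ -notin $expectedIds })

[pscustomobject]@{
    MatchingRule        = $expectedIds.Count
    GroupMembers        = $actualIds.Count
    MissingFromGroup    = $missing.Count
    UnexpectedInGroup   = $unexpected.Count
}

$missing    | Select-Object Id, UserPrincipalName | Format-Table -AutoSize
$unexpected | ForEach-Object { "Unexpected member object ID: $_" }
```

Dynamic membership is evaluated asynchronously, so a short-lived difference right after a licence change is normal; entries that persist are the ones worth investigating.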