Forum Discussion
GilFernandez
Dec 22, 2022 Copper Contributor
Verify remote user identity
Hi Everyone, Right now I am looking for a solution to verify the identity of remote users when they contact Service Desk to ask for password reset. More than ask security questions, do you kno...
Dec 22, 2022
How about SSPR instead?
https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
JSpieser
Jul 09, 2024 Copper Contributor
Works for passwords... as long as MFA is set up. There doesn't seem to be any real solution provided by Microsoft to verify the identity of users who need to change their MFA method if their most recently registered method is no longer usable or available.
The question remains: how to validate users calling in?

GilFernandez
Dec 27, 2022 Copper Contributor
Thanks,
Do you know if SSPR applies if the user forgets the Windows login password?

Dec 27, 2022
If you're referring to on-premises in a hybrid environment, there's a password writeback feature: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback?source=recommendations

brlgen
Dec 25, 2022 Brass Contributor
As Christian mentions, you can use SSPR for this. But we went a step further. We created a logic app connected to the incident management system. Whenever a user loses access to their MFA device, or in another such scenario, the helpdesk can trigger this logic app by creating a ticket. This sends out a TAP to the user's SSPR email address, which is their private email address. Using the "Authentication Administrator" role, the logic app could only create a TAP for non-admin users, preventing privilege escalation attacks. Additionally, the helpdesk has no permissions to view or edit these emails; they can only trigger the logic app by creating an incident.
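The same TAP-to-recovery-email flow brlgen describes, written as a standalone Microsoft Graph PowerShell script rather than a logic app. This is an added example, not brlgen's code: it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the Authentication Administrator role, which Entra ID itself scopes to non-admin targets (managing admins' methods needs Privileged Authentication Administrator). The parameter names, the shared helpdesk mailbox and the extra directory-role pre-check are assumptions for this example.

```powershell
# Added example (not the original poster's logic app): issue a one-time,
# short-lived Temporary Access Pass to a non-admin user and mail it to the
# email address registered as their SSPR/authentication email method.
# Assumes: Microsoft Graph PowerShell SDK; caller holds Authentication Administrator.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $SenderMailbox     = 'helpdesk@contoso.example',  # assumed shared mailbox
    [int]    $LifetimeInMinutes = 60
)

Connect-MgGraph -NoWelcome -Scopes 'User.Read.All', 'Directory.Read.All',
    'UserAuthenticationMethod.ReadWrite.All', 'Mail.Send'

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
if (-not $user.AccountEnabled) {
    throw "Account $UserPrincipalName is disabled; refusing to issue a TAP."
}

# Defence in depth (assumption for this example): refuse any target that holds a
# directory role, even though the Authentication Administrator role cannot touch
# admin accounts anyway. PIM-eligible (not active) roles are not visible here.
$roles = Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
if ($roles) {
    $names = ($roles | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', '
    throw "$UserPrincipalName holds directory role(s): $names. Escalate instead of issuing a TAP."
}

# The recovery address is the user's registered email authentication method,
# not the corporate mailbox they may have lost access to.
$recovery = Get-MgUserAuthenticationEmailMethod -UserId $user.Id | Select-Object -First 1
if (-not $recovery) {
    throw "No recovery email registered for $UserPrincipalName; verify identity another way."
}

# Single-use and short-lived, so an intercepted or forwarded message has little value.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -LifetimeInMinutes $LifetimeInMinutes -IsUsableOnce

$message = @{
    subject      = 'Your temporary access pass'
    body         = @{
        contentType = 'Text'
        content     = "Sign in with this one-time pass within $LifetimeInMinutes minutes, " +
                      "then re-register your MFA method: $($tap.TemporaryAccessPass)"
    }
    toRecipients = @(@{ emailAddress = @{ address = $recovery.EmailAddress } })
}
Send-MgUserMail -UserId $SenderMailbox -BodyParameter @{ message = $message; saveToSentItems = $false }

# Audit trail without the secret: who, where it went, and when it starts.
Write-Host "TAP issued for $UserPrincipalName, sent to $($recovery.EmailAddress), valid from $($tap.StartDateTime) for $LifetimeInMinutes min"
```

Run it as `.\Issue-RecoveryTap.ps1 -UserPrincipalName alice@contoso.example` from a helpdesk-initiated automation identity. The point of sending only to the pre-registered recovery address is that the helpdesk agent never sees or chooses the destination, so a convincing caller gains nothing unless they also control the user's private mailbox.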