Forum Discussion
Self Service Password Reset with Password Writeback
I am looking into exploring the option for Self Service Password Resets on Office 365, and since this is a hybrid I am going to enable password writeback. Everything works great but I have a question regarding the password writeback.
What I have found is that once Password Writeback is enabled you don't necessarily need to be in the group to allow for SSPR. Therefore if you are able to log on to the account successfully, you can reset the password without answering any security questions, MFA, etc.
I know you can restrict who can use SSPR, but is there a way to restrict who can reset their password via the portal?
A few additional notes:
- Most (but not all) accounts are using an E3 license. Some only have a basic e-mail only license, or no license at all.
- MFA will be enabled, but there are accounts where this won't work because they are shared accounts. Those are the accounts I am concerned about, where someone can log on, reset the password and have access to the local domain.
Any thoughts or feedback would be appreciated.
3 Replies
- PBeiler1 (Iron Contributor): Here is my experience. I am 100% in the cloud, Office 365, no hybrid. First I set up MFA on my shared account. Second, I block logon to my shared accounts. Anyone who has been granted DELEGATE ACCESS can access this shared account from any Outlook session (cell phone, web browser, Outlook on the desktop).
Technically MFA is nonexistent when an account is blocked, but I do the MFA in the off chance a malicious attempt enables this account.
- ChrisP1975 (Brass Contributor):
Thanks for the info everyone. Sounds like the best workaround is to just enable MFA for everyone.
Although I am wondering if you can use Active Directory delegation to restrict the password writeback, but my concern would be that it could cause other issues.
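PBeiler1's approach (block sign-in on shared accounts so nobody can log on to them directly, while delegates keep access through Outlook) and ChrisP1975's conclusion that unprotected accounts are the exposure can be turned into a routine audit. The script below is an added example, not code from either poster or from Microsoft; it assumes the AzureAD and ExchangeOnlineManagement PowerShell modules are installed and that Connect-AzureAD and Connect-ExchangeOnline have already been run with an account that can read mailboxes and update users. It lists every shared mailbox whose directory account is still allowed to sign in and, only with -Apply, blocks sign-in on those accounts.

```powershell
# Added example (not from the thread). Assumes an existing Connect-AzureAD and
# Connect-ExchangeOnline session. Shared mailboxes are used via delegation, so
# their own account never needs to sign in; blocking sign-in removes the path
# where someone logs on to the shared account and resets its password.
param(
    [switch]$Apply   # without -Apply the script only reports, changes nothing
)

# One row per shared mailbox: is direct sign-in still allowed, is it licensed
$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $user = Get-AzureADUser -ObjectId $mbx.UserPrincipalName   # UPN is accepted as ObjectId
    [pscustomobject]@{
        UserPrincipalName = $mbx.UserPrincipalName
        SignInAllowed     = $user.AccountEnabled
        Licensed          = ($user.AssignedLicenses.Count -gt 0)
    }
}

# Shared accounts that can still be logged on to directly are the exposed ones
$exposed = $report | Where-Object SignInAllowed
$exposed | Format-Table -AutoSize

if ($Apply) {
    foreach ($u in $exposed) {
        # Delegate access is unaffected; only interactive sign-in for the account is blocked
        Set-AzureADUser -ObjectId $u.UserPrincipalName -AccountEnabled $false
        Write-Host "Blocked sign-in for $($u.UserPrincipalName)"
    }
}
```

Run it once without -Apply to review the list (the Licensed column helps spot shared accounts that were given a full license and therefore SSPR eligibility by mistake), then re-run with -Apply after confirming none of the listed accounts is used for direct logon.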
- Password change is different from SSPR, and no, you cannot restrict it.