Can I use Azure Self Service Password Reset with MFA Server?

brentmattson
Occasional Contributor

We have on prem AD with Office 365.  We use Azure AD Connect to sync users.  We also use Microsoft MFA server.  We are starting to test some Azure AD features.  We would like to enable Azure self service password reset.  I noticed in order for a user to reset their password they need to provide an authentication method.  MFA is offered.  Can MFA server be used for this or is Azure MFA required?

2 Replies

@brentmattson It's correct that you cannot use SSPR with on-premises MFA server. However, if you're currently using ADFS 2012 R2 or above, there is a password change option that can be enabled. This can be coupled with the additional ADFS MFA provider that on-premises MFA can provide. My recommendation would be to explore migration to Azure AD Premium for MFA, though there may be cases you have for using on-premises MFA server that AADP cannot fulfill (LDAP/RADIUS is the most common one).
