External IdP with own SSPR page for password changes. Need option to disable user password change.


This tool provides user provisioning to Active Directory and Azure Active Directory, among others. So we don't use Azure AD Connect/federation or anything like that. This is a use case that is used by many companies.

Because our own IdP is leading, password changes for users also take place in the tooling itself (portal). It is therefore important that users do not change their passwords in Azure themselves, but in our IdP portal. If they do, it will cause disruptions for the user. Because we provide even more target systems with user provisioning, the new password will not be set in the other environments.

Is there a way to prevent users from changing their passwords in the various Azure/O365 portals such as https://myaccount.microsoft.com?

For example, in Active Directory, there is a PowerShell option "set-aduser -CannotChangePassword".
