SOLVED

Office 365 Self-Service Password Reset without having Exchange Online?

%3CLINGO-SUB%20id%3D%22lingo-sub-1571428%22%20slang%3D%22en-US%22%3EOffice%20365%20Self-Service%20Password%20Reset%20without%20having%20Exchange%20Online%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1571428%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20There%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20trying%20to%20setup%20a%20self-service%20password%20reset%20for%20our%20users%20residing%20in%20on-premises%20AD%20but%20we%20do%20not%20have%20Exchange%20online.%20Is%20it%20even%20possible%20for%20us%20to%20setup%20SSPR%20with%20Azure%20AD%20Connect%20without%20involving%20Exchange%20at%20all%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1571428%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1571885%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Self-Service%20Password%20Reset%20without%20having%20Exchange%20Online%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1571885%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F751838%22%20target%3D%22_blank%22%3E%40Johnv735%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20Exchange%20is%20not%20relevant%20to%20SSPR.%20As%20long%20as%20you%20are%20syncing%20your%20on-premises%20AD%20to%20Azure%20AD%20with%20Azure%20AD%20Connect%2C%20and%20you%20have%20licences%20as%20per%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-sspr-licensing%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-sspr-licensing%3C%2FA%3E%26nbsp%3B%20then%20you%20should%20be%20good%20to%20go%20with%20this%20feature.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1571912%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Self-Service%20Password%20Reset%20without%20having%20Exchange%20Online%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1571912%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F751838%22%20target%3D%22_blank%22%3E%40Johnv735%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20it%20is%20possible.%20If%20you%20want%20your%20on-prem%20users%20to%20be%20able%20to%20reset%20their%20passwords%20via%20the%20SSPR%20(i.e.%20Office%20365%20synchronises%20back%20to%20the%20on-prem%20AD%20)%20then%20you%20will%20need%20an%20Azure%20P1%20licence%20for%20that%20user.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20SSPR%20included%20in%20the%20Free%20version%20of%20Azure%20AD%20does%20not%20write-back%20to%20on-prem%2C%20it%20only%20changes%20the%20password%20in%20365%20-%20the%20next%20time%20AzureAD%20synchronises%20that%20password%20is%20changed%20back%20to%20the%20AD%20password.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20is%20my%20understanding%20that%20Exchange%20Online%20is%20not%20a%20pre-requisite%20for%20this%20.%20You%20may%20have%20seen%20this%20already%2C%20but%20this%20goes%20into%20a%20bit%20more%20detail%20about%20the%20functionality.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fpricing%2Fdetails%2Factive-directory%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fpricing%2Fdetails%2Factive-directory%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMark%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1572025%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Self-Service%20Password%20Reset%20without%20having%20Exchange%20Online%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1572025%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20reply!%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383653%22%20target%3D%22_blank%22%3E%40HidMov%3C%2FA%3E%26nbsp%3BHere%20is%20the%20situation%2C%20We%20do%20have%20P1%20licenses%20for%20users%20but%20when%20I%20verify%20our%20custom%20domain%20in%20Azure%20from%2C%20let's%20say%2C%20xyz.onmicrosoft.com%20to%20xyz.com%20so%20that%20users%20can%20login%20with%20their%20current%20email%20addresses%20this%20poses%20issue%20with%20Microsoft%20Teams%20stop%20treating%20%22xyz.com%22%20as%20external%20address%20and%20will%20not%20allow%20invite%20to%20be%20sent%20for%20the%20meeting.%20Is%20there%20a%20workaround%20for%20this%3F%20So%20that%20Office%20365%20do%20not%20treat%20xyz.com%20as%20internal%3F%20Any%20help%20will%20be%20greatly%20appreciated!!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1572373%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Self-Service%20Password%20Reset%20without%20having%20Exchange%20Online%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1572373%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F751838%22%20target%3D%22_blank%22%3E%40Johnv735%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20if%20you%20add%20your%20xyz.com%20domain%20into%20your%20M365%20tenant%2C%20which%20it%20seems%20you%20have%2C%20then%20this%20is%20going%20to%20be%20considered%20as%20an%20internal%20%2F%20accepted%20domain%20within%20your%20environment.%26nbsp%3B%20I%20am%20curious%20to%20understand%20why%20you%20would%20wish%20it%20to%20be%20considered%20external%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1573207%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Self-Service%20Password%20Reset%20without%20having%20Exchange%20Online%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1573207%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%2C%20Let%20me%20try%20explain%20without%20confusing%20you%2C%20Since%20we%20do%20not%20have%20Exchange%20Online%20and%20do%20not%20wish%20to%20involve%20our%20current%20on-prem%20Exchange%20to%20any%20of%20Office%20365%20services%2C%20we%20want%20our%20users%20to%20still%20use%20Microsoft%20Teams%20for%20video%20conferencing%20purposes.%20Only%20handful%20of%20employees%20are%20currently%20using%20the%20Teams%20app%20and%20would%20like%20other%20employees%20within%20the%20organization%20to%20be%20invited%20for%20meetings.%20Now%2C%20currently%20users%20using%20Teams%20app%20has%20%22xyz.onmicrosoft.com%22%20email%20and%20password%20setup%20by%20Office%20365%20but%20If%20I%20add%20my%20custom%20domain%20%22xyz.com%22%20for%20SSPR%20then%20it%20poses%20two%20issues%3B%20In%20order%20to%20send%20the%20invite%20out%20to%20internal%20employees%20Teams%20cannot%20see%20%22xyz.com%22%20as%20external%20to%20have%20the%20%22Invite%22%20option%20available.%20Teams%20searches%20for%20email%20addresses%20for%20let's%20say%20%3CA%20href%3D%22mailto%3Aaaa%40xyz.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eaaa%40xyz.com%3C%2FA%3E%26nbsp%3Band%20%3CA%20href%3D%22mailto%3Abbb%40xyz.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ebbb%40xyz.com%3C%2FA%3E%26nbsp%3Bin%20it's%20own%20address%20book%20which%20is%20not%20there%20because%20Exchange%20online%20is%20not%20integrated.%20If%20I%20do%20sync%20%3CA%20href%3D%22mailto%3Aaaa%40xyz.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eaaa%40xyz.com%3C%2FA%3E%26nbsp%3Band%20%3CA%20href%3D%22mailto%3Abbb%40xyz.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ebbb%40xyz.com%3C%2FA%3E%26nbsp%3Bfrom%20our%20on-prem%20AD%20then%20Teams%20is%20not%20able%20to%20send%20an%20email%20invite%20to%20those%20above%20users%20since%20they%20do%20not%20have%20emails%20setup%20with%20Exchange%20online.%26nbsp%3B%20If%20we%20do%20add%20an%20email%20for%20%3CA%20href%3D%22mailto%3Aabc%40xyz.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eabc%40xyz.com%3C%2FA%3E%26nbsp%3Bin%20the%20Azure%20AD%20then%20it%20posses%20another%20issue%20with%20email%20structure%20because%20now%20we%20have%20two%20emails%20for%20the%20same%20user%20-%20%3CA%20href%3D%22mailto%3Aabc%40xyz.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eabc%40xyz.com%3C%2FA%3E%26nbsp%3Bcreated%20by%20Exchange%20online%20and%20their%20own%20on-prem%20%3CA%20href%3D%22mailto%3Aabc%40xyz.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eabc%40xyz.com%3C%2FA%3E%26nbsp%3Bwhich%20is%20more%20confusing%20on%20which%20one%20to%20use.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20might%20be%20clearly%20over%20complicating%20the%20way%20to%20implement%20this%20with%20but%20any%20idea%20or%20a%20workaround%20will%20be%20greatly%20appreciated!!%20Thank%20you!!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1573975%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Self-Service%20Password%20Reset%20without%20having%20Exchange%20Online%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1573975%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F751838%22%20target%3D%22_blank%22%3E%40Johnv735%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOK%2C%20I%20see%20where%20you%20are%20coming%20from.%26nbsp%3B%20My%20suggestion%20to%20you%20here%20would%20be%20to%20configure%20Hybrid%20Coexistence%20between%20you%20on-premises%20Exchange%20and%20Exchange%20Online.%26nbsp%3B%20This%20way%2C%20you%20can%20add%20your%20custom%20domain%20into%20O365%20and%20still%20use%20Teams%20with%20full%20functionality%20with%20your%20on-premises%20mailboxes.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheck%20this%20out%20for%20further%20guidance%20on%20the%20subject%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-teams-community-blog%2Fmicrosoft-teams-and-on-premises-mailboxes-you-need-exchange%2Fba-p%2F1521588%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-teams-community-blog%2Fmicrosoft-teams-and-on-premises-mailboxes-you-need-exchange%2Fba-p%2F1521588%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20take%20a%20look%20at%20this%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fexchange-teams-interact%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fexchange-teams-interact%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20version%20of%20on-premises%20Exchange%20are%20you%20running%20please%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi There,

 

We are trying to setup a self-service password reset for our users residing in on-premises AD but we do not have Exchange online. Is it even possible for us to setup SSPR with Azure AD Connect without involving Exchange at all?

6 Replies
best response confirmed by Juan Carlos González Martín (MVP)
Solution

@Johnv735 

 

Hi, Exchange is not relevant to SSPR. As long as you are syncing your on-premises AD to Azure AD with Azure AD Connect, and you have licences as per https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing  then you should be good to go with this feature.  

Hi @Johnv735 

 

Yes, it is possible. If you want your on-prem users to be able to reset their passwords via the SSPR (i.e. Office 365 synchronises back to the on-prem AD ) then you will need an Azure P1 licence for that user.

 

The SSPR included in the Free version of Azure AD does not write-back to on-prem, it only changes the password in 365 - the next time AzureAD synchronises that password is changed back to the AD password.

 

It is my understanding that Exchange Online is not a pre-requisite for this . You may have seen this already, but this goes into a bit more detail about the functionality.

 

https://azure.microsoft.com/en-us/pricing/details/active-directory/

 

Hope this helps,

 

Mark

 

 

Thanks for the reply!@HidMov Here is the situation, We do have P1 licenses for users but when I verify our custom domain in Azure from, let's say, xyz.onmicrosoft.com to xyz.com so that users can login with their current email addresses this poses issue with Microsoft Teams stop treating "xyz.com" as external address and will not allow invite to be sent for the meeting. Is there a workaround for this? So that Office 365 do not treat xyz.com as internal? Any help will be greatly appreciated!!

 

@Johnv735 

 

Hi, if you add your xyz.com domain into your M365 tenant, which it seems you have, then this is going to be considered as an internal / accepted domain within your environment.  I am curious to understand why you would wish it to be considered external?

Hi @PeterRising, Let me try explain without confusing you, Since we do not have Exchange Online and do not wish to involve our current on-prem Exchange to any of Office 365 services, we want our users to still use Microsoft Teams for video conferencing purposes. Only handful of employees are currently using the Teams app and would like other employees within the organization to be invited for meetings. Now, currently users using Teams app has "xyz.onmicrosoft.com" email and password setup by Office 365 but If I add my custom domain "xyz.com" for SSPR then it poses two issues; In order to send the invite out to internal employees Teams cannot see "xyz.com" as external to have the "Invite" option available. Teams searches for email addresses for let's say aaa@xyz.com and bbb@xyz.com in it's own address book which is not there because Exchange online is not integrated. If I do sync aaa@xyz.com and bbb@xyz.com from our on-prem AD then Teams is not able to send an email invite to those above users since they do not have emails setup with Exchange online.  If we do add an email for abc@xyz.com in the Azure AD then it posses another issue with email structure because now we have two emails for the same user - abc@xyz.com created by Exchange online and their own on-prem abc@xyz.com which is more confusing on which one to use. 

 

I might be clearly over complicating the way to implement this with but any idea or a workaround will be greatly appreciated!! Thank you!!

@Johnv735 

 

OK, I see where you are coming from.  My suggestion to you here would be to configure Hybrid Coexistence between you on-premises Exchange and Exchange Online.  This way, you can add your custom domain into O365 and still use Teams with full functionality with your on-premises mailboxes.  

 

Check this out for further guidance on the subject - https://techcommunity.microsoft.com/t5/microsoft-teams-community-blog/microsoft-teams-and-on-premise...

 

Also, take a look at this - https://docs.microsoft.com/en-us/microsoftteams/exchange-teams-interact 

 

What version of on-premises Exchange are you running please?