Azure PW is a game-changer for businesses looking to create seamless user experiences. With Azure PW, you can easily integrate authentication and authorization into your applications, eliminating the need for multiple login credentials.
This means users can access all their applications with a single set of credentials, streamlining the login process and reducing friction. Azure PW also provides a robust security framework to protect user data.
By leveraging Azure PW's scalable and secure architecture, businesses can focus on delivering high-quality user experiences rather than worrying about the underlying infrastructure. This results in increased customer satisfaction and loyalty.
Prerequisites
Before we dive into resetting the admin password on your Azure VM, make sure you have the Azure PowerShell module installed, which can be done by running the command Install-Module -Name Az.
You'll also need to ensure the VM agent is installed, which should already be the case if your VM was built via an image from the gallery.
Authentication
Azure PW offers a range of authentication options, including passwordless authentication for Azure AD identities.
You can use certified FIDO2 devices for passwordless authentication across all services and applications connected to Azure AD as an Identity Provider (IdP). FIDO2 is backward compatible with U2F, but Microsoft doesn't offer the option to use U2F as a pure MFA device in Azure.
To enable passwordless authentication, you need to enable one or more pilot groups. You can enable FIDO2 for a single user or a group of users, even if the group is synchronized from your on-premises Active Directory.
Here's a step-by-step guide to enabling FIDO2 for a single user:
- Sign in to the Azure AD admin center.
- Browse to Azure Active Directory > Security > Authentication methods > Authentication method policy.
- Under the method FIDO2 Security Key, choose the following options:
  - Enable: Yes or No
  - Target: All users or Select users
- Save the configuration.
Once your users are enabled, they can set up their FIDO2 device by accessing the URL https://myprofile.microsoft.com. This is where they'll register their FIDO2 device, which is a simple process similar to configuring MFA.
If the FIDO2 device has additional biometric security, such as a fingerprint, this is also configured during setup. If the device doesn't have a biometric feature, a human presence is checked and verified with a simple gesture on the FIDO2 device.
Here are the steps to set up a FIDO2 device:
- Browse to https://myprofile.microsoft.com.
- Click Security Info.
- Add a FIDO2 Security key by clicking Add method and choosing Security key.
- Choose USB device or NFC device.
- Have your key ready and choose Next.
- A box appears asking you to create or enter a PIN for your security key, then to perform the required gesture for the key, either biometric or touch.
- You are returned to the combined registration experience and asked to give the key a meaningful name, so you can tell it apart if you have more than one. Click Next.
- Click Done to complete the process.
You can also use Microsoft Graph to manage users' authentication methods.
Policy Management
To manage policies in Azure AD B2C, you need to sign in to the Azure portal. This is the first step in uploading and testing a policy.
There are two ways to upload a policy: through the Identity Experience Framework or by uploading a custom policy. To upload a policy through the Identity Experience Framework, you need to select Custom Policies and then Upload Policy. To upload a custom policy, you need to select Upload custom policy in the Policies menu.
You can also create a password reset policy by using a custom policy. Custom policies are a set of XML files that you upload to your Azure AD B2C tenant to define user journeys. To create a custom policy, you can use the starter packs provided by Azure AD B2C, which include pre-built policies for sign up and sign in, password reset, and profile editing.
To handle the error code AADB2C90118, which is returned when the self-service password reset experience isn't enabled, your application must reinitialize the authentication library to authenticate an Azure AD B2C password reset user flow. This involves initiating a new authorization request that specifies the password reset policy name.
Upload Custom Policy
To upload a custom policy to your Azure AD B2C tenant, you'll need to sign in to the Azure portal. You can access the portal by going to the Azure website and signing in with your credentials.
If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu. This will ensure you're working with the correct tenant.
To upload the policy, navigate to the Azure AD B2C section in the portal and select Identity Experience Framework. From there, select Custom Policies and then Upload Policy.
You'll need to upload two files: the TrustFrameworkExtensionsCustomForcePasswordReset.xml file and the relying party file with the same name. To do this, select the Upload button and repeat the process for each file.
Here's a step-by-step guide to uploading the policy files:
- Sign in to the Azure portal.
- Switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- Navigate to Azure AD B2C and select Identity Experience Framework.
- Select Custom Policies and then Upload Policy.
- Upload the TrustFrameworkExtensionsCustomForcePasswordReset.xml file.
- Upload the relying party file with the same name.
Legacy Policy
If the self-service password reset experience isn't enabled, selecting the password reset link doesn't automatically trigger a password reset user flow. Instead, the error code AADB2C90118 is returned to your application.
Your application must handle this error code by reinitializing the authentication library to authenticate an Azure AD B2C password reset user flow. This involves a few steps to get the user back on track.
The user selects the Sign in link, and the app initiates an authorization request, redirecting to Azure AD B2C to finish signing in. The authorization request specifies a sign-up or sign-in policy name, such as B2C_1_signup_signin.
The user then selects the Forgot your password? link, and Azure AD B2C returns the AADB2C90118 error code to the application. This is where things get a bit tricky.
To handle this error code, your application needs to initiate a new authorization request, specifying the password reset policy name, such as B2C_1_pwd_reset. This will get the user back on the path to resetting their password.
User Journey
To create a user journey in Azure AD B2C, you'll need to declare a Boolean claim, specifically the "isForgotPassword" claim. This claim is used to indicate that a user has selected the "Forgot your password?" link.
To prepare your user journey, you'll need to reference the Forgot Password sub journey ID in the ClaimsProviderSelection element of the CombinedSignInAndSignUp step. If you don't have a custom user journey, you can duplicate an existing sign-up or sign-in user journey by copying the entire contents of the UserJourney element and renaming the ID.
Here are the steps to duplicate an existing user journey:
By following these steps, you'll have a custom user journey that you can use to connect the Forgot your password? link to the Forgot Password sub journey.
Force Login
Forcing a login can be a useful tool for administrators to ensure user security. You can force a user to reset their password on next login by updating their account password profile using MS Graph Update user operation.
To do this, you need to assign your Microsoft Graph application the User administrator role, which can be achieved by following the steps in Grant user administrator role. This will give you the necessary permissions to update the user's password profile.
Updating the password profile to force the user to reset their password on next login involves setting the forceChangePasswordNextSignIn attribute to true. This can be done using MS Graph, and once completed, you must also configure the force password reset flow.
Forcing a user to reset their password after 90 days is another way to ensure their login security. This can be achieved by setting the user's password expiration to 90 days using MS Graph, which will automatically set the forceChangePasswordNextSignIn attribute to true.
Removing the DisablePasswordExpiration value from the user's profile Password policy attribute will also force a password reset after 90 days, by setting the password policy to None.
Set User Journey
To set your user journey, you'll need to update the Relying Party section in your custom policy. This involves specifying the user journey that Azure AD B2C will execute. First, open the file that contains the Relying Party element, such as SocialAndLocalAccounts/SignUpOrSignin.xml.
In the RelyingParty element, find the DefaultUserJourney element, which is where you'll update the ReferenceId to match the ID of the user journey you've created or modified. This ensures that the correct user journey is executed for your custom policy.
Here's a step-by-step guide to update the DefaultUserJourney ReferenceId:
1. Open the file with the Relying Party element.
2. Find the DefaultUserJourney element.
3. Update the ReferenceId to match the ID of the user journey you've created or modified.
By following these steps, you'll ensure that your custom policy executes the correct user journey, providing a seamless experience for your users.
Add Sub Journey
To add a sub journey to your user journey, you need to open the extensions file of your policy, such as SocialAndLocalAccounts/TrustFrameworkExtensions.xml.
You'll find the SubJourneys element, and if it doesn't exist, you can add it after the User Journeys element.
To add a sub journey, you'll need to add the following sub journey to the SubJourneys element:
- Declare the sub journey with the Call type, so that when the sub journey finishes, control returns to the orchestration step that invoked it.
Here's a step-by-step guide to adding a sub journey:
- Open the extensions file of your policy, such as SocialAndLocalAccounts/TrustFrameworkExtensions.xml.
- Find the SubJourneys element.
- Add the following sub journey to the SubJourneys element:
By following these steps, you can add a sub journey to your user journey and handle specific steps that deliver a seamless experience to the user.
Notify Users
Notify users on password resets and let them know that their password has been changed.
Users receive an email notifying them that their password has been changed, sent to their primary and alternate email addresses stored in Microsoft Entra ID.
If no primary or alternate email address is defined, SSPR will attempt to send the email notification via the user's User Principal Name (UPN).
Email notifications from the SSPR service are sent from specific addresses based on the Azure cloud you're working with.
App Flow
Your Azure PW app needs to handle various user flows, and one of them is the Forgot Password flow. This flow is indicated by the isForgotPassword claim, which is a Boolean value in the token sent to your app.
To detect whether the user signed in through the Forgot Password flow, check the isForgotPassword claim in the token. If the claim isn't already issued, add it to the output claims in the Relying Party section so it appears in the token your app receives.
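The legacy AADB2C90118 handling described under Legacy Policy, together with the isForgotPassword check from this section, as an added Python example (not code from the page or from Microsoft). The tenant name, client id and redirect URI are placeholders, and the constructed callback URL stands in for the redirect Azure AD B2C would send back to the app.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for this example: tenant, client id and redirect URI are
# placeholders; the policy names and error code are the ones the page uses.
TENANT = "contoso"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://localhost:5000/auth/callback"
SIGNIN_POLICY = "B2C_1_signup_signin"  # sign-up or sign-in policy
RESET_POLICY = "B2C_1_pwd_reset"       # password reset policy
FORGOT_PASSWORD_ERROR = "AADB2C90118"  # emitted when the legacy flow is in use

# Constructed redirect from B2C after a user clicked "Forgot your password?".
SAMPLE_RESET_CALLBACK = (
    REDIRECT_URI + "?error=access_denied"
    "&error_description=AADB2C90118%3A+The+user+has+forgotten+their+password."
    "&state=s1"
)


def authorize_url(policy, state):
    """Build the B2C authorization request for the given policy (user flow)."""
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "response_mode": "query",
              "scope": "openid offline_access", "state": state}
    return f"{base}?{urlencode(params)}"


def handle_callback(callback_url, expected_state):
    """Interpret the redirect B2C sends back. Returns ("code", code) normally,
    or ("reset", url) after AADB2C90118 so the app can restart authorization
    against the password reset policy; any other error is raised."""
    qs = parse_qs(urlparse(callback_url).query)
    # A state mismatch means this session never issued the request: reject it.
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch in authorization response")
    if "error" in qs:
        description = qs.get("error_description", [""])[0]
        if description.startswith(FORGOT_PASSWORD_ERROR):
            return ("reset", authorize_url(RESET_POLICY, expected_state))
        raise RuntimeError(f"B2C returned {qs['error'][0]}: {description}")
    return ("code", qs["code"][0])


def password_was_reset(claims):
    """True only when the token carries the boolean isForgotPassword claim."""
    return claims.get("isForgotPassword") is True
```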
User Management
User Management is crucial for any Azure PaaS application.
You can manage users through the Azure portal, where you can add, remove, and update user roles and permissions.
Azure Active Directory (AAD) is the default identity provider for Azure PaaS, and it's used to authenticate and authorize users.
User roles in Azure PaaS are based on the Azure RBAC (Role-Based Access Control) model, which defines permissions and access levels for different roles.
Each user can have one or more roles assigned, and the permissions are cumulative, meaning that users in multiple roles will have all the permissions from each role.
Azure PaaS also supports custom roles, which allow you to define specific permissions for your application.
Custom roles are useful for applications that require unique permissions or access levels that aren't covered by the built-in roles.
To manage users and roles in Azure PaaS, you'll need to use the Azure portal or the Azure CLI.
Frequently Asked Questions
How does Azure password writeback work?
Azure password writeback synchronizes password changes made in Azure AD or Microsoft 365 with on-premises AD accounts, allowing users to reset or change their passwords remotely. This seamless integration enables secure and convenient password management.
What is Azure password protection?
Azure password protection is a feature that filters out weak and commonly used passwords to prevent hacking attempts. It rejects easily guessable passwords, such as "Password123" and "123456", to keep your organization's accounts secure.