Microsoft Entra ID

Reset your forgotten Microsoft Entra password using Fortified ID Password Reset.

Overview

This use case describes how to configure password reset for accounts managed in Microsoft Entra. It covers self-service password reset scenarios. We also talk about delegated password reset scenarios, where an authorized administrator can reset another user’s password. A typical example is a teacher resetting a forgotten password for a student.

Prerequisites

Fortified ID Password Reset is installed and configured as a SAML Service Provider (SP) against an SAML Identity Provider (IdP), for example Fortified ID Access.
Configuration of the SAML IdP is outside the scope of this use case and is therefore not covered.

This use case provides an example configuration for resetting an Microsoft Entra password after successful user authentication. The pre-configured SAML IdP must support an authentication method that does not rely on an Microsoft Entra password, such as Swedish BankID, Freja, or username combined with a one-time password (OTP).

Configuration

Overview of the steps in this use case

Create a *.p12-file to use for login to Entra
1. Extract a *.cer-file from the *.p12-file
Configure your Entra tenant to support Password Reset
1. Register Password reset as an Entra app
  1. During registration the * -cer will be added
2. Add permission to reset password
Configure Fortified ID Password Reset
1. Add *.p12-file to Password Reset
2. Add the Entra module
3. Update the Password Self Reset pipe
Test to reset a Entra account password Note. In this test we will use a hardcoded account in the Pipe.

Create a *.p12-file using a tool of your choice. This file includes the certificate and private key. This will be added to Password Reset later in this use case.
Extract a *.cer-file from the *.p12-file. This include the public part of the certificate, this will be added to the app created for Password Reset in Entra later in this use case.

2. Configure your Entra tenant to support Password Reset

Login to Microsoft Entra admin center Note, in this use case we are using a Entra Workforce tenant. This is also supported for Entra External tenant type.
Click Entra ID section and click App registration
1. Click New registration
  1. Enter a name of the app registration, Fortified ID Password reset
  2. Select Accounts in this organizational directory only (<tenant_name> only - Single tenant)
  3. Click Register
2. Your are now in edit mode for your newly created app, Fortified ID Password reset. If not, click your newly created app
  1. Select API permissions
  2. Click + Add a permission -> Microsoft Graph -> Application permission -> User.Read.All
  3. Click + Add a permission -> Microsoft Graph -> Application permission -> UserAuthenticationMethod.ReadWrite.All
3. Click Grant admin consent for your_tenant
4. In the Overview section, copy these values (they will be used in later steps):
  - Application (client) ID
  - Object ID
  - Directory (tenant) ID
5. Add *.cer to to the Entra app (this file contains the public key to verify when Password Reset accessing Entra to reset a password).
6. Select Certificates & secrets
7. Select Certificates (0)
8. Click Upload certificate
  1. Select the certificate file
  2. Click Add
Click expand Entra ID section and click Roles and admins
1. In All roles locate and click User administrator
2. Click + Add assignment
  1. Search for your newly created app, Fortified ID Password Reset
  2. Select and click Add
That is the end of configuring Microsoft Entra

3. Configure Fortified ID Password Reset

3.1 Add *.p12-file to Password Reset

Login to Management Center for Password Reset
Click Configuration tab
Expand Misc settings and click Resources
Click + to add your *.p12-file

3.2 Add the Entra module

Login to Management Center for Password Reset
Click Configuration tab
Expand Modules and click + to add new module

Click add Entra

Click JSON button for the LDAPClient module
Copy data below and overwrite all existing data

Add client_id, tenant_id and keystore (path, password and alias) data for your environment

{
  "id": "entraid_1",
  "name": "EntraID",
  "description": "Module for Entra ID communication.",
  "config": {
    "namespace": "my_entra_tenant",
    "http_client_name": "default",
    "client_id": "xxxx-cb9c-4dbf-yyy-ssssss",
    "tenant_id": "dddd-eeee-eeee-fff-e3f55f4afbd4",
    "keystore": {
      "path": "${system.customer_home}/resources/added_p12_in_previous_step",
      "password": "p12_password",
      "type": "PKCS12"
    },
    "keystore_alias": "1",
    "keystore_password": "p12_password"
  },
  "display_name": "My Entra tenant"
}

Click Update and Deploy

3.3 Update the Password Self Reset pipe

Login to Management Center for Password Reset
Click Configuration tab
Expand Password Reset
Expand Pipes
Click self_reset
Click JSON for JSON Edit

Copy data below and overwrite all existing data

{  
  "id": "self_reset",
  "display_name": "self_reset",
  "description": "Self Reset",
  "config": {
    "valves": [
      {
        "name": "DumpRequest",
        "config": {
          "label": "**********   DumpRequest for Self Reset   **********"
        }
      },
      {
        "name": "DumpSession",
        "config": {
          "label": "**********   DumpSession for Self Reset   **********"
        }
      },
      {
        "name": "EntraIDResetPassword",
        "config": {
          "namespace": "my_entra_tenant",
          "ignore_error": true,
          "user_id": "{{{request.user_name}}}",
          "new_password": "{{{request.new_password}}}",
          "force_change_password_next_signin": false
        }
      },
      {
        "name": "FlowFail",
        "exec_if_expr": "(state.items && state.items.length > 0 && state.items[0].message === 'The specified password does not comply with password complexity requirements. Please provide a different password.')",
        "config": {
          "message": "PWDRESET_ERROR_PASSWORD_RESTRICTION"
        }
      },
      {
        "name": "FlowFail",
        "exec_if_expr": "state.items && state.items.length > 0",
        "config": {
          "message": "Failed to reset password!"
        }
      },
      {
        "name": "DumpState",
        "config": {
          "label": "**********   DumpState after LDAPSearch   **********"
        }
      }
    ]
  }
}

Click Update and Deploy

4. Test to reset a Entra account password

To test with static use data you can update the pipe above with the Entra userid (e.g. your_user@your_tenant_name.onmicrosoft.com)

On line 24, update like the example below.

"user_id": "your_user@your_tenant_name.onmicrosoft.com",

Browse to https://127.0.0.1/pwdreset/
Password Reset will redirect you to your SAML IdP
1. This use case expect that you have some authentication method that is not using the password you are trying to reset. Configuration of the SAML IdP is not explaind here. But for testing purposes, if your using Fortified ID Access is to prep a StaticSAML credential validator with an Entra account data you like to reset.
When logged in to Fortified ID Password Reset add a new password and click Reset
If the password did not reset
1. Verify the server.log file. The pipe configuration for this use case dumps a lot of data that can be of interest.
2. The user_name (see EntraIDResetPassword valve configuration) is the id that will be used to reset the password. Verify its value in log-file and match it to the userid in Entra.

PreviousMicrosoft Active Directory NextGoogle Workspace

Last updated 9 days ago

hashtagOverview

hashtagPrerequisites

hashtagConfiguration

hashtagOverview of the steps in this use case

hashtag1. Create a *.p12-file to use for login to Entra

hashtag2. Configure your Entra tenant to support Password Reset

hashtag3. Configure Fortified ID Password Reset

hashtag3.1 Add *.p12-file to Password Reset

hashtag3.2 Add the Entra module

hashtag3.3 Update the Password Self Reset pipe

hashtag4. Test to reset a Entra account password

hashtagLogin to Fortified ID Password Reset