pmarsh
New Friend (or an Old Friend who Built a New Account)
Registered:1451932773 Posts: 64
Posted 1497972963
#1
I'm configuring SSPR for O365 and AD Connect. This will enable users to reset their passwords when out of the office (not on the domain). If a user changes the password while out of the domain they will have 2 passwords. The first will be the cached password when logging into the machine and the second will be authenticating to O365 via AD Connect. Once they are back on the domain the cached password will be updated to the new password and everything is happy happy. Is there a way now other than a VPN to update the cached password? I see user confusion coming down the pipe. Is there direction from MS that it's a feature they are working on or maybe it exists now and I don't know. TIA
wobble_wobble
Associate Troublemaker Apprentice
Registered:1451575798 Posts: 871
Posted 1497989138
#2
Simple answer: no.
More complex answer: not easily without a VPN.
You could look to deploy Direct Access, if the business is big enough / you want to change the VPN solution (I say DA as there is less end user interaction, therefore fewer end user issues).
But not 100% ideal.
__________________
Have you tried turning it off and walking away? The next person can fix it! New to the forum? Read this
lady_mcse
New Friend (or an Old Friend who Built a New Account)
Registered:1451939938 Posts: 94
Posted 1498101751
#3
I sure would hate for you to hold me to this, but I work remotely 100% of the time, and I could swear that my last password change was way easier with O365 in place. We're using 2 factor auth, so I regularly have to accept a validation from a phone app, but I sort of think that once I was validated to portal.office.com through a browser and my mobile app, all I had to do was lock & unlock my workstation for everything to sync up. Now I do also have VPN access, so it's possible my rusty brain is failing me here, but I'm pretty sure I was exploring the boundaries of laziness for the purposes of simulating what other end-users have to do (e.g. not doing VPN unless I absolutely had to).
Wes
Senior Member
Registered:1451679330 Posts: 230
Posted 1498538664
#4
DA ftw
pmarsh
New Friend (or an Old Friend who Built a New Account)
Registered:1451932773 Posts: 64
Posted 1498762032
#5
Thank you folks for the input, much appreciated. Per MS support there is a thing called Azure Active Directory Join that is supposed to address this problem: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-overview
Documentation as always these days is all over the place and gives you a million different options for a million different scenarios. Following the threads in each doc I land on the following steps: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup
HOLY CRAP, I've been working with MS environments since NT and this is the most complicated and confusing thing I think I've run into over the years... as the kids would say, FML
wobble_wobble
Associate Troublemaker Apprentice
Registered:1451575798 Posts: 871
Posted 1498946187
#6
Anne - You have a VPN in place...
Paul - I have a particular hatred for Azure AD Joined for machines that could be domain joined. You'll need Intune, won't be able to use GPO, and for giggles get issues with OneDrive (more issues than a Domain Joined machine).
donoli
Senior Member
Registered:1454887308 Posts: 580
Posted 1499181439
#7
Pmarsh, not to hijack the thread but is the password change that you mentioned a GPO forced password change after a certain time frame? I know that some companies insist on a regular password change but I wonder if it's really a good policy or not. It forces users to "grasp at straws" to comply. That can make the new password weaker than the previous password.
pmarsh
New Friend (or an Old Friend who Built a New Account)
Registered:1451932773 Posts: 64
Posted 1499274443
#8
Wobble: Go on about the hatred for Azure AD Join, please share your experiences.
Donoli: Yes, GPO policies are in place: change every X, remember last X, min length and required complexity.
lady_mcse
New Friend (or an Old Friend who Built a New Account)
Registered:1451939938 Posts: 94
Posted 1499370775
#9
Quote:
Originally Posted by pmarsh: HOLY CRAP, I've been working with MS environments since NT and this is the most complicated and confusing thing I think I've run into over the years... as the kids would say, FML
I am soooo glad to hear someone else say that... I'm starting to feel like the coworkers I scoffed at 20 years ago when they were talking about the glory days of mainframes. What goes around comes around, I guess. Dinosaurette signing off...
wobble_wobble
Associate Troublemaker Apprentice
Registered:1451575798 Posts: 871
Posted 1500583195
(Edited)
#10
Quote:
Originally Posted by pmarsh: Wobble: Go on about the hatred for Azure AD Join, please share your experiences.
My experience comes from supporting others, as I don't use OneDrive except as a web experience.
1. Azure AD Joined Surface Pro & Surface Books + OneDrive (both versions, Business + Home), syncing & resyncing and filling up disks.
2. Azure AD Joined Surface Pro & Surface Books confusing the end user with Home + Business OneDrive.
3. Devices not being internet connected for several months, causing issue 1.
4. Not being able to manage the device with AD tools... So you need two skill sets for patching, AV reporting, usage reporting, inventory reporting.
Bit of a rant now... My general opinion of "business machines" is that I support the backup of the business data by putting it "on my servers" and I'll spend 30 minutes troubleshooting an end device issue, then wipe + re-install. The more easily deployed "and sold by marketing" option of Azure AD Joined machines means that we now have 2 explanations for people who don't want to listen to us IT people about recovering data, which gets merged into 1 opinion by the end user, which means we look like the bad guys, because we didn't buy Intune / backup of end-point devices, more training because we spent the budget on the Surface Book Pros...
And yes, IT is getting harder... the rate of change in what we sell / support means that your cookie cutter solution needs to change almost weekly. New solutions are being deployed almost weekly from SaaS solutions that were baked into client / server / MVC solutions. But as they are drip released, you never get the project finished. And let's not forget the renaming of a solution / SaaS... seriously, we need a stupid stick to hit these people who rename a service every 6 months. Telling me about the change on social media is not a solution, as I'm too busy doing my job and living my life with my kids to spend 3 hours a day reading repeated, slightly changed marketing. Bring back Technet Magazine, I say, and limit it to 20 pages a month!
I'm now going to go have a drink!