Hey everybody, we are live. This is Protected Trust Live, and joining me today for, I think, the third or fourth time (they just go by so quick, it's great) is Steve Cornell, the service desk manager here at Protected Trust. Today we're discussing one of my favorite topics. I don't know if it's your favorite, but: self-service password reset. It's a mouthful, but all it means is that the user is able to reset their own password. This hasn't been a feature in previous versions of Exchange.

Right, and speaking on behalf of the service desk, I don't know how many password reset emails there are, the ratio, I mean, to other tickets. The industry standard for most help desks around most companies is like 20%: 20% of all the tickets that you get are password reset related. And it definitely helps out a lot in our case, giving the option for users to reset their own passwords. There are a lot of companies out there who have outsourced IT, where they have to sit on hold for a while and wait for somebody to get on the phone, or they have to reach out to somebody else and wait, whereas now they have the ability to just reset it for themselves within less than a minute. Comes in handy.

So what I thought we would do today is go over the benefits, aside from the fact that it frees up your help desk from that 20% of tickets that are going in, but also give a quick demonstration of how it works. I'm sure people have reset their passwords on other accounts before, but just to show the different ways that they can authenticate themselves to reset their password, because that's really the biggest concern that we've had when we've been doing hosted Exchange: how do you get someone to say who they are? How do you verify that the person that you're speaking with on the phone or dealing with over email is exactly who
needs to be the person to request it? Because nowadays, especially in the last live stream that you did, with a lot of the breaches and the hacks that are going on right now, phishing attempts are huge, and social engineering, things like that. If you have a really lax help desk that doesn't really go through a lot of verification in order to change things like this, you have people that can just call and say, "Hey, I'm so-and-so, the CEO of the company, reset my password," and if your company doesn't have something in place that can safeguard against things like that, you have a really big problem.

Right, and so that would lead to a lot of angry, yes, end users, but the admins would thank us, because we're just following not only their procedure but standard practice. Because anyone can call and start yelling at you and saying, "I need access to my account right now, I need you to reset my password," blah blah blah. So not only would we have the admin have to write in right then, we would go through all the checks to make sure that it wasn't being spoofed: look at the message header, see where it originated from. That is a big rule, at least for my guys out there, and it's been ever since I've been here, that you never do those types of account changes over the phone. There's no way to verify who it is. So in order to avoid any sort of issues with any of our clients, we always make it a standard. Unfortunately, sometimes people get upset that we have to do that, but when we explain it, we basically use the phrase: if you imagine that somebody called in and wasn't you, and we gave them access to your account, that would be a lot worse than having to deal with waiting a little bit for a password reset. But now they don't even have to do that; they can just reset it themselves with their own verification
information. So, right, it takes away the error of being human. Say you have a lapse in judgment and you feel sorry for the person on the other end of the phone. You're like, "Okay, I'll reset your password just this once." All it takes is that one time for an account to be compromised. So it takes it away from your help desk and gives it to the computer to analyze, to authenticate. And other than reducing costs for IT admins, people that are actually supporting the end users, it also drives mobility. It allows people to be able to reset their own passwords when they're away from the office. Big places that have in-house IT would normally have to pick up the phone and call their help desk and ask them to do a password reset, but if they're away from the office now, they've got to call in, using their cell phone to try to call, maybe they're on hold. But in this case you can, quite literally, anywhere with an internet connection, reset your own password. Exactly.

So what I think we'll do right now is just show how it's configured, very quickly, in the admin center. This isn't something the end user does; this is something that we would do as the cloud service provider, or your own local admins can do this if they have access to the Azure panel. So right now we're in Azure, and we got there by going to the normal portal.office.com and clicking on Azure, and then we're going to scroll all the way down to Password Reset. Right now we see that it is not enabled for anything. We do have a choice to put it in different groups too, so it's not something that has to be company-wide. Right, so if you have a set of users who refuse to adopt this policy, even though everyone should be adopting it, that is an option to do. But right now I'm just going to set it to All for this test company here and save it. And
while you're doing that, I will say for everyone watching that at Protected Trust, when we onboard anybody in 365, we enable this feature by default. And what he's doing right now isn't enforcing it for any users. So when you do turn this on, what will happen is, when somebody goes to log into the portal, they're going to see a request for a couple of verification options, one of which is an alternative email address, so like a non-work-related email address that you could use to receive an email to reset your own password, or a phone number, so a mobile device can call or text you a code, or a landline, if you have users that don't feel comfortable using their personal cell phones for work. We do come across that a little bit. Right.

And that's on the very next screen here: those four options that you're able to choose from. So, right, alternative email, which we advise against, actually, because of what we discussed on the last stream: once someone's in, they can set up forwarding rules, and so that just renders the email method useless, because now it forwards that request to a different mailbox, and then they're able to type in whatever code it is. Yeah, not to mention, in most cases, like what you guys discussed before, if you have an account that's compromised, the likelihood that somebody used that password on another account somewhere else is really high. In most cases somebody tries to use the same password for all their services, but if one gets hacked then everything else is potentially compromised as well, especially, in this case, the alternative email address, right?
So, right, mobile phone, which is the one that we've been pushing. You download the app and it will send you... is that the same thing, or will it call you? Well, no, what this will do is it will actually either call you with a number with a code or it'll text you a code. The Azure authenticator app is what we use for MFA, for multi-factor authentication. Okay, that's good to know. And then, right, so we had a question in one of our other YouTube streams, which was: MFA, can I do alternative email address? And we had to break the news: no. You can do it for self-service password reset, which we're kind of advising against right now, but... So MFA, no alternative email address, but with self-service password reset you can do it. And you just went over our office phone, and security question, which is what I'm gonna do, because it's the easiest one, because I don't want to give up... So I went ahead already and saved that. So what we'll do now is sign in to one of our test accounts. Yeah, the screen up. I have a screen out for two. All right, so this would be the page that, even if your users sign in all the time to the portal instead of going into Outlook to check their email, they will receive this prompt once they go to the portal. Correct, and that should only happen one time, right? Yeah. So encourage your users to just go through the process. It takes only a few seconds. So from the previous page, I chose office phone,
I believe, and also security questions. And I put, the only parameter, I only need to have one of these complete. And like you saw on the other screen, you can force your users to have all of the options, if that's what you want; you want them to have the most amount of, I guess, successful password reset chances that you can give them. So if you limit them to only one, and it's a security question, and they happen to forget the security question, then you're taking another phone call, because they can't reset their password now. So it's recommended that you at least give them two options, and, not recommend but make it mandatory, that you fill out both of those options. That way, if one fails, the other one's fine. If their phone is dead and they can't get a text message, then the alternative email address would be the one that you fall back on, because chances are you're on the internet, you're trying to reset your password. Yeah, really good point, really good point.

So I chose three security questions, which was the minimum, by the way. You can go all the way up to five if you want. Wow. So I just chose easy ones, so you probably want to stick with harder ones. Spaghetti. And then, what is my first pet's name? Spaghetti. Oh, that's interesting. And what is your childhood nickname? Spaghetti also. Spaghetti? Wow. So I'm gonna save those. "All of your answers are identical." Oh, look at that. How about that. That's actually a great security feature. Yeah, yeah, I did not know that you couldn't give the same answer, but that's interesting, right? So it's actually a good practice, which is something that we learned from one of our phishing videos: if you are filling out security questions, it's actually really good practice to have a different answer than what the question is asking. Oh, wow.
So for "what is your favorite food," you type in, like, what's your hometown. You reverse them, so that if someone happens to know you really well, like I know you, right, I could just go into your account and answer your security questions. So we'll say that was my... how about Fluffy? That's a good first dog's name. And I can't name myself Fluffy; how about Steady? All right, so remember, I only chose having to have one of these, right? So it's not going to force you to fill out the other one, right. So I'll just click finish, and I don't want to save that to my web browser. That's poor. And then it asks you to sign in. Looks good. Don't save. And I'm in my account, like everything's normal. Okay, so, right, what does it actually look like to reset your password? Well, very familiar to the screen that we just filled out. It's gonna give me those same questions again. So click "forgot password," and I'll have to fill out the captcha, which I think it does for most things, the first standard test, but make sure that you're not a computer or a bot. So, right there,
there's those questions again. And that's all it is. I personally don't like the question one, since it is easy for someone who knows you to do it, but I like mobile phone, because I always have my phone on me. Most people do. Mobile phones are always the go-to for that. That's the reason why we push the authenticator app for MFA when we configure that for our tenants, for our clients: having that second layer. Some people don't really like it, because it's an additional thing that they have to do. Having to type in something every time you log in, or you go to add your mailbox to Outlook or something along those lines, having to do an additional step is always inconvenient, but that's kind of the double-edged sword to additional security. Right, having that sacrifice to do that every so often is worth not losing your identity or having somebody break in to any of your accounts. So the mobile device makes it really easy for the MFA, because you can just push an approve button, and then on this side it's really easy because it just texts you a code, you type it in (I think it's either a four or six digit code) and you're back right into your work. Or a phone call, sure, if you wanted to. Absolutely. At least that's the only option for your office phone, right, because they can't receive text messages. We're not there yet, technology-wise. No, we're not. Okay, we're not there yet.

Well, anything else for self-service password reset? Well, we were discussing the benefits of it, and on the IT side we discussed being able to reduce phone calls and cut down on things. From an IT perspective, the fewer tickets that you get, the more money that you save as a company, right? So you have to hire fewer people, right?
So that's always a plus. On the self-service password side for the users, basically there's a few options here on what to do. If the user knows their password but they want to change it to something new, then they can just log in and change it; they have the ability to do that. Well, with self-service password turned off, they wouldn't have the ability to do that. So that's another thing for people to know: if that option that you showed is not turned on, and you successfully log in to your account and go to your passwords and go to change it, it'll tell you that your administrator is not allowing you to do that. So even if you weren't locked out or forgot your password, you still wouldn't be able to change your own password without that turned on. So even if you don't want to enforce any of those options and you just want to give people the ability to change their passwords when they can already get in... some people have been using accounts like this at work for years, and they have their own regimen on when they want to change their passwords. So whether they do it every 90 days or a couple times a year, they want to be able to go in there and change it without having to bug anybody. So turning that on also allows them to do that. And then it can send the text message, you can make the phone calls, I guess an email address, and it can even... you can even use that to unlock your account, if there is a lockout policy. So that's something that we didn't really touch on. There are options within Azure, when you enable self-service password, to do a password policy. You can go above Microsoft's complexity, which is already pretty complex. Yeah. You can set certain standards.
You can set lockout policies: every three failures, five failures, seven failures, whatever you want to do. And you can also, I believe, set a lockout time, so if somebody gets locked out they have to wait 30 minutes or so, and then they can attempt to do it again. And there's a lot of options in there. But IT admins definitely would be able to mimic whatever lockout policies they have now with whatever on-prem AD that they have, whatever they're using, when they move to 365. We can definitely mimic any of those policies in 365. It's all built in. Very cool. Yeah. Well, you did it again, Steve. That's what I'm here for.

So if you have any questions about self-service password reset... I know, like you said, it's something that we do by default, so most of our users have probably already gone through this. Absolutely, they did it so quickly they don't even realize that they have it. Yeah. So yeah, take the time, if you're not a client of ours, set it up for your organization, and have your users spend the, what, 15 seconds that it takes to set it up. It's a good time save for your support desk, and it adds a whole bunch of security to your company. Absolutely. So for Steve, I'm Steve. If you like our content, please click the like button or the subscribe button, and also thank you to our clients who make these live streams possible. Thanks, everyone.