How Can I Sync Passwords in a Hybrid Environment Without VPN?

Asked By SunnyLemon123 On

I'm trying to understand Self-Service Password Reset (SSPR) in my hybrid setup. We have a cloud-only mailbox system, no local Exchange, and on-prem Active Directory (AD) that we sync using Azure AD Connect. Currently, when users change their password, they have to connect to our VPN if they're remote or just change it directly in the office. We're considering moving away from traditional VPNs towards a solution like Zscaler. My main concern is that if I enable SSPR, users will be stuck with two passwords because their laptops cache old credentials if they haven't synced with the local AD after changing the password. Given that 25% of our workforce rarely uses a VPN, how can we ensure they don't end up juggling two passwords?

1 Answer

Answered By TechSavvyJoe On

Basically, your hybrid setup means that the local AD is still the master when it comes to password changes. If those devices can’t communicate with the AD, they won't get updated and will still rely on cached credentials. So yes, those users either need to connect via VPN or come to the office to sync up. You might want to look into reimaging everyone to be Entra/Intune only, but that can be a big job!

LimeyDeveloper -

I like how you think! Maybe a staggered approach could work?
