Usage guide: Proactive password reset - Microsoft Teams

This page outlines various ways to use the pack, including use case examples. Administrators can refer to the Configuration guide to set up and customize the installed content.

The Workflow: Proactive password reset - Microsoft Teams library pack enables EUC teams to:

  • Reduce the risk of unauthorized access to company systems and sensitive information through prompt password changes.

  • Enhance the overall employee experience and alleviate frustration by proactively reminding employees about password expiration and providing support across multiple communication channels.

Library pack uses

Jump to Use cases on this page to see relevant scenario applications.

Use the library pack content for the following purposes.

Visibility

This library pack focuses on the Proactive password reset workflow. This workflow is designed to help automate the sending of password expiration reminders to employees through multi-level checks and reminders via Microsoft Teams messages. With support for both on-premises Active Directory domains and Entra ID environments, the workflow provides a universal way to help reduce the disruption caused by expiring passwords and the IT support workload associated with this issue.

Workflow triggering

This workflow is designed to run on all Windows devices, including devices connected to an on-premises Active Directory or Entra ID.

Schedule trigger recommendation

We recommend that you create a workflow schedule that runs once a day.

The example below shows what a query looks like when selecting Windows devices.

NQL:

devices
| where operating_system.platform == windows and device.license_type != server
| list name, operating_system.name, operating_system.build, last_seen

Predefined workflow structure and steps

The Proactive password reset - Microsoft Teams workflow is structured in these main steps:

  1. Depending on whether the account is linked to AD or Entra ID, the workflow checks the number of days before the password expires and whether or not the reminder threshold has been reached.

    1. The following workflow parameters need to be defined:

      1. Password expiration policy in days, which defines the number of days after the last password change before the password expires. This number should be taken from the organisation's password management policy.

      2. Reminder threshold, which defines the number of days before the password expires that employees must be notified of the password expiration and asked to change their password.

  2. The workflow sends a Microsoft Teams message through the Message thinklet, notifying employees of their password expiration and prompting them to change their password.

Workflow confirms that the employee's account is part of Microsoft Active Directory (AD) or Microsoft Entra ID

The first block of conditions, evaluated one after the other, is necessary to ensure coverage of both on-premises and hybrid environments (on-premises AD and Entra ID hybrid). It determines whether the device is joined to the local Active Directory or is a member of Entra ID. These conditions evaluate the Membership Type property and the presence of a device distinguished name. If the membership type is domain and the distinguished name is present, the device is considered a local AD member; otherwise, it is considered an Entra ID member.

Workflow checks the number of days before password expiry and whether the reminder threshold is reached

Depending on whether the account is linked to AD or Entra ID, the workflow uses the appropriate method to identify the date of the last password change to determine the number of days before the password expires and whether or not the reminder threshold has been reached.

  • On-premises AD: Get the last password change date using a remote action, then evaluate the result against a defined expiration policy and reminder threshold. If the number of days until the password expires reaches the threshold, notify the employee using a Teams message. If the employee has the Password never expires flag set, the workflow exits with the appropriate exit code.

  • Entra ID: The logic here is very similar, except that it uses a Microsoft Graph API call (LastPasswordChangeDateTime) to get the last password change date. If the number of days until the password expires reaches the threshold, notify the employee using a Teams message.
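The threshold evaluation described above, written out as an added example (not the library pack's own code): both the on-premises AD path (last change date plus the Password never expires flag) and the Entra ID path (the lastPasswordChangeDateTime value from Graph) feed one decision function. The outcome labels, the PasswordState type and the sample timestamps are constructed for illustration and are not the pack's exit codes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hypothetical outcome labels; the pack's real exit codes are not shown on the page.
NEVER_EXPIRES = "password_never_expires"   # AD flag set: exit without a reminder
NOT_DUE = "reminder_not_due"               # expiry is further away than the threshold
REMIND = "send_teams_reminder"             # threshold reached: send the Teams message


@dataclass
class PasswordState:
    """Last password change (UTC) plus the on-prem 'Password never expires' flag."""
    last_change: datetime
    never_expires: bool = False


def parse_graph_timestamp(value: str) -> datetime:
    """Parse the ISO 8601 UTC string Graph returns for lastPasswordChangeDateTime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def state_from_graph(user: dict) -> PasswordState:
    """Build the state from a (constructed) Graph user object for the Entra ID path."""
    return PasswordState(parse_graph_timestamp(user["lastPasswordChangeDateTime"]))


def days_until_expiry(state: PasswordState, policy_days: int, now: datetime) -> int:
    """Days left before the password expires under the expiration policy (negative if past)."""
    expires_at = state.last_change + timedelta(days=policy_days)
    return (expires_at - now).days


def evaluate(state: PasswordState, policy_days: int, threshold_days: int,
             now: Optional[datetime] = None) -> Tuple[str, Optional[int]]:
    """Decide whether a reminder is due. policy_days and threshold_days are the two
    workflow parameters; an already-expired password still counts as threshold reached."""
    now = now or datetime.now(timezone.utc)
    if state.never_expires:
        return NEVER_EXPIRES, None
    remaining = days_until_expiry(state, policy_days, now)
    if remaining <= threshold_days:
        return REMIND, remaining
    return NOT_DUE, remaining
```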

Workflow reminds employees to change their password with a Microsoft Teams message

Below is an example of what the Microsoft Teams message will look like in the employee's Teams application:

