Configuration guide: Proactive password reset

Introduction

To get started with this workflow, please ensure all related content is installed and configured appropriately. This page provides guidance on which content is included and how to configure it.

Please keep in mind this is just a guide and represents suggested configurations. You are free to customize and edit content as you see fit based on your specific environment.

Pre-requisites

This library pack contains content from the following expansion products

Content and dependency

This library pack contains the following content and dependencies:

Type | Name | Description

Proactive password reset orchestration

Workflow to orchestrate a more powerful password reset process.

Password expiry warning - workflow invoke

Warns the user that their password is about to expire and shows a link where they can change the password.

Password expiry warning

This is a remote action campaign initiated by the Invoke proactive password reset remote action. Warns the user that their password is about to expire and shows a link where they can change the password.

Invoke proactive password reset

Checks password expiration date and if it is within the time frame provided by the input parameter, runs a campaign to warn the user (providing link to reset the password).

Get password expiry for Entra ID endpoints

This remote action is designed for use with endpoints that are Entra ID joined (full Microsoft cloud attached scenarios) and should be executed from a Nexthink Flow.

Configuration

Step 1) Install library pack content

Go to the Nexthink Library and install all required content.

Step 2) Set up a registered Microsoft Entra ID app and configure Microsoft Graph API connector credentials

Refer to the following documentation page to register the Microsoft Entra ID application and configure the appropriate connector credentials in Nexthink: Entra ID integration for workflows.

For this workflow, the registered Entra ID application must be granted the following permissions:

Permission type | Least privileged permissions

Delegated

  • User.Read.All

  • GroupMember.ReadWrite.All

  • Device.ReadWrite.All

  • Directory.Read.All

  • Mail.Send

Application

  • User.Read.All

  • GroupMember.ReadWrite.All

  • Device.ReadWrite.All

  • Directory.Read.All

  • Mail.Send

For detailed information about permissions, see the Graph API documentation:

Step 3) Configure global parameters

There are three global parameters in this workflow:

3.1) Password expiration policy in days (password_expiration_policy_in_days)

This parameter contains the password expiration policy in days, that is, how often (in days) the password must be changed before it expires. Below are the default values of these parameters:

Name | Default value | Description
Password expiration policy in days | 90 | The number of days until user passwords expire, as defined by your organization.
Reminder threshold | 30 | The number of days before user passwords expire when users must be notified to change their passwords.

3.2) Reminder threshold (reminder_threshold)

This parameter contains the number of days before the password expires that the user should be notified of the upcoming password expiration.

Step 4) Configure remote action(s)

This workflow uses the following remote actions. Make sure to install the latest versions and complete the setup as below.

Name | Trigger | Parameters to edit

Invoke proactive password reset

API trigger should be enabled so that it can be triggered from the Workflow

The following RA input parameters will be overridden by workflow parameters and must have the Allow user to enter custom values option enabled:

  • DaysUntilExpiration

  • PasswordExpirationPolicyInDays

Get password expiry for Entra ID endpoints

API trigger should be enabled so that it can be triggered from the Workflow

The following RA input parameters will be overridden by workflow parameters and must have the Allow user to enter custom values option enabled:

  • pw_reset_threshold

  • last_password_change_date_time

  • reminder_threshold

Invoke proactive password reset - Input parameters

Name | Default value | Description
CampaignId | password_expiry_warning | ID of the campaign to notify the user that the password is about to expire and to provide the URL to reset it.
DaysUntilExpiration | This input parameter will be overridden by workflow parameters and must have the Allow user to enter custom values option enabled. | Number of days left for the password to expire. If the expiration date is inside this time frame, the campaign is run.
MaximumDelayInSeconds | 60 | Maximum random delay set to avoid domain controller overload. Provide a number of seconds less than 600.
PasswordExpirationPolicyInDays | This input parameter will be overridden by workflow parameters and must have the Allow user to enter custom values option enabled. | Number of days for the password to expire since it is set.

Get password expiry for Entra ID endpoints - Input parameters

Name | Default value | Description
pw_reset_threshold | This input parameter will be overridden by workflow parameters and must have the Allow user to enter custom values option enabled. | This value should match the password reset policy value in days which is set in Entra ID. It must be provided to perform the calculation.
last_password_change_date_time | This input parameter will be overridden by workflow parameters and must have the Allow user to enter custom values option enabled. | The date and time that the password was last reset, which is provided using the API widget contained in the Nexthink Flow.
reminder_threshold | This input parameter will be overridden by workflow parameters and must have the Allow user to enter custom values option enabled. | This input value is the expiry countdown (number of days) at which you would like the user to begin being prompted to perform a password reset. When the threshold is active, the user will be reminded on each Flow execution.
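The calculation these three input parameters feed, as an added example (not Nexthink's remote action script): it derives the expiry date from last_password_change_date_time and pw_reset_threshold and decides whether reminder_threshold has been reached. The function name, the returned action labels and the sample timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ExpiryDecision:
    expires_at: datetime
    days_left: int  # whole days remaining (floored); negative once expired
    action: str     # "none", "remind" or "expired" (labels are assumptions)


def parse_utc(timestamp: str) -> datetime:
    """Parse an ISO 8601 timestamp such as '2025-01-10T08:00:00Z' into UTC."""
    parsed = datetime.fromisoformat(timestamp.strip().replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        # Assumption: a timestamp without an offset is already UTC.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def evaluate_password_expiry(last_password_change_date_time: str,
                             pw_reset_threshold: int,
                             reminder_threshold: int,
                             now: datetime) -> ExpiryDecision:
    if pw_reset_threshold <= 0:
        raise ValueError("pw_reset_threshold must be a positive number of days")
    if not 0 <= reminder_threshold < pw_reset_threshold:
        # A threshold at or above the policy would prompt every user on every run.
        raise ValueError("reminder_threshold must be below pw_reset_threshold")
    changed = parse_utc(last_password_change_date_time)
    if changed > now:
        raise ValueError("last password change is in the future; check the input")
    expires_at = changed + timedelta(days=pw_reset_threshold)
    remaining = expires_at - now
    if remaining <= timedelta(0):
        action = "expired"
    elif remaining <= timedelta(days=reminder_threshold):
        action = "remind"
    else:
        action = "none"
    return ExpiryDecision(expires_at, remaining.days, action)


# Constructed sample values with the page's defaults: 90-day policy, 30-day reminder.
NOW = datetime(2025, 4, 1, 12, 0, tzinfo=timezone.utc)
if __name__ == "__main__":
    for changed in ("2025-03-01T09:00:00Z", "2025-01-10T08:00:00Z", "2024-12-01T08:00:00Z"):
        print(changed, evaluate_password_expiry(changed, 90, 30, NOW))
```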

Step 5) Configure campaigns

There are four campaigns in this workflow:

Campaign name | Campaign NQL ID | Description
Password expiry warning | password_expiry_warning | Warns the user that their password is about to expire and shows a link where they can change the password. This is a remote action campaign initiated by the Invoke proactive password reset remote action.
Password expiry warning - workflow invoke | password_expiry_warning_workflow_invoke | Warns the user that their password is about to expire and shows a link where they can change the password.

These campaigns should be modified before use to ensure that they match corporate communication guidelines. Navigate to the manage campaigns administration page to review and edit your campaigns.

For each installed campaign, make sure to:

  • Customize the sender name and image.

  • Review and adjust questions.

  • Publish the campaign when you are ready to use it.

Step 6) Schedule the workflow

This workflow is designed to run on all Windows devices, including devices connected to an on-premises Active Directory or Entra ID.

Schedule trigger recommendation

We recommend creating a workflow schedule that runs the workflow once every 3 days because the workflow contains two-day delays for users to change their passwords.

The example below shows what a query looks like when selecting Windows devices.

NQL:

devices
| where operating_system.platform == windows and device.license_type != server
| list name, operating_system.name, operating_system.build, last_seen

Usage guide

Your content is now configured and ready to be used. For usage overview and recommendations, you can visit the usage guide:

Usage guide: Proactive password reset

