# Configuration guide: Proactive password reset

{% hint style="warning" %}
The configuration options on this page are only accessible to [administrators](https://docs.nexthink.com/platform/user-guide/administration/account-management/roles).

Refer to the [Usage guide: Proactive password reset](https://docs.nexthink.com/platform/library-packs/l1-support/workflow-proactive-password-reset/usage-guide-proactive-password-reset) to use library content as a standard user.
{% endhint %}

## Prerequisites <a href="#pre-requisites" id="pre-requisites"></a>

This library pack contains content from the following [expansion products](https://docs.nexthink.com/platform/overview/products):

* [Employee Engagement - Campaigns](https://docs.nexthink.com/platform/user-guide/campaigns)
* [Flow - Workflows](https://docs.nexthink.com/platform/user-guide/workflows)

## **Included content and dependencies** <a href="#content-and-dependency" id="content-and-dependency"></a>

This library pack contains the following content and dependencies:

<table><thead><tr><th width="219">Type</th><th width="235">Name</th><th>Description</th></tr></thead><tbody><tr><td><a href="https://docs.nexthink.com/platform/user-guide/workflows">Workflows</a></td><td>Proactive password reset orchestration</td><td>Workflow to orchestrate a more powerful password reset process.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/campaigns">Campaigns</a></td><td>Password expiry warning - workflow invoke</td><td>Warns the employee that their password is about to expire and shows a link where they can change the password.</td></tr><tr><td></td><td>Password expiry warning</td><td>This is a remote action campaign initiated by the 'Invoke proactive password reset' remote action. Warns the employee that their password is about to expire and shows a link where they can change the password.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td>Invoke proactive password reset</td><td>Checks password expiration date and if it is within the time frame provided by the input parameter, runs a campaign to warn the employee (providing link to reset the password).</td></tr><tr><td></td><td>Get password expiry for Entra ID endpoints</td><td>This remote action is designed for use with endpoints that are Entra ID joined (full Microsoft cloud attached scenarios) and should be executed from a Nexthink Flow.</td></tr></tbody></table>

## Configuring Proactive password reset pack <a href="#configuration" id="configuration"></a>

{% hint style="info" %}
Adapt these suggested configuration steps to edit and customize content according to your organizational needs.
{% endhint %}

Follow these steps to install and configure content:

* Before configuration - Install library pack content from [Nexthink Library](https://docs.nexthink.com/platform/user-guide/nexthink-library)
* [Step 1 - Set up a registered Microsoft Entra ID app and configure Microsoft Graph API connector credentials](#step-2-set-up-a-registered-microsoft-entra-id-app-and-configure-microsoft-graph-api-connector-creden)
* [Step 2 - Configure global parameters](#step-3-configure-global-parameters)
* [Step 3 - Configure remote actions](#step-4-configure-remote-action-s)
* [Step 4 - Configure campaigns](#step-5-configure-campaigns)

### Step 1 - Set up a registered Microsoft Entra ID app and configure Microsoft Graph API connector credentials <a href="#step-2-set-up-a-registered-microsoft-entra-id-app-and-configure-microsoft-graph-api-connector-creden" id="step-2-set-up-a-registered-microsoft-entra-id-app-and-configure-microsoft-graph-api-connector-creden"></a>

Refer to the following documentation page to register the Microsoft Entra ID application and configure the appropriate connector credentials in Nexthink: [Entra ID integration for workflows](https://docs.nexthink.com/library/entra-id-integration-for-workflows).

For this workflow, the registered Entra ID application must be granted the following permissions:

| Permission type          | Least privileged permissions                                  |
| ------------------------ | ------------------------------------------------------------- |
| Application or Delegated | <p>User.Read.All</p><p>Directory.Read.All</p><p>Mail.Send</p> |

{% hint style="info" %}
This workflow has been tested using the Application permission type. Permission requirements vary between environments. Assign permissions according to your environment and make sure you understand the risks involved.
{% endhint %}

Refer to the [Graph REST API](https://learn.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0) documentation from Microsoft for more information.

### Step 2 - Configure global parameters <a href="#step-3-configure-global-parameters" id="step-3-configure-global-parameters"></a>

There are two global parameters in this workflow:

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-f3dd17d1426c8ac20436f65f2cb16819b049693e%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

#### **2.1 - Password expiration policy in days (password\_expiration\_policy\_in\_days)**

This parameter contains the password expiration policy in days, that is, the number of days within which a password must be changed before it expires. Below is the default value of this parameter:

| Name                               | Default value | Description                                                                                                                                                        |
| ---------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Password expiration policy in days | 60            | <p>The number of days until user passwords expire, as defined by your organization.<br>This value can usually be found in your organization's password policy.</p> |

#### **2.2 - Reminder threshold (reminder\_threshold)**

This parameter contains the number of days before the password expires that the user should be notified of the upcoming password expiration. Below is the default value of this parameter:

| Name               | Default value | Description                                                                                                                                                                                                                                                                                                   |
| ------------------ | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Reminder threshold | 30            | <p>The number of days before user passwords expire when users must be notified to change their passwords.<br>If the number of days before the user's password expiration is less than the number defined in this parameter, the user will receive a Teams message with a reminder to change the password.</p> |

### Step 3 - Configure remote actions <a href="#step-4-configure-remote-action-s" id="step-4-configure-remote-action-s"></a>

This workflow uses the following remote actions. Make sure to install the latest versions and complete the setup as described below.

| Name                                       | Trigger                                                                     | Parameters to edit                                                                                                                                                                                                                                                    |
| ------------------------------------------ | --------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Invoke proactive password reset            | API trigger should be enabled so that it can be triggered from the Workflow | <p>The following RA input parameters will be overridden by workflow parameters and must have the 'Allow user to enter custom values' option enabled:</p><ul><li>DaysUntilExpiration</li><li>PasswordExpirationPolicyInDays</li></ul>                                  |
| Get password expiry for Entra ID endpoints | API trigger should be enabled so that it can be triggered from the Workflow | <p>The following RA input parameters will be overridden by workflow parameters and must have the 'Allow user to enter custom values' option enabled:</p><ul><li>pw\_reset\_threshold</li><li>last\_password\_change\_date\_time</li><li>reminder\_threshold</li></ul> |

#### **Invoke proactive password reset - Input parameters**

| Name                           | Default value                                                                                                                        | Description                                                                                                       |
| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- |
| CampaignId                     | password\_expiry\_warning                                                                                                            | ID of the campaign to notify the user that the password is about to expire and to provide the URL to reset it     |
| DaysUntilExpiration            | This input parameter will be overridden by workflow parameters and must have the 'Allow user to enter custom values' option enabled. | Number of days left for the password to expire. If expiration date is inside this time frame, the campaign is run |
| MaximumDelayInSeconds          | 60                                                                                                                                   | Maximum random delay set to avoid domain controller overload. Provide number of seconds less than 600             |
| PasswordExpirationPolicyInDays | This input parameter will be overridden by workflow parameters and must have the 'Allow user to enter custom values' option enabled. | Number of days for the password to expire since it is set.                                                        |

#### **Get password expiry for Entra ID endpoints - Input parameters**

| Name                               | Default value                                                                                                                        | Description                                                                                                                                                                                                                   |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| pw\_reset\_threshold               | This input parameter will be overridden by workflow parameters and must have the 'Allow user to enter custom values' option enabled. | This value should match the password reset policy value in days which is set in Entra ID. It must be provided to perform the calculation                                                                                      |
| last\_password\_change\_date\_time | This input parameter will be overridden by workflow parameters and must have the 'Allow user to enter custom values' option enabled. | The date and time that the password was last reset which is provided using the API widget contained in the Nexthink Flow                                                                                                      |
| reminder\_threshold                | This input parameter will be overridden by workflow parameters and must have the 'Allow user to enter custom values' option enabled. | This input value is the expiry countdown (number of days) at which you would like the user to begin being prompted to perform a password reset. When the threshold is active the user will be reminded on each Flow execution |
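
The following added example (not the code of the Nexthink remote action) shows how the three inputs above combine into a reminder decision, and how to sanity-check a threshold pair before entering it as global parameters. It assumes the last password change arrives as an ISO 8601 timestamp and that the countdown is measured in whole days; the function names and sample users are hypothetical.

```python
from datetime import datetime, timedelta, timezone


def parse_utc(ts):
    """Parse an ISO 8601 timestamp such as '2024-05-01T08:30:00Z' (assumed format)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat naive values as UTC, never as local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def check_parameters(pw_reset_threshold, reminder_threshold):
    """Reject settings that would remind no one or remind everyone on every run."""
    if pw_reset_threshold <= 0:
        raise ValueError("pw_reset_threshold must be a positive number of days")
    if not 0 < reminder_threshold < pw_reset_threshold:
        raise ValueError("reminder_threshold must be above 0 and below pw_reset_threshold")


def password_status(last_password_change_date_time, pw_reset_threshold,
                    reminder_threshold, now):
    """Return (state, days_left); state is 'ok', 'remind' or 'expired'."""
    check_parameters(pw_reset_threshold, reminder_threshold)
    changed = parse_utc(last_password_change_date_time)
    if changed > now:
        raise ValueError("last password change lies in the future")
    expires = changed + timedelta(days=pw_reset_threshold)
    days_left = (expires - now).days  # whole days, negative once expired
    if days_left < 0:
        return "expired", days_left
    if days_left < reminder_threshold:  # strictly "less than", as in step 2.2
        return "remind", days_left
    return "ok", days_left


# Constructed sample data; 60 and 30 are the defaults from step 2.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLES = {
    "alice": "2024-05-20T00:00:00Z",
    "bob": "2024-05-02T00:00:00Z",
    "carol": "2024-05-01T00:00:00Z",
    "dave": "2024-03-01T00:00:00Z",
}

if __name__ == "__main__":
    for user, changed in SAMPLES.items():
        print(user, password_status(changed, 60, 30, NOW))
```

With the default values, a user enters the reminder window halfway through the password lifetime and, per the `reminder_threshold` description, is reminded on each Flow execution until the password is changed.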

### Step 4 - Configure campaigns <a href="#step-5-configure-campaigns" id="step-5-configure-campaigns"></a>

There are four campaigns in this workflow:

| Campaign name                             | Campaign NQL ID                             | Description                                                                                                                                                                                                                              |
| ----------------------------------------- | ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Password expiry warning                   | password\_expiry\_warning                   | <p>Warns the user that their password is about to expire and shows a link where they can change the password.</p><p><em>This is a remote action campaign initiated by the 'Invoke proactive password reset' remote action.</em></p>      |
| Password expiry warning - workflow invoke | password\_expiry\_warning\_workflow\_invoke | Warns the user that their password is about to expire and shows a link where they can change the password.                                                                                                                               |

These campaigns should be modified before being used to match corporate communication guidelines. Navigate to the [manage campaigns](https://docs.nexthink.com/platform/user-guide/campaigns/managing-campaigns) administration page to review and edit your campaigns.

For each installed campaign, make sure to:

* Customize the sender name and image.
* Review and adjust questions.
* Publish the campaign when you are ready to use it.

***

RELATED TOPICS

* [Workflow: Proactive password reset](https://docs.nexthink.com/platform/library-packs/l1-support/workflow-proactive-password-reset)
* [Usage guide: Proactive password reset](https://docs.nexthink.com/platform/library-packs/l1-support/workflow-proactive-password-reset/usage-guide-proactive-password-reset)
* [Manage Workflows](https://docs.nexthink.com/platform/user-guide/workflows/managing-workflows)
* [Manage Remote Actions](https://docs.nexthink.com/platform/user-guide/remote-actions/managing-remote-actions)
