Usage guide: Proactive password reset
This page outlines various ways to use the pack, including use case examples. Administrators can refer to the Configuration guide to set up and customize the installed content.
The Workflow: Proactive password reset library pack enables EUC teams to:
Reduce the risk of unauthorized access to company systems and sensitive information through prompt password changes.
Proactively remind employees about password expiration and provide support across multiple communication channels, which enhances the overall employee experience and alleviates frustration.
Library pack uses
Jump to Use cases on this page to see relevant scenario applications.
Use the library pack content for the following purposes.
Visibility
This library pack focuses on the 'Proactive password reset' workflow. This workflow is designed to help automate the sending of password expiration reminders to employees through multi-level checks and reminders via campaigns and emails. With support for both on-premises Active Directory domains and Entra ID environments, the workflow provides a universal way to help reduce the disruption caused by expiring passwords and the IT support workload associated with this issue.
Workflow triggering
This workflow is designed to run on all Windows devices, including devices connected to an on-premises Active Directory or Entra ID.
Schedule trigger recommendation
We recommend creating a workflow schedule that runs once every 3 days, because the workflow contains a two-day delay that gives employees time to change their passwords before the follow-up reminder.
The example below shows what a query looks like when selecting Windows devices.
NQL:
Predefined workflow structure and steps
The Proactive password reset - Microsoft Teams workflow is structured in these main steps:
Depending on whether the account is linked to AD or Entra ID, the workflow checks the number of days before the password expires and whether or not the reminder threshold has been reached.
The following workflow parameters need to be defined:
Password expiration policy in days, which defines the number of days after the last password change before the password expires. This number should be taken from the organization's password management policy.
Reminder threshold, which defines the number of days before the password expires that employees must be notified of the password expiration and asked to change their password.
When the defined "reminder threshold" is reached, the workflow notifies employees of their password expiration via a campaign.
48 hours after notifying users via the campaign, the workflow revisits the employee's password expiration date and, if the password has not been changed, reminds them to change it on behalf of their manager.
Workflow confirms that the employee's account is part of Microsoft Active Directory (AD) or Microsoft Entra ID
The first block of conditions, one on top of the other, is necessary to ensure coverage of both on-premises and hybrid environments (on-premises AD and Entra ID hybrid). It determines whether the device is joined to the local Active Directory or is a member of Entra ID. These conditions evaluate the Membership Type property and the presence of a device distinguished name. The device is considered a local AD member if the membership type is domain and the distinguished name is present. Otherwise, it is considered an Entra ID member.
Workflow checks the number of days before password expiry and whether the reminder threshold is reached
Depending on whether the account is linked to AD or Entra ID, the workflow uses the appropriate method to identify the date of the last password change to determine the number of days before the password expires and whether or not the reminder threshold has been reached.
On-premises AD: Use a remote action to get the last password change date, then evaluate the result against a defined expiration policy and reminder threshold. If the number of days until a password expires reaches the threshold, notify the employee using a Teams message. If the employee has the Password never expires flag set, the workflow exits with the appropriate exit code.
Entra ID: This is the same as above, except it uses a Graph API call (LastPasswordChangeDateTime) to get the last password change date. If the number of days until the password expires reaches the threshold, notify the employee using a Teams message.
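The two decisions described above, the threshold check on the first pass and the 48-hour follow-up, as an added illustration that is not part of the library pack's own content. The policy values (90-day expiration, 14-day threshold) and all timestamps are constructed; the last-change value is assumed to arrive as an ISO 8601 string such as the Graph lastPasswordChangeDateTime property or a remote action's output.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy values; the page says to take these from the
# organization's password management policy.
EXPIRATION_POLICY_DAYS = 90
REMINDER_THRESHOLD_DAYS = 14
FOLLOW_UP_DELAY = timedelta(hours=48)


def _parse(iso_ts):
    """Parse an ISO 8601 timestamp (trailing 'Z' allowed) into an aware datetime."""
    ts = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def days_until_expiry(last_change_iso, now_iso, policy_days=EXPIRATION_POLICY_DAYS):
    """Whole days left before the password expires (negative if already expired)."""
    expires_at = _parse(last_change_iso) + timedelta(days=policy_days)
    return (expires_at - _parse(now_iso)).days


def first_check(last_change_iso, now_iso, never_expires=False,
                threshold=REMINDER_THRESHOLD_DAYS):
    """First workflow pass: exit for 'Password never expires' accounts,
    send the campaign reminder once the threshold is reached, else do nothing."""
    if never_expires:
        return "exit_never_expires"
    if days_until_expiry(last_change_iso, now_iso) <= threshold:
        return "campaign_reminder"
    return "no_action"


def follow_up_check(last_change_iso, campaign_sent_iso, now_iso):
    """Second pass, 48 h after the campaign: escalate to the manager e-mail only
    if the last password change is still older than the campaign notification."""
    campaign_sent = _parse(campaign_sent_iso)
    if _parse(now_iso) - campaign_sent < FOLLOW_UP_DELAY:
        return "wait"
    if _parse(last_change_iso) >= campaign_sent:
        return "password_changed"
    return "manager_email_reminder"
```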
Workflow reminds employees to change their password with a campaign
If the calculated number of days before the employee's password expires reaches the defined "reminder threshold", the employee will receive a campaign reminding them to change their password.
Workflow reminds employees to change their password on behalf of their manager
Otherwise, the workflow determines the employee's manager from Entra ID and then sends an email to the employee on behalf of their manager with a reminder to change the password. Below is an example of such an email reminder: