Enable Azure AD self-service password reset

Sign in to the Azure portal using a Global Administrator account.

Click Azure Active Directory -> Password reset

Start with a pilot group by enabling self-service password for a subset of users in your organization.

  • From the Properties page, under the option Self Service Password Reset Enabled, choose Selected and pick a pilot group
    • Only members of the specific Azure AD group that you choose can use the SSPR functionality
    • Nesting of security groups is supported here.
    • Ensure the users in the group you picked have been appropriately licensed
  • Click Save

On the Authentication methods page

  • Set the Number of methods required to reset to 2
  • Choose which Methods available to users your organization wants to allow
  • Click Save

On the Registration page

  • Select Yes for Require users to register when signing in
  • Set Number of days before users are asked to reconfirm their authentication information to 180
  • Click Save

On the Notifications page

  • Set Notify users on password resets option to Yes.
  • Set Notify all admins when other admins reset their password to Yes

On the Customization page

  • Set Customize helpdesk link to Yes and provide either an email address or web page URL where your users can get additional help from your organization in the Custom helpdesk email or URL field

Self-service password reset is now configured for cloud users in your pilot group.

Windows Autopilot is coming in Windows 10 version 1709

With Windows Autopilot you can deploy Windows 10 devices with a zero touch experience as configuration profiles can be applied at the hardware vendor, meaning that you can ship the devices directly to your employees! You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business.

Another cool feature that is coming is Autopilot Reset.
Now your admins can use the Autopilot Reset feature to quickly remove personal files, apps, and settings, just like the wipe feature for mobile devices in Intune.

Enforce MFA for users

When you create your administrators, including your global administrator account, it is essential that you use very strong authentication methods.

To check who in your organization has administrative privileges you can verify by using the following Microsoft Azure AD PowerShell command

Get-AzureADDirectoryRole | Where { $_.DisplayName -eq “Company Administrator” } | Get-AzureADDirectoryRoleMember | Ft DisplayName

As long as your users have licenses that include Azure Multi-Factor Authentication, there’s nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis.

The licenses that enable Azure MFA are

  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security

How to enable MFA

Sign in to the Azure portal as an Global Admin

Go to Azure Active Directory -> Users and groups -> All users

Select Multi-Factor Authentication

Find the user you want to enable for Azure MFA.

Check the box next to their name.

On the right, under quick steps, choose Enable or Disable