Challenge
Our helpdesk was overwhelmed with password reset tickets. While a ManageEngine solution existed, it only worked well for on-prem users. Remote users had to restart or reset passwords twice. We needed a seamless, secure, and modern solution that worked from anywhere.
Tools & Technologies
- Microsoft Entra ID (SSPR)
- Microsoft Entra Connect (Password Writeback)
- ManageEngine Password Sync Agent
- Group Policy Objects (GPO)
Implementation
- Configured SSPR in Microsoft Entra ID:
  - Authentication methods
  - Registration and notifications
  - Targeted Entra security groups
- Enabled password writeback in Microsoft Entra Connect to sync cloud password changes to on-prem AD.
- Configured ManageEngine agents on domain controllers to sync AD password changes to third-party apps (IBM, XA, etc.) within 5 minutes.
- Communicated changes to users and deployed reset links via GPO to desktops and browser favorites.
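Two checks a practitioner would want once this is in place, as an added example (not part of the original write-up): confirming on the Entra Connect server that password writeback is actually enabled, and reviewing on a domain controller the on-prem reset events that writeback produces. The connector name, the `MSOL_*` account pattern and the `Enabled` property name are assumptions to adjust for your own installation.

```powershell
# Added example, not from the original write-up. Part 1 runs on the Entra Connect server,
# part 2 on a domain controller. $ConnectorName and $SyncAccount are placeholders.

Import-Module ADSync

# Part 1: confirm password writeback is enabled on the Entra ID connector.
# Connector names follow the "<tenant>.onmicrosoft.com - AAD" convention (placeholder below).
$ConnectorName = 'contoso.onmicrosoft.com - AAD'
$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $ConnectorName
if (-not $writeback.Enabled) {   # property name assumed from the cmdlet's output
    Write-Warning "Password writeback is disabled; cloud resets will not reach on-prem AD."
    # Enabling it matches the 'Password writeback' checkbox in the Entra Connect wizard:
    # Set-ADSyncAADPasswordResetConfiguration -Connector $ConnectorName -Enable $true
}

# Part 2: on a DC, list password resets performed by the sync service account.
# Writeback resets appear in the Security log as event 4724 (account password reset)
# with the AD DS connector account (MSOL_* by default) as the subject; event 4723 is a
# user-initiated password change and is not produced by writeback.
$SyncAccount = 'MSOL_*'   # assumption: default-named AD DS connector account
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            ByUser = $d['SubjectUserName']   # the connector account for SSPR-driven resets
            Target = $d['TargetUserName']    # account whose password was reset
            Domain = $d['TargetDomainName']
        }
    } |
    Where-Object { $_.ByUser -like $SyncAccount } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Resets by the connector account outside the volume or hours you expect from SSPR are worth correlating with the Entra ID audit log, since that account is the only path from cloud resets into AD.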
SSPR Flow Diagram
Impact
- Decommissioned legacy ManageEngine password reset portal, saving around $8000 in recurring licensing costs
- Enabled secure password resets from anywhere using MFA
- Reduced helpdesk tickets significantly, saving staff hours
- Unified password reset process across AD, IBM, XA, and other third-party systems