Paul Andrew is technical product manager for Identity Management on the Office 365 team.
Today we are adding two Identity and Access Management features to the Office 365 subscription that were previously available only with an additional Azure Active Directory (AD) Basic, Azure Active Directory (AD) Premium, or Enterprise Mobility Suite subscription. The new features are company branding for the Sign in page and Access Panel, and cloud user self-service password reset. These two new features are beginning to roll out for Office 365 customers starting today.
Sign in page and Access Panel company branding
The first feature is company branding for the Sign in page and the Azure AD Access Panel, where users select a software as a service (SaaS) application to sign in to. Now, Office 365 customers can customize the Sign in page and Access Panel with the text, color and images of their choosing. This is in addition to the Office 365 tenant branding that can be used to apply custom text, color and images for the Office 365 service as shown after the user is signed in.
Once you have configured custom sign in branding, your users will see the branded Sign in page after they have entered their User Principal Name (UPN), which includes your domain name. You can show an initial branded page by using the WHR parameter on the Sign in page URL. Simply replace “woodgrove.com” with your domain name in the URL below and the initial page will include your customizations.
More information about company branding for Sign in and Access Panel pages is available here.
More information about custom themes for Office 365 is available here.
Cloud user self-service password reset
The second feature is the self-service password reset, which allows a user to reset their password should they forget it, using pre-arranged alternate personal information. First, the admin for the tenant must enable the tenant for user password reset. Next, each user must configure alternate personal information in the Office 365 portal. To do this, follow these steps:
- Click the Cog icon in the top right of the Office 365 portal window and select Office 365 Settings.
- Click the Password tab to see what details are used for password reset requests.
- Click Update them now to be taken to the Me tab.
Once the user configures their alternate personal information, they can reset their password if they forget it by clicking the Can’t access your account? link on the Office 365 Sign in page at http://portal.office.com.
The Office 365 tenant administrator will still need to reset the user's password for them if the alternate personal information is not configured. The user cannot call Microsoft support to get their password reset. Self-service password reset functionality is available for Office 365 users who are cloud-based only and do not require write back of the updated password to an on-premises server. It is also available for all Office 365 administrative accounts. Self-service password reset for an on-premises managed user requires password write back to the on-premises Active Directory. For this, an Azure AD Premium or Enterprise Mobility Suite subscription would be required.
| Subscription | User type | Password reset | Change password |
|---|---|---|---|
| Office 365 | Cloud user | Self-service password reset | Password changed once signed in |
| Office 365 | Synchronized on-premises user | User must contact the tenant administrator | Password changed once signed in |
| Azure AD Premium or Enterprise Mobility Suite | Cloud user or synchronized on-premises user | Self-service password reset | Password changed once signed in |
| Office 365 and Azure AD Premium or Enterprise Mobility Suite | Cloud user or synchronized on-premises user | Self-service password reset | Password changed once signed in |
| None | Cloud user or synchronized on-premises user | Contact administrator | Password changed once signed in |
In addition to phone and email as options for users to confirm their identity when resetting their password, we now also have security questions in public preview.
More details about self-service password reset are here.
Azure AD features included in Office 365 and available separately
In this Office Mechanics show, Nasos Kladakis and Jeremy Chapman describe the new unified sign in capabilities with third-party Cloud applications included as part of Office 365, demonstrate custom Sign in pages and cover what is in Azure AD Premium.
A table of Azure AD features that are available in separate editions of Azure AD is published here. The following table matches the table on the MSDN page and shows the Azure AD features included with Office 365 subscriptions.
| | | |
|---|---|---|
| Common features | Directory as a service | No object limit |
| | User and group management using UI or Windows PowerShell cmdlets | |
| | Access Panel portal for SSO-based user access to SaaS and custom applications | Up to 10 apps per user |
| | User-based application access management and provisioning | |
| | Self-service password change for cloud users | |
| | Directory synchronization tool–For syncing between on-premises Active Directory and Azure AD | |
| | Standard security reports | 3 standard reports |
| Premium and Basic features | High availability SLA uptime (99.9%) | |
| | Group-based application access management and provisioning | |
| | Customization of company logo and colors to the Sign in and Access Panel pages | |
| | Self-service password reset for cloud users | |
| Premium-only feature | Self-service group management for cloud users | |
| | Self-service password reset with on-premises write-back | |
| | Microsoft Identity Manager (MIM) server licenses–For syncing between on-premises databases and/or directories and Azure Active Directory | |
| | Advanced anomaly security reports (machine learning-based) | |
| | Advanced application usage reporting | |
| | Multi-Factor Authentication service for cloud users | Limited features |
| | Multi-Factor Authentication server for on-premises users | |
Azure AD has usage reports that are available as part of Azure AD Premium.
This table shows the availability of those reports for Office 365 subscriptions:
| Report | Included in Office 365 subscription |
|---|---|
| Sign ins from unknown sources | |
| Sign ins after multiple failures | |
| Sign ins from multiple geographies | |
| Sign ins from IP addresses with suspicious activity | Requires AD Premium |
| Sign ins from possibly infected devices | Requires AD Premium |
| Irregular sign in activity | Requires AD Premium |
| Users with anomalous sign in activity | Requires AD Premium |
| Password reset activity | Requires AD Premium |
| Password reset registration activity | Requires AD Premium |
| Groups activity | Requires AD Premium |
| Application usage | Requires AD Premium |
For more information about Azure AD reports click here.
Multi-Factor Authentication features for Office 365 subscriptions
For more information about which Multi-Factor Authentication features are included with Office 365 click here.
How to administer Sign-in page branding and Cloud user self-service password reset
To edit the sign-in branding for Office 365 and to manage cloud user self-service password reset you need to use the Azure AD admin portal. Here is a short video showing the Azure AD admin portal that includes configuring sign-in branding for an Office 365 tenant and also where self-service password reset is configured.
Accessing the Azure AD admin portal requires different steps depending on whether you have a trial Office 365 subscription or a paid Office 365 subscription. Here is a short video showing how to access the Azure AD admin portal for a paid Office 365 subscription.
Here is a short video showing how to access the Azure AD admin portal for a trial Office 365 subscription.