Self-Service Password Reset Changes Scheduled For Oct 25

The Division of Information Technology will be migrating our employee Self-Service Password Reset (SSPR) settings to a newer, unified security mechanism within Microsoft 365. This change will occur at approximately 9:00am on Wednesday, October 25th. Here’s what you need to know.

Why did we make this change?

Microsoft is ending support for our existing Microsoft 365 policy settings that affect SSPR in order to better protect Microsoft 365 users from cyberattacks. If we do not make these changes, Microsoft will automatically enable a registration campaign that will force users to install the Microsoft Authenticator app on a personal device to reset their own password. We received reports of this happening in our student environment earlier this month, and we were able to make the necessary policy changes for students without interrupting or adversely affecting our student Single Sign-On (SSO) environment.

What will change in this migration?

  • Security questions for password self-service are no longer supported and will be removed from all user accounts.
  • Support will be enabled for third-party OATH TOTP token apps (Google Authenticator, LastPass Authenticator, etc.).
  • Support for FIDO2 Security Keys (YubiKeys) will be enabled.

Who does this affect?

Self-Service Password Reset users (employees) will be able to reset their password with the following authentication methods:

  • FIDO2 Security Key
  • Microsoft Authenticator
  • Third-party software OATH tokens
  • SMS/Phone Call

Note: FIDO2 security keys and OATH tokens can’t be added to your accounts through the login screen or the periodic reminder prompts to verify your password recovery options. Instead, you must click on your user icon in the top right corner of Microsoft 365 and choose ‘View Account’ (https://myaccount.microsoft.com/?ref=MeControl), then use the Security Info tile to add them, if desired.