I would like to start this off the same way that many posts on this topic do by defining the difference between password change and password reset. Looking at the two terms they seem like the same thing, but in the wonderful nerdy world that we call our home they are two very different things.
Password Change, the topic of this post, is the ability for an Active Directory user to change their password when they know what their password currently is. Password Reset is when an Active Directory user does not know their password and must provide alternate recovery methods, for example a phone number or security questions. While Password Reset functionality is cool and completely possible with ADFS (psst Password Writeback), that will have to wait for another post. Today we are focused on Password Change with ADFS, introduced in 3.0 to my knowledge, which is most commonly used for resetting expired passwords/newly setup accounts. Without further ado, let’s dig into it.
1. Start by logging into your ADFS server and opening AD FS Management.
2. Expand out Service, select Endpoints, and scroll down to the Other section where you will find /adfs/portal/updatepassword/.
3. Right click on it and choose Enable. Restart the ADFS service and Password Change is now available on the corporate network!
4. Chances are that you want to enable this for users on external networks (where it’s most useful). Do this by right clicking the /adfs/portal/updatepassword/ endpoint again and selecting Enable on Proxy. Restart the ADFS service again and Password Change will be fully enabled!