Set Up Self Service Password Reset in Office 365 (Cloud Identities)

Microsoft’s Enterprise Mobility + Security (EMS) is a combination of products under Microsoft’s portfolio. At first glance, it essentially relates to the modern workspace. When we talk about the modern workspace today, the first things that come to mind are how secure we are and whether this workspace is really comfortable for our users. Considering all this, Microsoft has bundled the five components below into Microsoft EMS+S.

  • Azure Active Directory Premium
  • Microsoft Intune
  • Azure Rights Management
  • Microsoft Advanced Threat Analytics (ATA)
  • Cloud App Security (CAS)

All in all, you can think of Microsoft EMS+S as a device-management and virtual-identity-management suite. However, in a cloud-based world where employees want to work from all of their devices, Microsoft EMS+S allows your IT team to gain the maximum security and control.

Azure Active Directory Premium edition is a paid offering of Azure Active Directory and it includes the following features:

  • Self-service password reset
  • Company branding
  • Group-based application access
  • Self-service group management
  • Advanced security reports and alerts
  • Multi-Factor Authentication
  • Forefront Identity Manager (FIM)

As part one of the EMS+S series, today I am going to enable one feature that falls under Azure Active Directory Premium (AAD): password reset.

So let's see how we enable password reset for your users.


Set up SSPR

1. Sign in to the Azure Portal.
2. Choose More Services -> Azure Active Directory.
3. Select Password reset.
4. From Properties, select All for Self service password reset enabled.
5. [OPTIONAL] Selecting Selected for Self service password reset enabled lets you control the set of users who can reset their passwords; users' group membership controls this restriction. (If you chose to restrict access to password reset, move to step 6. Otherwise, skip to step 7.)
6. [OPTIONAL] From Select groups, pick the security or distribution groups that contain the users who will have access to SSPR.
7. Next, from Authentication Methods, select the alternate identity verification methods available to users.
8. Number of methods required to reset configures the minimum number of alternative identity verification methods a user must have in order to reset the password.
9. Next, in Registration, select Yes or No for Require users to register when signing in? (Selecting Yes forces users to register alternative identity verification methods when they sign in. Otherwise the administrator will have to set identity verification options for users manually or direct users to set this information themselves. If you choose Yes, move to step 10; otherwise skip to step 11.)
10. Enter a value for Number of days before users are asked to re-confirm their authentication information. (This value controls the number of days before the service prompts users to verify/update their alternative identity verification information. You can specify a number between 1-730. Setting 0 here will not ask users to verify/update their alternate identity verification methods.)
11. From Notification, you can enable notifications to be sent to users when they reset their own passwords through SSPR.
12. Selecting Yes for Customize helpdesk link allows you to set a custom email address or URL for the Contact your administrator link in the password reset wizard.
13. Enter the desired URL or email address for the help desk if you selected Yes for the option above.

Users Registering for SSPR

14. If you enabled registration at sign-in, users will be asked to set up the alternate identity verification methods. (This is the same screen users see when they access the self service password reset registration URL manually.)
15. To set up the authentication phone, click Set it up now. Select the country, enter the phone number and select either text me or call me.
16. If you choose to have Microsoft call you, you will need to answer the call and press the # key to verify the number. If you choose to receive a text message, as seen below, you will have to enter the verification code that it sends.
17. To set up the authentication email address, click Set it up now. Enter the email address and click email me. Once you receive the email with the verification code, enter it and verify.
18. Once you have set up the minimum number of authentication methods required by the administrator, or more, you can click Finish.
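As an added example (not part of the original post), the script below checks, after SSPR has been switched on as above, which users have actually registered enough methods to use it. It uses the Microsoft Graph PowerShell SDK rather than the Azure AD module of the time; the required-methods count of 2 is an assumed value mirroring step 8, and the two permissions named are the delegated ones documented for the userRegistrationDetails report.

```powershell
# Added example, not the original post's code: SSPR readiness report via Microsoft Graph.
# Assumes the Microsoft.Graph.Reports module is installed. $RequiredMethods mirrors the
# "Number of methods required to reset" setting from step 8 (assumed value: 2).
param(
    [int]$RequiredMethods = 2,
    [string]$OutFile = ".\sspr-readiness.csv"
)

# Delegated permissions documented for reading authentication method registration details.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = foreach ($u in $details) {
    # Drop nulls so an unregistered user counts as 0 methods, not 1.
    $methods = @($u.MethodsRegistered | Where-Object { $_ })
    $status = if (-not $u.IsSsprEnabled) { 'NotInScope' }            # outside the step 4/6 selection
              elseif ($methods.Count -eq 0) { 'NotRegistered' }      # will be stuck at reset time
              elseif ($methods.Count -lt $RequiredMethods) { 'BelowMinimum' }
              elseif (-not $u.IsSsprCapable) { 'RegisteredButNotCapable' }
              else { 'Ready' }

    [pscustomobject]@{
        User           = $u.UserPrincipalName
        SsprEnabled    = $u.IsSsprEnabled
        SsprRegistered = $u.IsSsprRegistered
        SsprCapable    = $u.IsSsprCapable
        MethodCount    = $methods.Count
        Methods        = ($methods -join ';')
        Status         = $status
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation

# Summary per bucket: 'NotRegistered' and 'BelowMinimum' are the users who will
# still end up calling the helpdesk after SSPR is enabled.
$report | Group-Object Status | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run it again after the step 10 re-confirmation window has passed to see whether the registered-method counts drift.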



Azure Information Protection client files and usage logging details for inquiries!!


When we talk about data classification and data protection, one of the major concerns customers raise is whether there is an audit trail to identify who changed the classification of a document. The reason is that, in case of an audit requirement, they may need to check who made the changes to the documents. So far, however, the log files are stored on the individual machines and not in a central database or in the cloud, so we have to collect the details from the individual machines. There are a few log sources you need to go through, and all of them can be seen in Event Viewer.


There are a few logs you will need for administration or auditing.

The events include the following information:

  • Date, client version, policy ID
  • Signed-in user name, computer name
  • File name and location
  • Action:
    o Set Label: Information ID 101
    o Set Label (lower): Information ID 102
    o Set Label (higher): Information ID 103
    o Remove label: Information ID 104
    o Recommended tip: Information ID 105
    o Apply custom protection: Information ID 201
    o Remove custom protection: Information ID 202
    o Sign in (operational): Information ID 902
    o Download policy (operational): Information ID 901

Further, the Azure Information Protection client files are located in three locations, as below:

  • For 64-bit operating systems: \Program Files (x86)\Microsoft Azure Information Protection
  • For 32-bit operating systems: \Program Files\Microsoft Azure Information Protection

Client log files and the currently installed policy file:

  • For 64-bit and 32-bit operating systems: %localappdata%\Microsoft\MSIP
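As an added example (not from the original post), this PowerShell script pulls the events listed above from the local Event Viewer, maps each event ID to the action in the table and writes them to a per-machine CSV that can be collected until central logging is in place. It assumes the AIP client log is the one named Azure Information Protection under Applications and Services Logs and that the script runs on the client machine.

```powershell
# Added example, not the original post's code: export AIP client events to CSV.
# Assumes the client's event log is "Azure Information Protection" (Applications and
# Services Logs) and that this runs locally on the machine being audited.
param(
    [int]$Days = 30,
    [string]$OutFile = ".\aip-events-$env:COMPUTERNAME.csv"
)

# Event ID -> action, exactly as documented for the AIP client above.
$actions = @{
    101 = 'Set Label'
    102 = 'Set Label (lower)'
    103 = 'Set Label (higher)'
    104 = 'Remove label'
    105 = 'Recommended tip'
    201 = 'Apply custom protection'
    202 = 'Remove custom protection'
    901 = 'Download policy (operational)'
    902 = 'Sign in (operational)'
}

$filter = @{
    LogName   = 'Azure Information Protection'
    Id        = [int[]]$actions.Keys
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Computer = $e.MachineName
        User     = $e.UserId                          # SID of the signed-in user
        EventId  = $e.Id
        Action   = $actions[$e.Id]
        Message  = ($e.Message -replace '\s+', ' ')   # file name, label etc. on one line
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation

# Quick view of label and protection changes only (IDs below 900);
# the operational sign-in/policy events stay in the CSV.
$rows | Where-Object { $_.EventId -lt 900 } | Sort-Object Time -Descending |
    Select-Object Time, User, Action, Message | Format-Table -AutoSize -Wrap
```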

In my next blog I will show you how you can collect all these logs into one location and do the auditing there rather than searching through individual machines. For the moment the configuration is still in progress; I am trying to use OMS and a Syslog server for this process. Let’s hope for the best and wait for the outcome.

Download Microsoft Azure Information Protection Tool (AIP) for your Devices


Good Day!

If you need to download the AIP tool for your device type, whether as a viewer or an owner, look at the URLs below and download it for yourself.

If you are a Windows desktop user, click the link below to get the latest application.

For Mac, iOS and Android users, refer to the link below.


Note- Mobile device users (Android, Windows Mobile and iOS) can also go to their platform's app portal (Apple Store, Play Store or Windows Store), search for the Microsoft Information Protection app and install it to read protected documents.

Configure Android for Work Binding for Microsoft Intune


Step 3- Log in to Google using your Google account.
On Google’s sign-in page, enter the Google account that will be associated with all Android for Work management tasks for this tenant.


Step 4- Finally, click Confirm to complete the binding of Android for Work with the Microsoft Intune portal.


Step 5- Click Complete Registration.


Step 6- After the registration completes, you can see the integration status of Android for Work + Microsoft Intune. Once the sync is complete, you will be able to see the work applications you have purchased under the Volume Purchased App location. Check Figure 7.


Step 7- The Volume Purchased App location is shown below. All the apps you have purchased are visible in this location.


Note- You can use the same method for iOS devices as well; the Apple Volume Purchase Program (Apple VPP) can be integrated too.

How to Manage Rooted Devices Using Intune Mobile Application Management Policies


In this blog I am going to show you how to identify the rooted devices your users are using in your environment. This falls under the Microsoft Intune Mobile Application Management feature: here we protect LOB apps using MAM policies WITHOUT enrolling the devices with Intune. So how do we do this?

It is very straightforward.

Step 1- Create an application policy based on my previous blog article, mentioned HERE.

Step 2- On the Policy Configuration tab, configure the option below if you need to identify rooted devices. In this scenario, I am going to use an Android device which I have rooted using CyanogenMod :).

Note- If you don’t want users to access from rooted devices, you can simply block them without letting them open any of the LOB documents.


Step 3- Once you have configured the policies as above, you will get a notification on the dashboard under the Flagged Users area, as shown in the screen below.


Step 4- Further, when you click the Flagged Users tab, you can find the user and device details as follows.


Step 5- If you block rooted devices for users, you will get a notification like this on the device.


Hope the steps above give you some idea of how to manage rooted devices.


Protect line-of-business apps and data on devices that are not enrolled in Microsoft Intune

Note- Before you add the line-of-business apps to the MAM portal, make sure to WRAP them using the Android App Wrapper Tool.

Step 1- Go to the portal and search for Intune Mobile Application Management.


Step 2- Go to App Policy and create a new policy using the Add a Policy option.


Step 3- Type a name for the policy and select the mobile platform. In my case I have selected Android as the platform.


Step 4- After that is finished, add the application you want to manage. By default, a few applications are available, and if you have an in-house developed application you can add it as well. In this case I am going to add a custom application.


Step 5- Click More Apps and type the Package ID, which you can get from the developer. The Package ID is the identifier for your LOB app. Once you add the wrapped app under More Apps, you will see it listed in your application list.

Step 6- Once that is completed, you next have to configure the policies for your application. Here you can configure all the policies you want to bind to your app. Click Create once you have completed these configurations.


Step 7- Once the policy creation is done, you must assign users to the policy. The user who is signed in to this app will get all the policies you have defined in the policy settings.


Step 8- Click Assignments to add user groups. In my case I have a separate user group for Android users only. Click Select to add the user groups.


Step 9- Once the above is done, install the LOB app on your device, try to access it, and see how it behaves and whether the policies you have defined are working.

In addition, on the main page you will get all the notifications for these, and if a user is using a rooted device you will get the notification under the Flagged Users view.


How to Add a Friendly Name to Configuration Manager Application Catalog Web Portal

If you need to hide your server name in the Configuration Manager Application Catalog, or if the default name is too long to remember, you can simply follow the steps below to add a friendly name to it.

Step 1- First you must create a CNAME record as in the following screen. You can use any alias name you prefer for this.


Step 2- Once the CNAME creation is completed, make sure to restart the DNS service.


Step 3- Once the DNS restart is completed, open IIS on the Configuration Manager server and go to Bindings under Default Web Site.


Step 4- Add a new binding and, under Host Name, type the same FQDN (friendly name) that you used in your CNAME record.


Step 5- Once the binding settings are done, restart the IIS service and open the Configuration Manager console. Remove the existing Application Catalog website, change the web application name the way you want, and also change the NetBIOS name that is going to be used for the Application Catalog URL.


Step 6- After that, go to Configuration Manager agent settings and, under Computer Agent / Set Website, select the NetBIOS name and save the client settings. Once that is completed, manually push the computer policies to the device collections.


Step 7- After a while, verify that the URL works with the new name.
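The DNS and IIS parts of the steps above, plus the step 7 check, as an added PowerShell example that is not from the original post. It assumes the DnsServer and WebAdministration modules, an invented zone corp.example with DNS server dc01, site server cm01 and alias appcatalog, and the default CMApplicationCatalog path (the post renames the web application, so use your own name there).

```powershell
# Added example, not the original post's code. All names below are assumed/invented.
$Zone      = 'corp.example'
$Alias     = 'appcatalog'                 # CNAME record name chosen in step 1
$Target    = 'cm01.corp.example'          # Configuration Manager server hosting the catalog
$DnsServer = 'dc01.corp.example'
$Fqdn      = "$Alias.$Zone"
$CatalogPath = 'CMApplicationCatalog'     # default name; assumed, change to the name set in step 5

# Steps 1-2: create the alias on the DNS server and restart the DNS service there.
Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $Zone `
    -Name $Alias -HostNameAlias $Target
Invoke-Command -ComputerName $DnsServer -ScriptBlock { Restart-Service -Name DNS }

# Steps 3-5: on the Configuration Manager server, bind the friendly host name on
# Default Web Site (port 80 shown). If the catalog is served over HTTPS, add an
# https binding too, with a certificate whose subject/SAN includes $Fqdn, or
# clients will get certificate-name errors on the new name.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol http -Port 80 -HostHeader $Fqdn)) {
    New-WebBinding -Name 'Default Web Site' -Protocol http -Port 80 -HostHeader $Fqdn
}
iisreset /restart | Out-Null

# Step 7: verify the alias resolves to the site server and the catalog answers on it.
$cname = Resolve-DnsName -Name $Fqdn -Server $DnsServer -Type CNAME -ErrorAction Stop
if ($cname.NameHost -ne $Target) {
    throw "CNAME $Fqdn points to $($cname.NameHost); expected $Target"
}

$url  = "http://$Fqdn/$CatalogPath"
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials
"{0} -> HTTP {1}" -f $url, $resp.StatusCode
```

Run the DNS section on a machine with the DNS RSAT tools and the IIS section on the site server itself; the verification at the end can run from any domain-joined client.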