External User Password reset for O365.

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I recently completed a cutover mailbox migration from Exchange 2010 to Exchange Online (O365) and was just wondering if their was many of you guys in this forum that had also taken the plunge and if you have come across the following little niggle.

During the planning stage of my cutover migration to Office 365 I decided to use Dirsync, I stumbled across the issue that users that do not touch our domain directly and currently use OWA to reset their password when there out and about will not longer be able to reset their password themselves.

This is obviously because users cannot change there password via the Office 365 Portal because dirsync does not sync back down. When I started searching further into this issue I came across a lot of articles and forum posts on the O365 site where people were stumbling into the same issue and Microsoft's poor resolution for this was for users to log calls with their internal IT and get their password reset, which really isn't feasible when you have a lot of users and a policy set for their password to reset every so often.

Obviously a quick solution to this so your service desk doesn't get bombarded by password reset calls is to purchase some password reset software such as the one by managed engine so users can visit a site and still securely reset their domain password.

I have now completed our Cutover mailbox migration to O365 and Dirsync is working fine. We currently still have an on premise version of SharePoint which we plan to migrate but for the time being external users can reset their password via our on premise SharePoint site.
Anyway yesterday I stumbled across the fact that Microsoft are now looking to release (and I believe its in a beta state at the moment) the feature for domain passwords to sync back down via Dirsync. However when reading the article on this I have come across the fact that you need to upgrade your sync'd Azure AD version to AD Premium.

I was very interested in this as this would mean users can continue as they use to by resetting there password in OWA. Not only this but Microsoft's steps for this are very secure (user gets a text message etc.)

My point is I've contacted my Microsoft reseller I use, to get some pricing on upgrading our Azure AD to premium and the price is ridiculous. Considering that in some ways this is actually a design fault with Office 365 and DirSync I don't think you should then be made to pay more for Azure AD premium to resolve the issue. I worked out that via my Microsoft reseller I was looking at nearly £500 a month to get the premium Azure AD just to be able to use this password reset feature.

Was just wondering if anyone else has come across this, was quite happy when I saw Microsoft were fixing this however this smile was quickly squashed when I saw they were charging you for it. Looks like we will be sticking to purchasing a much cheaper password reset solution for external users such as Managed Engine, which will cost nowhere near as much as this.

How to configure password reset to write passwords back to on-premises AD

I understand charging more for Azure AD Premium because it seems like it has a lot of benefits especially if your hosting other App's in Azure however for an organization that only users Office 365 and not any other Azure features it seems crazy to make them upgrade to AD Premium just to be able to sync back down their passwords.

Would be interested to hear other peoples opinions in this situation.

 

We decided to go with it to give us a DR solution for our corporate e-mail basically. Also for what Office 365 costs, its a really good deal when you consider everything you get, furthermore we only have a small IT Team and it will be one less thing for us to have to worry about supporting, upgrading, managing etc.

There just seems to be a few a bits and bobs they don't seem to have knuckled down yet, and to me there quite annoying issues which for how long its been going i would think they would have these sorted.

Perhaps you could shed some light on another feature, to manage Exchange attributes such as setting an Alias etc do you tell people ADSI edit is the way to go for this, Im yet to pass on the day to day support to service desk and dont really see telling them to make changes in ADSI edit as a comfortable idea. Ive also briefly read up about Microsoft suggesting you keep your on premise Exchange installed and you can manage it through the MMC?