Password Policy Enforcer
You can use ADSelfService Plus' Password
Policy Enforcer feature to ensure that your users choose strong passwords that meet your
organization's password policy and achieve compliance with regulatory norms.
How to configure advanced password policy settings in ADSelfService Plus
- Log in to the ADSelfService Plus admin portal.
- Navigate to the Configuration tab. Under the Self-Service section, select Password Policy Enforcer.
- Enable Enforce Custom Password Policy.
- In this section, you can manage:
  - Characters: Restrict the number of special characters, numbers, and Unicode characters used in passwords.
  - Repetition: Enforce a password history check during password reset, and restrict the consecutive repetition of a specific character from the username (e.g. “aaaaa” or “user01”).
  - Patterns: Restrict keyboard sequences, dictionary words, and palindromes, or ensure that users' passwords meet specific criteria by enforcing a regex pattern. Learn more about setting a regex pattern here.
    Important note: Ensure that the regex pattern and other password policy rules do not conflict with each other.
    If you enable a password policy based on a regex pattern, please ensure that the login agent on user machines is updated to version 6.11 or above, and the ADSelfService Plus app on user devices is at least version 1.7.2 or 1.6.6 for Android or iOS devices, respectively.
  - Length: Specify the minimum and maximum password length.
- You can also enable users to bypass complexity requirements when the password length exceeds
a predefined limit (e.g. 20 characters).
- Enter the number of policy settings the user’s password must comply with during self-service
password reset and password change operations.
- To help users create passwords that comply with the enforced policy settings, you can display the
password policy requirement on the reset and change password pages.
- Enforce the configured password policy settings during password resets from the ADUC console
and the change password screen.
- Secure user accounts by verifying whether passwords meet all the configured password policy rules in
ADSelfService Plus and checking for compromised password usage through the Have I Been Pwned integration during each login
attempt.
If the passwords do not satisfy the requirements, users will be forced to change them. This
setting can be applied during the following scenarios:
  - Web portal login
  - Mobile site login
  - Mobile app login
  - Windows machine login

  Note: Enabling this setting may cause a delay during Windows
login since the passwords are validated in real time.
If the ADSelfService Plus server is unreachable during machine login, users will be
allowed to log in based on their MFA configuration. However, the password policy enforcer
rules will be bypassed.
Note: If you enable or modify any of the settings above and the Password
Sync Agent is installed, you need to update the configuration settings in the agent for the
changes to take effect. Please refer to these
steps to update the Password Sync Agent configurations.
Tip: Offer visual feedback on user password strength by employing the Password Strength
Analyzer. To enable it, open the Configuration tab > Self-Service section > Policy Configuration.
Click Advanced. In the window that opens, go to the Reset & Unlock tab. Enable Password Strength Analyzer.
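
The following Python model is an added example, not ManageEngine's code. It shows how the "number of policy settings the password must comply with" and the long-password bypass described above interact with the individual rules. Assumptions: the setting names, the five-rule set, treating length limits as mandatory, and a bypass that skips every complexity rule are all hypothetical, so confirm actual behavior in your own deployment.

```python
# Constructed sample settings; the key names are hypothetical and do not
# mirror ADSelfService Plus' internal configuration.
POLICY = {
    "min_length": 8,
    "max_length": 64,
    "min_special": 1,
    "min_digits": 1,
    "max_repeat": 2,       # longest allowed run of one repeated character
    "bypass_length": 20,   # passwords at least this long skip complexity rules
    "rules_required": 4,   # how many of the complexity rules must pass
}

def longest_run(s):
    """Length of the longest run of a single repeated character."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best

def evaluate(password, username, policy=POLICY):
    """Return (accepted, failed_rule_names, bypassed) for one candidate."""
    n = len(password)
    # Assumption: length limits are always mandatory.
    if not policy["min_length"] <= n <= policy["max_length"]:
        return False, ["length"], False
    # Assumption: the bypass skips every complexity rule below.
    if n >= policy["bypass_length"]:
        return True, [], True
    folded = password.casefold()
    checks = {
        "special": sum(not c.isalnum() for c in password) >= policy["min_special"],
        "digits": sum(c.isdigit() for c in password) >= policy["min_digits"],
        "repetition": longest_run(password) <= policy["max_repeat"],
        "username": username.casefold() not in folded,
        "palindrome": folded != folded[::-1],
    }
    failed = [name for name, ok in checks.items() if not ok]
    passed = len(checks) - len(failed)
    return passed >= policy["rules_required"], failed, False
```

With `rules_required` set below the number of enabled rules, a password such as `User01!x` is accepted for user `user01` even though it contains the username, and a 20-character run of one letter passes through the bypass. Both are worth testing against your chosen thresholds before rollout.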