Integrating SailPoint with Entra Self Service Password Reset (SSPR)

Hi everyone!

My organization is looking into potentially utilizing SailPoint to manage SSPR information for Entra ID users. The goal is to have SailPoint enable this feature for new AD accounts (which are synced from a local AD environment to Entra ID), and add information such as personal email addresses and cell phone numbers for authentication methods so that when the user attempts to sign in, they can go through the recovery process without having to contact the help desk.

Is this doable? If so, could anyone who has implemented it provide any pros and cons? Is there any documentation that can be shared?

Thank you in advance!

Hi Ricardo

Yes, it is definitely doable; I’ve done this on a few implementations. In my case, we also set the AD source as the authentication source on the Identity Profile while simultaneously enabling SSO authentication for IdentityNow. On the MS login page, we had the Entra team add this text with a hyperlink to SailPoint Password Reset:

[image of the login page text not preserved]

Things to consider:

  • AD restrictions on how often a password can be changed for a user in a period of time - this is a security setting, so check what it is in your org. We allowed multiple changes but set IDN to lock after 5 failed attempts.

  • Email address and mobile data accuracy in IDN - ensure you have an accurate source for users to have this data on their identity in IDN. We synced these details from the HR source as alternate mobile and alternate email, and users were able to update this via self-service in their HR profile.

  • Importantly, communication to new users: you could use a workflow to send an email to new users with instructions or a guide to set their password for first use.

Hope that helps.

Hi Irshaad,

Thank you for the response, this is actually helpful! A few questions I have if you don’t mind:

1-What happens if a user clicks on the “Forgotten my password” option instead of going through the SailPoint URL?

2-Assuming that the HR source has the incorrect information (e.g., old email address), and the user updates the email address by going into their Azure account directly, and updating the authentication method, will SailPoint overwrite that information back to what the HR source has? I assume yes since you can only add one type of authentication method (can’t add multiple email addresses).

3-Have you heard from the companies that you help implement such changes a decrease of calls / emails to the help desk regarding password resets requests?

Thank you in advance!

I don’t mind at all:

1- The “Forgot my password” link was tied to the MS Entra Self-Service Password Reset functionality. The orgs I worked with had not enabled this; however, the link still directed users through the process, which eventually failed. We mitigated this experience through change management and communication.

2- In my cases, we had work email mastered in AD/Exchange, and this was synced back to HR. Personal email and personal mobile were mastered in HR and synced to IDN. You could sync these to AD too, but be aware of potentially displaying personal information via the GAL. You could also use AD/Azure as the master for these and sync back to HR; this would be technically possible, but due to the visibility of personal information in Azure compared to HR, we went the other way around and only allowed users to update them on their HR profile.

3- Yes, we actually tracked this for over a year after implementation and saw a drastic reduction in help desk calls for password resets and a huge uptake of the self-service function. It’s important to note that this was supported by effective business change management and communication campaigns, and eventually the help desk no longer accepted such calls and redirected users to self-service. This should be done in stages, gradually removing the dependency on the help desk.

-Irshaad
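The question in point 2 above (what happens when a user edits an authentication method directly in Entra while HR is the master) comes down to a reconciliation rule: the authoritative value from HR wins, and the integration has to cope with Entra's constraint of a single email method per user. The following Python is an added example and is not SailPoint's, Microsoft's or Irshaad's code. It assumes HR is authoritative for personal email and mobile (as the thread describes), that the user's current methods have already been read from Microsoft Graph (`GET /users/{id}/authentication/emailMethods` and `/phoneMethods`; here they are constructed sample data), that phone numbers arrive in Graph's `+{country code} {number}` form, and that the HTTP verbs follow my reading of the Graph v1.0 docs (PATCH for an existing email method, PUT for an existing phone method). It only produces a request plan; sending it needs an authenticated Graph client, which is out of scope.

```python
"""Plan Entra ID authentication-method updates from an HR-mastered record.

Added example, not the thread's or any vendor's code. All names, ids and
sample values below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Graph phone format "+{country code} {number}", optional "x{ext}" (assumption:
# HR hands us numbers already in this shape, so we validate rather than convert).
PHONE_RE = re.compile(r"^\+\d{1,3} \d{4,14}(x\d{1,6})?$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class HrRecord:
    user_id: str                     # Entra object id or UPN (constructed)
    personal_email: Optional[str]
    personal_mobile: Optional[str]


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    body: Optional[dict] = None


def _email_ops(hr: HrRecord, email_methods: List[dict]) -> List[Request]:
    base = f"{GRAPH}/users/{hr.user_id}/authentication/emailMethods"
    if not hr.personal_email:
        return []                    # nothing authoritative to push
    if not EMAIL_RE.match(hr.personal_email):
        raise ValueError(f"HR email for {hr.user_id} is malformed")
    # Entra allows one email method per user: update it instead of adding a
    # second, which is why a user-made change in Entra gets overwritten.
    if email_methods:
        current = email_methods[0]
        if current["emailAddress"].lower() == hr.personal_email.lower():
            return []                # already in sync, no write needed
        return [Request("PATCH", f"{base}/{current['id']}",
                        {"emailAddress": hr.personal_email})]
    return [Request("POST", base, {"emailAddress": hr.personal_email})]


def _phone_ops(hr: HrRecord, phone_methods: List[dict]) -> List[Request]:
    base = f"{GRAPH}/users/{hr.user_id}/authentication/phoneMethods"
    if not hr.personal_mobile:
        return []
    if not PHONE_RE.match(hr.personal_mobile):
        raise ValueError(
            f"HR mobile for {hr.user_id} is not in '+CC number' form")
    body = {"phoneNumber": hr.personal_mobile, "phoneType": "mobile"}
    # Only the 'mobile' slot is HR-mastered; alternateMobile/office are
    # left alone so unrelated user choices are not clobbered.
    mobile = [m for m in phone_methods if m.get("phoneType") == "mobile"]
    if mobile:
        if mobile[0]["phoneNumber"] == hr.personal_mobile:
            return []
        return [Request("PUT", f"{base}/{mobile[0]['id']}", body)]
    return [Request("POST", base, body)]


def plan_updates(hr: HrRecord, email_methods: List[dict],
                 phone_methods: List[dict]) -> List[Request]:
    """Return the Graph requests needed to make Entra match the HR record."""
    return _email_ops(hr, email_methods) + _phone_ops(hr, phone_methods)


def demo() -> List[Request]:
    # Constructed scenario from the thread: the user changed their recovery
    # email in Entra, HR still holds the authoritative one, and no mobile
    # method is registered yet.
    hr = HrRecord("00000000-0000-0000-0000-000000000001",
                  "new.address@example.com", "+1 5555551234")
    entra_email = [{"id": "constructed-email-method-id",
                    "emailAddress": "old.address@example.com"}]
    entra_phones: List[dict] = []
    return plan_updates(hr, entra_email, entra_phones)


if __name__ == "__main__":
    for req in demo():
        print(req.method, req.url, req.body)
```

Run as a script it prints two requests: a PATCH that restores the HR email over the user's Entra edit, and a POST that registers the mobile method. Feeding the same HR record a second time yields an empty plan, which is the idempotence check worth wiring into a scheduled reconciliation so the sync does not generate needless writes or audit noise.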

Thanks again Irshaad!

And good point on the syncing of email / cellphone back to AD. We definitely wouldn’t want to do this given the privacy implications of having people’s personal numbers being set as an attribute, so I will advocate on having those changes made at the HR software.

Also happy to hear it made a positive change on the number of tickets. I think having users just go through the SailPoint password reset makes it more uniform and easier to track.

Thank you again for your answers, I truly appreciate it!

