Hi Ricardo
Yes, it is definitely doable; I've done this on a few implementations. In my case, we also set the AD source as the authentication source on the Identity Profile while simultaneously enabling SSO authentication for IdentityNow. On the MS login page, we had the Entra Team add this text with a hyperlink to SailPoint Password reset:

Things to consider:

- AD restrictions on how often a password can be changed for a user in a period of time - this is a security setting, check what it is in your org; we allowed multiple but set IDN to lock after 5 failed attempts.
- Email address and mobile data accuracy in IDN - ensure you have an accurate source for users to have this data on their identity in IDN; we synced these details from the HR source as alternate mobile and alternate email, and users were able to update this via self-service in their HR profile.
- Also important is communication to new users; you could use a workflow to send an email to the new users with instructions or a guide to set their password for first use.

Hope that helps.