Change password for Windows authentication user

Related products: Indicium Service Tier

As we manage our ICT authorization centrally via Active Directory, we are using Microsoft authentication (local AD) to log in to our Thinkwise application.

There are quite some users who don't have a Windows device but only a mobile device with the Thinkwise application (Universal UI) to log in with the AD-user.

When the AD-user password expires, the user can't log in anymore.

It would be great if Thinkwise could:

  • determine if a Windows password has expired (display expiration info instead of an “unable to login”)
  • create a “Change password” functionality for Windows authenticated users

Hi,

Changing AD passwords via Indicium may introduce a security risk that makes it possible to compromise an AD account. Supporting this is not something that we want to do. We do support the idea of showing a message to the user that his/her password has expired.

Feel free to create a separate idea for this.

 

In the case the users are only using the Universal GUI, you could also make them of type External authentication and let the authentication of users take place outside of IAM.

Microsoft recommends not applying any password change policy on passwords in Active Directory. This usually leads to a less secure password as users have to replace their old password with a new one. This new one may not be much different or any more complex than the previous one.

We recommend forcing users to increase the complexity of their passwords by, for example, increasing their length, letting users use a password manager and letting users use two-factor authentication.

More on it here: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide#password-guidelines-for-administrators