Communicating passwords following user creation

Hi there,

We have a requirement to communicate passwords to users to enable them to login to their device.

One Identity Manager is creating AD accounts, which are then synced to Entra ID (Azure AD).

Is there a way to create a customised password that uses certain data from the HR system? For example, employee number, phone number, etc. The user would then log into the Microsoft self-service password reset portal and set their own credentials.

This prevents anyone else from knowing the credentials.

  • Hi Sam,

    Assuming you're on a relatively new version of One Identity such as V9.<something> (It's always good to mention your version).

    In the Manager tool under Employees -> Basic configuration data -> Password policies you can find the password policies. One of these is the 'Active Directory password policy'.

    Here you can configure how the AD passwords should be generated; you can add criteria such as the length of the passwords and the characters to be used. If you have special requirements, under the tab 'Scripts' you can define a generating script, which is the script that will be used to generate the password.

    You'll have to make the script yourself (using the HR data you want), obviously, but you should be able to make a password that meets whatever requirements you have using the password policies.

  • Hi there - thanks for this. 

    We are using v8.2 at the moment. Thanks for the info that's helpful.

    As a side note - how would you communicate that to the user? We want it to be as secure as possible, i.e. no sharing of credentials via email or instant message, etc.

  • In our case, every new identity must provide a notification endpoint, either a phone number or an email address (later they can access their profile and maybe set a Telegram username, too).

    Once the identity has been created, we only send the login name to those endpoints. The new employee can go to our password recovery portal, enter the login name and request a PIN code to their phone/mail (or Telegram), then reset the password with that PIN.
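    The flow described in this post, together with the length/character-class criteria mentioned in the first answer, is easy to reason about as code. The block below is an added illustration written for this thread; it is not One Identity code and does not model the product's generating script or portal. The policy thresholds, the PIN length and lifetime, the attempt limit and the `RecoveryPortal` class are all assumptions, and the `outbox` list stands in for the SMS/mail channel. Only the login name ever leaves the system; the PIN is stored hashed, is single-use, expires, and is burned after a few wrong guesses, and an unknown login name gets the same response as a known one so the portal cannot be used to enumerate accounts.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy values standing in for the length / character-class criteria a
# password policy exposes; the real thresholds come from your own policy.
MIN_LENGTH = 14
REQUIRED_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, "!@#$%^&*-_")
PIN_DIGITS = 8
PIN_TTL_SECONDS = 600      # assumption: a PIN is valid for ten minutes
MAX_PIN_ATTEMPTS = 3       # assumption: three wrong PINs invalidate the PIN


def password_meets_policy(password: str) -> bool:
    """Minimum length plus at least one character from every required class."""
    if len(password) < MIN_LENGTH:
        return False
    return all(any(c in cls for c in password) for cls in REQUIRED_CLASSES)


def generate_initial_password(length: int = MIN_LENGTH) -> str:
    """Random password satisfying the policy: one char per class, the rest from the union."""
    alphabet = "".join(REQUIRED_CLASSES)
    chars = [secrets.choice(cls) for cls in REQUIRED_CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def _hash(secret: str, salt: str) -> str:
    """Salted PBKDF2 so neither PIN nor password is held in clear text."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 50_000).hex()


@dataclass
class Identity:
    login_name: str
    endpoint: str                 # phone number or mail address registered by HR
    salt: str
    password_hash: Optional[str] = None
    pin_hash: Optional[str] = None
    pin_expires_at: float = 0.0
    pin_attempts: int = 0


class RecoveryPortal:
    """Hypothetical portal: login name goes out, the user picks the password after
    proving control of the registered endpoint with a one-time PIN."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.identities: Dict[str, Identity] = {}
        self.outbox: List[Tuple[str, str]] = []   # (endpoint, message): stands in for SMS/mail

    def create_identity(self, login_name: str, endpoint: str) -> None:
        self.identities[login_name] = Identity(login_name, endpoint, secrets.token_hex(16))
        # Only the login name leaves the system; no password is ever transmitted.
        self.outbox.append((endpoint, f"Your login name is {login_name}"))

    def request_pin(self, login_name: str) -> None:
        ident = self.identities.get(login_name)
        if ident is None:
            return          # identical response for unknown names: no enumeration
        pin = "".join(secrets.choice(string.digits) for _ in range(PIN_DIGITS))
        ident.pin_hash = _hash(pin, ident.salt)
        ident.pin_expires_at = self.clock() + PIN_TTL_SECONDS
        ident.pin_attempts = 0
        self.outbox.append((ident.endpoint, f"Your reset PIN is {pin}"))

    def reset_password(self, login_name: str, pin: str, new_password: str) -> bool:
        ident = self.identities.get(login_name)
        if ident is None or ident.pin_hash is None:
            return False
        if self.clock() > ident.pin_expires_at or ident.pin_attempts >= MAX_PIN_ATTEMPTS:
            ident.pin_hash = None                   # expired or exhausted: request a new PIN
            return False
        if not password_meets_policy(new_password):
            return False                            # policy is public; PIN stays usable
        ident.pin_attempts += 1
        if not hmac.compare_digest(ident.pin_hash, _hash(pin, ident.salt)):
            return False
        ident.password_hash = _hash(new_password, ident.salt)
        ident.pin_hash = None                       # single use
        return True

    def verify_login(self, login_name: str, password: str) -> bool:
        ident = self.identities.get(login_name)
        if ident is None or ident.password_hash is None:
            return False
        return hmac.compare_digest(ident.password_hash, _hash(password, ident.salt))
```

    Because the PIN only proves control of the endpoint HR registered, the strength of the whole flow is the strength of that registration step; the code cannot compensate for a wrong phone number in the HR record.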

  • Similar to what Juan is saying, distributing (initial) passwords is always tricky. It's good to make sure everyone in your organization is aware it is not primarily a technical problem, but an 'identification' problem. You can google and find a million results on 'How to verify an identity' and you'll see there is no easy answer ;).

    When it's just initial passwords that need to be changed immediately there are plenty of organizations which are happy with an (external) phone number or email address registered by HR to share the initial credentials.

    Alternatives are going into the office to 'retrieve' it (initially), a verification process (either automatically or with a person) using an ID after which an initial password is provided (like some banks do). Having a manager hand it out on the first day...

    To be able to answer how I would communicate it to the user it really depends on what level of verification / trust you want in the Identity (and as such what kind of an organization you are).

    But... The most common practice is still sending the initial password to an external mail address and forcing a change at first login.

  • Juancarlos thank you for this. It's interesting.

    Just a follow up to:
    Once the identity has been created, we only send the login name to those endpoints. The new employee can go to our password recovery portal, enter the login name and request a PIN code to their phone/mail (or Telegram), then reset the password with that PIN.

    Is this the One Identity password recovery portal, and does anyone from the IT department etc. know the password, other than the user, once it is created?