articles/active-directory/fundamentals/road-to-the-cloud-migrate.md
Lines changed: 10 additions & 26 deletions
@@ -28,43 +28,27 @@ A typical migration workstream has the following stages:
28
28
29
29
## Users and Groups
30
30
31
-
### Move password self-service
31
+
### Enable password self-service
32
32
33
33
We recommend a [passwordless environment](../authentication/concept-authentication-passwordless.md). Until then, you can migrate password self-service workflows from on-premises systems to Azure AD to simplify your environment. Azure AD [self-service password reset (SSPR)](../authentication/concept-sspr-howitworks.md) gives users the ability to change or reset their password, with no administrator or help desk involvement.
34
34
35
-
To enable self-service capabilities, your authentication methods must be updated to a [level that supported by self-service capabilities](../authentication/tutorial-enable-sspr.md). Once authentication methods are updated, you'll want to enable user self-service password capability for your Azure AD authentication environment.
35
+
To enable self-service capabilities, your authentication methods must be updated to a [level that supported by self-service capabilities](../authentication/tutorial-enable-sspr.md). Once authentication methods are updated, you'll want to enable user self-service password capability for your Azure AD authentication environment. For deployment guidance, see Deployment considerations for Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Docs.
36
36
37
-
### To evaluate and pilot SSPR
38
-
39
-
* Enable [combined registration (multi-factor authentication (MFA) +SSPR)](../authentication/concept-registration-mfa-sspr-combined.md) for a target group of users
40
-
41
-
* Deploy [SSPR](../authentication/tutorial-enable-sspr.md) for a target group of users
42
-
43
-
* For that group of users with Azure AD and Hybrid Azure AD joined devices (Windows devices - 7, 8, 8.1 and 10), enable [Windows password reset](../authentication/howto-sspr-windows.md) for those users.
37
+
**Additional considerations include**:
44
38
45
39
* Deploy [Password Protection](../authentication/howto-password-ban-bad-on-premises-operations.md) in a subset of DCs with *Audit Mode* to gather information about impact of modern policies. For more guidance, see [Enable on-premises Azure Active Directory Password Protection](../authentication/howto-password-ban-bad-on-premises-operations.md).
40
+
* Gradually register and enable Combined registration for [SSPR and Azure AD Multi-Factor Authentication](../authentication/concept-registration-mfa-sspr-combined.md). This enables both MFA and SSPR. For example, roll out by region, subsidiary, department, etc. for all users.
46
41
47
-
### To scale out
48
-
49
-
Gradually register and enable SSPR. For example, roll out by region, subsidiary, department, etc. for all users. This enables both MFA and SSPR. Refer to [Sample SSPR rollout materials](/download/details.aspx?id=56768) to assist with required end-user communications and evangelizing.
50
-
51
-
**Key points:**
52
-
53
-
* Use Azure AD password policies on the domain.
54
-
55
-
* Go through a cycle of password change for all users to flush out weak passwords.
56
-
57
-
* Once the cycle is complete, implement the policy expiration time.
58
-
59
-
* Enable Windows 10 password reset ([Self-service password reset for Windows devices - Azure Active Directory](../authentication/howto-sspr-windows.md)) for all users
42
+
* Go through a cycle of password change for all users to flush out weak passwords.
60
43
61
-
For Windows down-level devices, follow [these instructions](../authentication/howto-sspr-windows.md)
44
+
* Once the cycle is complete, implement the policy expiration time.
62
45
63
-
* Add monitoring information like workbooks, for reset activity ([Self-service password reset reports - Azure Active Directory](../authentication/howto-sspr-reporting.md)) - Authentication Methods Insights and reporting ([Authentication Methods Activity - Azure Active Directory](../authentication/howto-authentication-methods-activity.md))
46
+
* Switch the "Password Protection" configuration in the DCs that have "Audit Mode" set to [Enforced mode](../authentication/howto-password-ban-bad-on-premises-operations.md).
64
47
65
-
* Switch the "Password Protection" configuration in the DCs that have "Audit Mode" set to "Enforced mode" ([Enable on-premises Azure AD Password Protection](../authentication/howto-password-ban-bad-on-premises-operations.md))
66
48
67
-
* For customers with Azure AD Identity Protection, enable [password reset as a control in Conditional Access policies](../identity-protection/howto-identity-protection-configure-risk-policies.md)for risky users (users marked as risky through Identity Protection). [Investigate risk Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-investigate-risk.md)
49
+
>[!NOTE]
50
+
>* End-user communications and evangelizing are recommended for a smooth deployment. See [Sample SSPR rollout materials](/download/details.aspx?id=56768) to guide you.
51
+
>* For customers with Azure AD Identity Protection, enable [password reset as a control in Conditional Access policies](../identity-protection/howto-identity-protection-configure-risk-policies.md)for risky users (users marked as risky through Identity Protection).
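Review bot: The removed monitoring bullet (SSPR reports and Authentication Methods Activity) has no counterpart in the added lines, so the section no longer tells readers to watch reset activity during the rollout; consider keeping it under "Additional considerations include". The same applies to the removed Windows password reset guidance, which the new text does not mention. In the added "To enable self-service capabilities" paragraph, "see Deployment considerations for Azure Active Directory self-service password reset - Microsoft Entra | Microsoft Docs" is a pasted page title with no link target; make it a relative link like the others in this file. In the added NOTE, ".md)for risky users" is missing a space after the link, and "level that supported by", carried over from the old line, should read "level that is supported by".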