Howto configure Password Change in ADFS

Users are always allowed or forced to change their passwords, either by a phone call to servicedesk or from their domain joined computer when at the Office. By enabling this feature in ADFS, you make self-service password change more available for your end-users. Possible reducing the incoming calls to Servicedesk.

Password change is protected by requiring the user to remember its existing password, so the feature isn’t very exciting for blackhat hackers, as then they already have the password.

The feature came available in ADFS 3.0 (Windows Server 2012 R2), but it was limited to devices that where workplace joined. A feature that was ment for bring your own device (BYOD), but not many started using it. BYOD was rather controlled by the Mobile Device Management (MDM).

Microsoft had a lot of feedback claiming the feature would be better without limitation to workplace joined devices, so ADFS 4.0 (Windows Server 2016) came with the Password Change Portal (PCP) without this limitation. And we received a hotfix (KB3035025) that would open the PCP limitations for ADFS 3.0 too. This hotfix was later superseded, so if your system is up to date, it already has the hotfix installed within a different update. When trying to install the hotfix it fails with the error ‘Not applicable for your computer’.

Step 1 – enable the Password Change Portal.

Open your AD FS Management tool, on the primary server if your using Windows Internal Database (WID), and navigate to the EndPoints under Services\Endpoints. At the bottom you will see the /ADFS/portal/updatepassword/ endpoint, right click it and choose enable. Right click again and choose enable on proxy. Enabling on proxy only works if your using the Web Application Proxy feature in Windows Server 2012 R2/2016


Step 2 – test the Password Change Portal.

Navigate to https://adfs-domain/adfs/portal/updatepassword and it should look something like this:


Step 3 – Enable password expiry notification

According to your Active Directory Password Policy, it stores time and days left until the password expires on each user object. This information could be included in the issuing claim rules for each relying party. Making the relying party able to read the claim and develop a notification in their application. It will also find the endpoint url if we add it to the claim.

c1:[Type == ""]
=> issue(store = "_PasswordExpiryStore", types = ("", "", ""), query = "{0};", param = c1.Value);

Step 4 – Additional options

Changes to the Password Change Portal can be done by creating a new custom theme, and it examples is customizing the Cancel buttons redirect URL, or adding a text on the FrontPage of ADFS for users to navigate to the Change Password Portal before their password has expired.

More detailed information is already explained in this blog article:

Leave a Reply


I am Roy Apalnes, a Microsoft Cloud Evangelist working av Sopra Steria. Main focus in Microsoft Security and Endpoint Management, with a bigger picture in mind.

Featured Posts