AD FS: Guide to Enabling the Password Change Feature

1. Method: Enabling via AD FS Management Console

Follow these steps to activate the endpoint using the Graphical User Interface (GUI):

  1. Open AD FS Management Console: Launch the AD FS Management application directly or via Server Manager on your server.

  2. Navigate to Endpoints: In the left-hand navigation pane, expand the Service node and click on Endpoints.

  3. Locate the Relevant Endpoint: Find the path /adfs/portal/updatepassword/ in the list.

  4. Enable the Endpoint:

    • Right-click on the endpoint and select Enable.

    • If access is required from the external network (through the Web Application Proxy, WAP), right-click the endpoint again and select Enable on Proxy.

  5. Restart the Service: For the changes to take effect, restart the Active Directory Federation Services (adfssrv) service from the Windows Services console.

2. Alternative Method: Enabling via PowerShell

For a faster and more precise configuration, you can execute the following commands in a PowerShell window launched with administrative privileges:

PowerShell

# Enables the endpoint for both internal and external (Proxy) networks
Enable-AdfsEndpoint -TargetAddressPath "/adfs/portal/updatepassword/"
Set-AdfsEndpoint -TargetAddressPath "/adfs/portal/updatepassword/" -Proxy $true

# Restarts the service to apply changes
Restart-Service adfssrv

3. Making it Visible on the AD FS Sign-in Page

Activating the endpoint does not automatically add a link to the sign-in page. To make the link visible to users below the login button, you must add a description text that contains it, using the following command:

PowerShell

Result: Once this command is applied, a clickable hyperlink will appear below the login button on the sign-in page.
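The script below is an added example, not part of the original guide; it combines the endpoint activation from section 2 with the sign-in page link from section 3 and verifies the result. It assumes the AD FS PowerShell module on the primary AD FS server; the link wording and the use of Set-AdfsGlobalWebContent with its SignInPageDescriptionText parameter are the editor's choice, since the command this section refers to is not shown on the page.

```powershell
# Added example (not from the original guide): enable the password change
# endpoint, optionally publish it on the proxy, add the sign-in page link,
# and verify the resulting state. Run in an elevated PowerShell session.
param(
    # Keep $false unless users must reach the page from the internet via WAP.
    [bool]$ExposeOnProxy = $false
)

$path = "/adfs/portal/updatepassword/"

# 1. Enable the endpoint only if it is not already enabled (idempotent).
$endpoint = Get-AdfsEndpoint -AddressPath $path
if (-not $endpoint.Enabled) {
    Enable-AdfsEndpoint -TargetAddressPath $path
}

# 2. Proxy publication is an explicit decision: $false keeps it internal-only.
Set-AdfsEndpoint -TargetAddressPath $path -Proxy $ExposeOnProxy

# 3. Add the hyperlink below the login button. Using the federation service
#    host name makes the same link work for internal and proxied sign-in.
$fsHost   = (Get-AdfsProperties).HostName
$linkHtml = "<p>Need to change your password? " +
            "<a href='https://$fsHost$path'>Update it here</a>.</p>"
Set-AdfsGlobalWebContent -SignInPageDescriptionText $linkHtml

# 4. Restart the service so the endpoint change takes effect.
Restart-Service adfssrv

# 5. Report what is now configured so the change can be checked at a glance.
$endpoint = Get-AdfsEndpoint -AddressPath $path
[PSCustomObject]@{
    Endpoint        = $endpoint.AddressPath
    Enabled         = $endpoint.Enabled
    OnProxy         = $endpoint.Proxy
    DescriptionText = (Get-AdfsGlobalWebContent).SignInPageDescriptionText
}
```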

4. Additional Information and Microsoft Recommendations

Version Requirements and Hotfixes

  • Windows Server 2012 R2: If you are using this version, the KB3035025 update must be installed on all AD FS servers to allow users to change passwords from non-domain joined devices (non-Workplace Join devices).

  • Server 2016/2019/2022: In these versions, this feature works independently of the device type by default.

Automatic Trigger Scenarios

AD FS will automatically redirect users to this page even if they do not click the link in the following cases:

  1. If the user's password has expired.

  2. If the "User must change password at next logon" option is enabled for the user in Active Directory.

Office 365 Integration

If you are using Office 365, it is recommended to add an "issuance claim rule" on the Azure AD Relying Party Trust so that users receive a warning 14 days before their password expires. This allows users to be redirected to this link directly from within Office applications.
