Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V


Enterprise Mobility Suite

End-user signup for Azure Self Service Password Reset

If you want to enable a user for Self Service Password Reset, the user needs to navigate to one of these endpoints and register his/her phone as a second factor.


  1. This endpoint verifies your phone and enrolls the user in SSPR:
    It does not change your password!
  2. This endpoint resets your password and enrolls the user if his or her phone number is already stored on the user. (which points here:


Here is a screen dump of what the user will have to do:

Standard Login
You get routed to our enrollment service
You are asked to verify your phone (if it is already there); if not, you have to enter your phone number
If your phone is not registered in Azure AD you see this


Call goes fastest


In Azure AD you select how many factors your users need to set up. I have selected 1.
This is where you end up

Azure MFA enrollment experience

If you want to enroll for Azure MFA the users need to go through these steps. When you enforce or enable MFA the user will be prompted for MFA enrollment. This is best done in a browser.

First, the user needs to access any of our endpoints, e.g.

Office 365 custom logo login


mfa prompt
Office 365 MFA enabled


input mfa method
Office 365 MFA input phone number


contact options
Office 365 mfa methods



You will get a text message with a code to enter


code on phone


Office 365 app password during enrollment
Use this app-password on your native iOS or Android device or old Outlook 2010 instead of your normal password.



Additional Office 365 MFA options
Press Cancel if you feel done, or just navigate to the intended site, e.g.


Extended Office 365 MFA options
all your MFA options


Azure AD access panel for MFA
The user access panel

Here are all of the pictures in a Sway:

What Azure Rights Management Tells You!

A colleague of mine, Ilya, sent out an Azure RMS protected document. Here is what it looks like for a user of Azure RMS when sharing documents.

Observe the insight and control you have over the information, and at a moment's notice you can withdraw access to the document.

The yellow lines cover the last names, which have been removed for privacy.

Summary page
Global Map View
Where in the world
Zoomed view USA
Zoomed in on USA
List view
Just a list of everyone
When did they open it?


Notification settings
Get notified once someone opens the document

Removing user access to Azure RMS documents


You share an Azure RMS protected document with one user If you now remove that user and add

-> What happens?


Each share on the file creates a new instance in Azure RMS. Hence, if you want to remove a user's access, you need to revoke access to the document completely.

Note: once you revoke access to a document, all the users will lose access.

Hence if the user quits and you revoke access to a document which also has access to then both lose access.

version protection
Observe the individual shared versions of the file


A workaround would be to always share a document with as few people as possible each time.

Extending an Intune, EMS or Office 365 Trial

Need more time to decide?

That's okay, if your trial is about to run out simply:

  1. Log on to  as an Administrator
  2. Navigate to: Billing->Subscriptions
  3. Find the trial you want to extend and click it
  4. Click Extend and enter a credit card. (It will not be charged)
  5. Click Submit

That’s it, 30 more days


ems licenses extend trial


Azure Active Directory and Roaming Profiles

In Windows 10 you can join a machine to Azure AD instead of a local domain.


When you join Azure AD, your account is given administrator privileges automatically. If you switch users with Ctrl+Alt+Del and Switch user, that user is set as a Standard user.


If you do not know who will use the computer, only the first user will be an administrator; the rest will be standard users and cannot install programs.


This behavior is the default and cannot be changed. Simply giving machines out to students will result in the first users becoming administrators. If you boot all machines before deployment and log in with your user, that user will be blocked after about 20 devices.



How to fix this? Take a look at this post:


