Password Management for Core, Pro and IGA Solutions
Password Management for Core, Pro and IGA Solutions
Password Management
This article outlines various use cases for end users, Service Desk Agents, and Identity Governance and Administration (IGA) administrators.
Use cases for Service Desk Agents and IGA administrators are included in solution packages such as M42 Core, M42 Professional, and M42 IGA Starter, Growth, or Enterprise.
The end-user use case—allowing users to reset their own passwords—is offered as an add-on. This feature can either be integrated into your existing M42 solution or provided in a separate environment dedicated to password resets.
Password management encompasses the tools, processes, and policies that organizations use to securely manage user credentials across systems and applications. It is a critical function aimed at controlling and automating how passwords are created, updated, stored, and recovered.
Automating password resets provides numerous benefits. Below is a summary of the key advantages:
- Enhanced security
- Reduces risk of weak or reused passwords by enforcing strong password policies.
- Eliminates human errors and delays that can lead to vulnerabilities.
- Multi-factor authentication (MFA) and identity verification to make sure only the right person is resetting the password.
- Reduced IT Help Desk Costs
- A huge portion of help desk calls (often 30–50%) are just for password resets.
- Automating this frees up IT staff to focus on more strategic tasks—saving both time and money.
- Faster Access Restoration
- Users don’t have to wait for IT—especially useful for remote teams or off-hours access.
- Minimizes downtime, which keeps productivity high.
- Improved User Experience
- A self-service reset option means users can fix their own login issues 24/7.
- Reduces frustration and wait times—especially important in large organizations.
- Stronger Compliance & Audibility
- Every reset attempt is logged, which is great for audit trails and compliance reporting.
- Tracks password changes, reset attempts, and policy violations.
- Helps meet regulations like GDPR, HIPAA, SOX, and others that require strong access controls and traceability.
- Consistent Policy Enforcement
- Ensures that password policies (like expiration, complexity etc.) are applied uniformly across all systems and users.
- Supports Hybrid & Cloud Environments
- Works across on-premise systems (like Active Directory) and cloud apps (like Entra ID), especially important as companies move toward hybrid IT environments.
Password Self-Reset (Add-on)
Password self-reset offers several benefits, especially for users and IT teams. Here is a summary of the use case, detailed description can be found below the picture.
Password Self-Reset (add-on) Use Case Description
The password self-reset process itself remains consistent, but the required authentication method introduces variations in the use cases and impacts the level of user identity verification prior to allowing a password change. The Core, Pro and/or IGA solution supports multiple authentication methods, which can even vary based on user group.
The first step is selecting the authentication method. After that, the self-reset process proceeds as usual.
- Password Self-Reset with Company Login
- Users can change their password after logging in with their existing company credentials. The new password is automatically provisioned to the directory.
- Limitation: If users forget their current credentials, they cannot access the password self-reset service. It requires knowledge of the existing password.
- Security Level: Low
- Supported Authentication Methods:
- AD login (username and password)
- ADFS login (AD SSO)
- Entra SSO
- Local user login (SAML / OpenID)
- Password Self-Reset with One-Time Password (OTP) – Add-On
- Users can initiate a password reset from the M42 login page by selecting "I forgot my password." They provide their email or phone number and receive a message containing a one-time password (OTP). After successful authentication, the user sets a new password, which is then provisioned to the directory.
- Requirement: The user’s phone number or email must exist in the Core/Pro or IGA solution.
- Security Level: Medium
- Supported Authentication Methods:
- One-Time Password, SMS
- One-Time Password, email
- One-Time Password, authenticator application
- Password Self-Reset with Bank ID Authentication (eID)
- Users can initiate a password reset from the M42 login page by selecting "I forgot my password." They are redirected to authenticate using their selected bank’s identification method. After successful authentication, the user is directed to the Core/Pro or IGA solution, where they can define a new password. The password is then automatically provisioned to the directory.
- Requirement: The user's social security number must be available in the Core or Pro solution.
- Security Level: High
- Supported Authentication Methods:
- Swedish Bank ID
- Finnish Trust Network (FTN)
- Suomi.fi (Finland)
- Mobiilivarmenne (Finland)
| Overview | This use case describes how an end-user can change their own password using the password self-reset service in Self-Service. |
| Operators |
End-user Self-Service Core/Pro |
| Prerequisites |
Authentication option is selected and agreed.
In cases where user can change own password outside company's network, the password service needs to be accessible from public network.
Baseline version 2025.1 upwards or configured separately into customers existing Core/Pro solution, which is using connector management (provisioning engine) and secure access component for authentication.
User can be found from the customers directory, and user data has been read to Core/Pro solutions IGA Account data card.
Connector towards the directory has correct privileges to change data into customers directory. |
| Result / outcome | User has successfully changed their own password and can now login with directory credentials. |
| Operating chain |
|
| Problem solving |
|
| Auditing and reporting |
|
| Provisioning |
|
Password Reset for Service Desk Agents
Password reset for Service Desk Agents offers several benefits, especially for IT teams. Here is a summary of the use case, detailed description can be found below the picture.
Password Reset from Ticket (Service Desk Agent)
This use case is for Core/Pro solutions agent users, and it removes the need of accessing the directory in cases where user calls and requests password related activities like password change or unlocks.
| Overview | This use case describes how a Service Desk agent can quickly and easily change a user's password from the ticket created during a phone call, without needing to access the directory. |
| Operators |
End-user Agent Core/Pro |
| Prerequisites |
Baseline version 2025.1 upwards or configured separately into customers existing Core/Pro solution, which is using connector management (provisioning engine) and secure access component for authentication.
User can be found from the customers directory, and user data has been read to Core/Pro solutions IGA Account data card.
Connector towards the directory has correct privileges to change data into customers directory. |
| Result / outcome | After the agent sets a new password for the user, it is automatically provisioned to the directory. The user can then authenticate to company applications and the network, and auditing details are saved. |
| Operating chain |
Scenario:
Steps:
Alternative Action Types:
Finalization:
|
| Problem solving |
Error handling:
|
| Auditing and reporting |
|
Password Reset for IGA Admins
It is not so common that IGA admin would need to change users passwords, but there might me some situations when this is required for exceptional reasoning. Commonly users are allowed to change own password, or they call to Service Desk for assistance.
When IGA admin is required to change user password, same benefits like security, compliance, governance, etc. are applying than when Service Desk Agent changes the password from ticket template (please read benefits from above).
Password Reset for IGA Admins
Accordion Body
| Overview | In this use case are described how IGA admin can quickly and easily change users password from IGA solution, and it is automatically provisioned to the directory. |
| Operators |
End-user IGA admin IGA solution |
| Prerequisites |
Baseline version 2025.1 upwards or configured separately into customers existing Core/Pro solution, which is using connector management (provisioning engine) and secure access component for authentication.
User can be found from the customers directory, and user data has been read to Core/Pro solutions IGA Account data card.
Connector towards the directory has correct privileges to change data into customers directory. |
| Result / outcome | The Admin has set new password for the user, it is automatically changed (provisioned) to the directory, user can authenticate to company applications/network and auditing details are saved. |
| Operating chain |
Alternative Action Types:
Finalization
|
| Problem solving |
|
| Auditing and reporting |
|
Delivery Instructions
Customer Instructions
Defining the password management use cases is straight forward, and it requires both technical and functional information from the customer.
Definition workshop takes around one (1) hours, in cases where password is allowed to be changed towards one (1) directory.
In the definition workshop participants
- Ensures that technical preparations are done and functional preparations are ongoing
- Reviews the use case, and validates that data is up to date (users, mobile phone numbers, email addresses or social security numbers)
- Schedules dates for configuration, testing and production usage start.
Participants:
- Directory/authentication specialist(s)
- M42 solution agent/admin user
Technical preparations:
- Test environment
- Test environment for the M42 solution (including Self-Service, if password self-reset use case)
- Test environment for the directory/directories
- If Active Directory, and no test environment available, also separate test OU in production can be used as test environment. In these cases, it is important that the service accounts are separated, and those have accesses only to correct OU's used for test and production.
- Directory service account:
- One for test and one for production
- Create new service account into the directory or expand rights for the existing one(s)
- Service account need to have rights to change users passwords, unlock passwords, and activate accounts.
- Authentication
- One-Time Password
- All users who are allowed to change their own password from Self-Service need to be found from the M42 solution and they all need to have valid email address or mobile phone number
If any imports, or mass-updates are needed ensure that needed work is included in the delivery scope.
- All users who are allowed to change their own password from Self-Service need to be found from the M42 solution and they all need to have valid email address or mobile phone number
- Bank ID authentication
- All users who are allowed to change their own password from Self-Service need to be found from the M42 solution and they all need to have valid social security number
If any imports, or mass-updates are needed ensure that needed work is included in the delivery scope. - In case of suomi.fi authentication customer needs to have correct permissions from DVV to use the method.
- All users who are allowed to change their own password from Self-Service need to be found from the M42 solution and they all need to have valid social security number
- One-Time Password
Functional preparations:
- Communication towards end-users
- Notice also external users
- Training (videos, guidelines, instructions)
- Governance and auditing requirements
Testing:
- Check chapter: System- and user acceptance testing
Production usage:
- Ensure governance and audit requirements are fulfilled (daily/weekly/monthly/quarterly/yearly reporting) according to company policies
- Review daily that there are no provisioning errors
- If password policy changes, remember to update end-user instructions
- Ensures that users who are no longer allowed to change their password does not have accesses to the service.
- Ensures that mobile phone numbers, email addresses and social security numbers are continuously valid and up to date.
Data Card Flow and Purpose
IGA Account Actions
Is the data card which starts provisioning towards the directories, when IGA admin or Service Desk Agent changes users password or other action type is needed to perform like activate account or unlock account.
| Attribute | Description | Mandatory / optional |
| Status |
Is visible only for saved data cards, and it shows if the request was handled successfully.
|
Mandatory |
| Action type |
|
Mandatory |
| Select user |
List of persons. Automatically fulfilled when the IGA account action data card is generated from the ticket. |
Mandatory |
| Select account | List of users directory accounts | Mandatory |
| New password |
Visible when action type is “change password” Type in new password here, ensure that it matches company's password policy's. |
Mandatory |
| User must change password |
Visible when action type is “change password”
|
Mandatory |
| Password delivered |
Visible when action type is “change password”
|
Optional |
| Re-run provisioning |
Appears if provisioning failed (status closed - provisioning failed)
|
Optional |
| Workflow name | Technical field, shows which workflow was used during the action | Technical |
| Last workflow action | Technical field, shows last action of the workflow, like for example if provisioning was successful | Technical |
| Workflow history | Shows workflow steps | |
| Provisioning exception | Shows error message from the connector |
Ticket
Ticket data card can be used for starting password change for the user by using following attributes
- Quick fill - Option: change password from ticket
- Customer - user whose password is going to be changed
- Transform button “change users password” which opens new IGA Account Actions data card, and copies customer information to the data card
IGA Service Request
Provisioning is started from IGA Service Request when password is changed using self-reset service in Self-Service.
Configuration Instructions
Always remember:
- Configure use cases first into test environment
- Follow up correct instructions according the environment type and the M42 solution
- Password self-reset for new environment
- Password self-reset for existing environment
- Password reset for Service Desk Agents for new environment
- Password reset for Service Desk Agents for existing environment
- Password reset for IGA Admins for new environment
- Password reset for IGA Admins for existing environment
- Perform system and user approval testing in the test environment
- Fix all possible findings and perform re-testing
- Move configuration into production environment
- Validate that configuration is correctly moved to the production environment
Configuration instructions for password self-reset to new environment
These instructions applies when password reset is installed to own separate environment, or it is configured to new environment (baseline version 2025.1 or newer).
- Self-Service
- Validate that change my password service is published (if not publish the service)
- Authentication
- Ping your delivery manager for assistance, if you haven't configured the
- Follow up correct authentication instructions according to selected authentication method
- Core, Professional or IGA solution
- Follow correct configuration instructions for the directory, test the connection.
Configuration instructions for password self-reset for existing environment
- Create new One-Click-Demo (OCD) environment
- Self-Service
- Create a new Self-Service site for password reset service
- Import “change my password” service from (OCD) environment to the customer environment
- Check that MyServices and other settings are same in the OCD and customer environment
- Publish the service
- Authentication
- Create new realm to the Secure Access component
- Ensure that users are directed to Self-Service site where you published the password reset service
- Follow correct Secure Access configuration instructions for the authentication method
- Core and Professional solution
- Most likely customer already has connector towards the directory, so move to next step, but if needed create the new connector, follow correct configuration instructions according to the directory
- Create event-based tasks according to the directory
- For Entra ID: Azure IGA Service request: Verify, Add, Remove
- For AD: AD IGA Service request: Verify, Add, Remove
- For OpenLDAP: OpenLDAP IGA Service request: Verify, Add, Remove
- Validate that attributes, settings and mappings are same in the OCD and customer environment
- Validate that IGA Service Request template contains all needed attributes, handlers and listeners
- Verify that IGA Change Password Workflow uses correct event-based tasks you created
- Publish IGA Change Password Workflow
Configuration instructions for Service Desk Agents for new environment
- Follow correct configuration instructions for the directory, test the connection.
Configuration instructions for Service Desk Agents for existing environment
- Create new One-Click-Demo (OCD) environment where you can export/copy configuration to existing enviroment
- Do following configuration changes into ESM (compare to OCD):
- Ticket -template:
- new attribute: Password reset
- new attribute: Change customer password
- edit class: Ticket description
- attribute order numbers edited
- new transform: IGA Account Actions
- edit attribute: Self-Service item
- “Show in view only”
- edit listener: presave.FAIL changing ticket type to Service Order
- new listener: presave.FAIL resolving without resetting password
- edit worflow: Ticket workflow:
- new workflow selection criteria: Status “equal to” 07 - Resolved.
- Quickfill -template:
- edit attribute: Type:
- add value: Service Order
- new attribute: Quickfill for password reset ticket?
- new attribute: Self-service item
- new datacard: Password reset from Ticket
- edit attribute: Type:
- Self-service item -template:
- new datacard: Manual password reset
- new attribute: Allow manually created requests
- IGA Account Actions -template:
- new attribute: Referring ticket
- Permissions:
- Service Desk Agent -role:
- in Organization -module, IGA Account Actions -template: RCU
- in Organization -module, IGA Account Actions -folder: RCU
- Ticket -template, Password reset -attribute:
- Read -permission
- Ticket -template, Self-Service item -attribute:
- all permissions must be allowed
- Service Desk Agent -role:
- Ticket -template:
- Also, do necessary changes according to chapter “Configuration instructions for IGA Admins for existing environment”
Configuration instructions for IGA Admins for new environment
- Follow correct configuration instructions for the directory, test the connections.
- Validate if there is need to modify IGA Account Actions template or Account Management Action Workflow.
- Validate if there is need to modify permissions for "IGA Account actions" folder.
- Validate IGA Account actions related views:
- All account actions by user
- User's requesting most password reset's (yearly)
- Account actions for disabled accounts
- Account actions done out of office hours
Configuration instructions for IGA Admins for existing environment
- Create new One-Click-Demo (OCD) environment.
- Create needed connections. Follow correct configuration instructions for the directory, test the connection.
- Create needed event-based tasks according to the directory
- Azure IGA Admin Actions: Reset, unlock, activate
- AD IGA Admin Actions: Reset, unlock, activate
- OpenLDAP IGA Admin Actions: Reset, unlock, activate
- Copy IGA Account Actions template and Account Management Action Workflow from OCD to existing environment.
- Create "IGA Account actions" folder to Organization module for "IGA Account Actions" datacards.
- Set correct permissions for "IGA Account actions" folder.
- Created needed IGA Account actions related views:
- All account actions by user
- User's requesting most password reset's (yearly)
- Account actions for disabled accounts
- Account actions done out of office hours
- Verify that Account Management Action Workflow uses tasks you created from orchestration nodes.
- Publish Account Management Action Workflow.
System- and User Acceptance Testing
Testing preparations:
- Testing is done in test environment and against test directory (or test OU)
- Create test users to the directory, and ensure that all needed information is in place
- Ensure that end-users, agents and admins have correct accesses to Self-Service and to the M42 solution.
Testing instructions for end-users:
- Login using one of the test users and follow up the use case steps
- After successful password change, login with the new credentials
- Try testing also setting a password which does not match company policies
- Validate that Self-Service has correct info text's, instructions, logo, colours, service names etc.
- Validate password change requests are visible in my request view
Testing instructions for Service Desk Agent and IGA Admin:
- Login to the Core or Professional solution
- Create a new ticket and follow up the use case steps
- Go to connector settings, disable connection to the directory and try re-testing password change
- Change the settings back, and re-test password change
- Test also other action type scenarios
- Validate that reports, views and dashboards are showing correct information
- Login with the test user and validate that password change was successful
Table of Contents