Tips & Tricks: Pre-Installing Office365 ProPlus & Forcing Password Resets

Pre-Installing Office365 ProPlus

In my job I spend time in developing markets where the internet connection is not guaranteed to be fast or even available at all times. Therefore, being able to deploy larger applications to Windows 10 devices via provisioning packages is a useful technique to reduce the bandwidth requirements down to being a simple AzureAD join request and authentication.

One tool that can assist with this is the Set Up School PC App, available for free in the Microsoft Store and this allows you to easily configure a Windows 10 device with settings and apps as well as joining the device to AzureAD during the setup. One of the most common applications required on education devices is the Office365 Pro Plus suite which usually requires a reasonably fast internet connection to download and install.

However, with an update to the Set Up School PC App last month,  this can now be packaged up into the provisioning package and deployed directly onto the device:


Previously, a Windows 10S version of Office was available via the Set Up School PC App however this update will be useful for all versions of Windows 10.

Forcing Password Resets:

Many schools are still running a hybrid identity platform, meaning they have an on premise Active Directory that is connected to their cloud identity in Azure Active Directory using AzureAD Connect:

Microsoft’s identity solutions span on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.

In some situations, users end up primarily signing into cloud apps e.g. the Office365 Portal and rarely authenticate directly against the on premise Active Directory. Nevertheless, organisations will still want users authenticating against AzureAD to be forced to change their password on the first login.

With a hat tip to Stefan van der Busse who pointed this one out to me, I note there is now a public preview of a service to force password resets in AzureAD on next login.

It is typical to force a user to change their password during their first logon, especially after an admin password reset occurs. It is commonly known as setting a “temporary” password and is completed by checking the “User must change password at next logon” flag on a user object in Active Directory (AD).

The temporary password functionality helps to ensure that the transfer of ownership of the credential is completed on first use, to minimize the duration of time in which more than one individual has knowledge of that credential.

Think of the beginning of the school year / semester when students are first issued a password to access the school environment. That password may have been shared via a printed onboarding document, an email or even verbally shared with the student. In other words, someone else knows the password. Being able to force that reset on the first login, irrespective of whether the student authenticates against an on premise Active Directory, or against the cloud Azure Active Directory, is a good step towards ensuring better password security.

This is also very helpful in scenarios where students bring a BYOD device that is not domain joined – it will allow them to sign into the Office365 Portal and reset their password.

I am always keen to discuss what I've written and hear your ideas so leave a reply here...

%d bloggers like this: