Cut the #1 helpdesk ticket in half — without losing control of identity
Let students reset their own passwords from a branded portal you control, with identity verified through the recovery email or phone already on file in your directory. Routed through the same provisioner pipeline you trust for every other AD action.
The Problem
Password resets are the most expensive ticket your team handles
Across higher education, password resets are routinely the single largest category of helpdesk tickets — and they cluster at the worst possible moments: term-start, registration windows, and final exams. Every locked-out student is a missed class, a delayed financial aid form, or a ticket your team handles at 11pm.
Generic SaaS reset tools don't understand how your tenant's directory is actually wired. The result is two parallel reset flows — one for Azure AD users, another for on-prem AD — and a portal that doesn't know which one a given student belongs to. Your team ends up filling the gap manually.
How It Works
Five steps. One pipeline. Full audit.
Every reset runs through the same provisioner that handles your account creates, disables, and group moves — so the audit story stays consistent.
Student visits your portal
They land on accounts.onboardconnect.app/<your-slug>, branded for your institution.
They enter an identifier
Institutional email or student ID — whichever you choose to accept.
OnboardConnect resolves the user
Looked up in the connection you designated — Azure AD or on-prem AD via OnboardConnect Agent.
One-time code is sent
Delivered to the recovery email or SMS already on file — through your own SMTP and Twilio accounts.
New password is dispatched
Validated against your tenant's password policy, then executed through the standard provisioner pipeline.
Every step is captured in a dedicated Reset Log with masked PII, attempt count, IP / country, and the resolved AD command id.
Why OnboardConnect
Built for the way your directory is actually wired
The differentiators that matter when you're the IT director who has to sign off.
Admin-defined routing
You pick which connection executes the reset, by priority. Hybrid Azure AD + on-prem topology? No guessing — the admin decides which directory is authoritative for self-service.
Bring-your-own messaging
Point email at your own SMTP-via-HTTP provider (Mailgun, SendGrid, Resend) and SMS at your own Twilio account. End-users see your domain on the from-line, not ours.
Master kill switch + group exclusions
Disabled by default for every new tenant. Privileged accounts — Domain Admins, IT Staff, anyone in groups you specify — are never offered a self-service flow.
Full audit + pattern alerts
Every attempt logged with the resolved user, masked recovery channel, attempt count, IP / country, and resulting AD command id. Three built-in alerts: repeat resets, failed-verify spikes, and reset-then-privilege-change.
Security & Compliance
Built to pass an IT security review
The controls your security and compliance teams will ask about — already in place.
FERPA-aware retention
Reset log defaults to 1-year retention. Tenant-configurable up to 7 years.
Turnstile-protected entry
Every public entry point is gated by Cloudflare Turnstile — bot-resistant out of the box, no CAPTCHA fatigue.
Rate-limited at the edge
Per-identifier, per-IP, and per-tenant rate limits prevent enumeration and brute-force against the verify step.
Masked PII in logs
Recovery channels are masked in the Reset Log — admins see j***@example.edu and +1•••••••42, never the raw value.
What's in v1
What this is — and what it isn't
We'd rather you know the boundaries up front than discover them in a sales call. Here's exactly what ships in the first release.
Scope of v1
- Password resets only
  Not an MFA-management portal. Students can reset their password, not enroll or rotate MFA factors.
- No username recovery yet
  Forgot-username flow is planned, not shipped. Today, students must know their institutional email or student ID.
- Hybrid AD requires an admin choice
  If you run cloud-only Azure AD without writeback and on-prem AD is authoritative for student accounts, the admin must designate which connection executes resets. We don't guess.
Get Started
Take password resets off your team's plate
We'll walk through your directory topology, show you the admin-routing screen, and have a branded portal pointed at your tenant in under a week.
Included on Growth tier and above. Available as an add-on for Sandbox / trial tenants.