Self-Service Password Reset at Scale
The problem
Password resets are the classic MSP time sink: high volume, low complexity, and every minute an engineer spends on one is a minute not spent on real work. Across a large managed client base, resets meant a help desk call, an identity verification dance, and a manual reset in the right tenant. Multiply by every client, every week.
The approach
Build once, deploy everywhere: a single automation workflow that verifies the requester, resets the credential through Microsoft Graph, and documents the action in the ticketing system, with per-organization configuration handling the differences between clients.
The hard part was not the reset itself. It was the readiness matrix: before any organization could go live, its RMM mapping, tenant consent, and ticketing linkage all had to be verified. A board tracked every organization as READY, EXCLUDED, or NOT READY, and nothing shipped to a client that had not passed every gate.
Build notes
- Workflow platform: Rewst, with per-organization variables controlling behavior per client
- Identity: Microsoft Graph handles the credential operations in each client tenant
- Ticketing: every reset writes back to the service ticket for a full audit trail
- Validation: end-to-end tested against live infrastructure before any client rollout
- Built incrementally with per-step verification, because a workflow platform that silently swallows a failed step will happily build wreckage on top of it
Outcome
Validated end to end across the full organization board: every organization dispositioned as ready or documented as excluded, none left in an unknown state. Resets that took a call and a queue wait now complete in minutes without an engineer touching them.
Lessons
- The automation is 20% of the work. Per-client readiness verification is the other 80%.
- Never trust a green checkmark you did not verify against the platform's actual state.
- An explicit EXCLUDED state beats a silent skip. Every organization needs a disposition.