Is this scenario possible?
If that's not possible, what about this?
The problem we're trying to solve is that because not everyone does the self-registration, they're not able to use the password manager when they need it the most. They end up going to our help desk for a passcode, then they can register, and then they can reset their password.
If we can have it so that PM uses already available information to authenticate, then we can cut out the voluntary self-registration and the help desk call.
Thanks for your time!
I would raise a concern on the suggested scenario: security. PM is not the primary authentication master; it serves as a secondary, secure "back door" for temporary authentication (exposed to the internet) to do very narrow tasks (reset password, unlock) and *deny* the rest.

(a) AD (the primary authentication master) stores the user password with secure one-way encryption in the DC's private, highly protected Windows OS area.

(b) PM stores Q/A one-way encrypted in a regular AD attribute (not protected as highly as (a); same issue as SIDHistory during migration).

Therefore all activity via PM is subject to higher ongoing monitoring (audit/report/alert/notification), and the changes allowed are very limited (password change, unlock).

Your scenario is to store the *unencrypted* password in an unprotected AD attribute, which is similar to writing the password on a piece of paper attached to the computer screen.
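As an added example, not code from this thread or from any particular password manager product: a Python sketch of the storage the reply describes in (b), a one-way salted digest of a security answer that fits in a directory attribute as a single string and can be verified without the plaintext answer ever being stored. The scheme label, iteration count, salt length and answer normalization rules are my assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters (not from the post): PBKDF2-HMAC-SHA256 with a per-answer
# random salt, encoded as one text value per Q/A entry.
SCHEME = "pbkdf2-sha256"
ITERATIONS = 200_000
SALT_LEN = 16


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so casing and stray whitespace do not break verification."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Return a one-way, salted digest string suitable for storing as an attribute value.

    The plaintext answer is not recoverable from the returned string.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_answer(stored: str, candidate: str) -> bool:
    """Check a candidate answer against a stored digest; malformed input verifies as False."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, iterations
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)
```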