Hi folks,
I’m trying to implement a feature I can’t find native to the Epicor client – user managed password recovery – or more specifically a way to allow a user to request a password reset.
My intent is to add a feature on our Intranet that would allow a user to have a new temp password emailed to them – done via the REST API.
Has anyone done this before or know what endpoint I would use for this?
Thanks!
Many utilize Azure AD to get this capability out of the box - especially cloud users. There are far more security controls at your disposal over passwords in ERP like multi-factor authentication, location-based rules, and device health metrics. Phishing is more difficult with modern token authentication over the single factor password.
I also find the users prefer to have one less password to remember. 
That would be great… if it was executed well.
Having to go around 100 desktops and change Epicor client XML config files every time there was a cloud update was a deal breaker.
Unless they figure out a better solution that’s not an option.
I think the cloud team would help with this one. When you enable Azure AD (maybe IdP as well), the config file will be updated and pushed to your clients.
Of course, browser will eliminate this too…
100% … Really looking forward to the browser implementation getting fully fleshed out
We went down a path in this thread that is divergent from the OP.
So that question still remains if anyone has insight there, that’d be helpful. 
Thinking out loud, if I were to do it, I would trace the call. The next problem is that every user will not have access to Ice.BO.UserFileSvc, as it should be limited to Security Managers. So I imagine a service on your Intranet that does the call on behalf of the user but in the security context of an integration account with access to that method (Ice.BO.UserFile.ResetPassword).
There could be shenanigans allowing people to reset other users’ passwords, though, unless you checked their login ID and matched it with one in the UserFile.
Is that really a thing? When I was talking to the Epicor implementor/support person about setting this up in testing initially (last year), that option was not available. It was communicated that this was the current state of things, a downside that comes with SSO. Maybe that’s an option now… as of?
We were a beta tester for AAD on 10.2.400(?) and they said that when we pulled the trigger they would update the Azure information and the binding entry. That’s changed a little in 2022 with the removal of NET.tcp but not sure why they stopped doing that. They need to enable AAD in your app server too. 
Separately, our IT guy can push a .config in group policy to do a mass update. Might be another option for you.