Microsoft Entra ID (Azure Active Directory) allows companies to configure self-service password reset (SSPR) functionality for users. This AZ-104 self-service password reset guide will provide a comprehensive overview of SSPR in Microsoft Entra ID, and how it is configured and managed.

What does Self-service password reset allow you to do?

In the world of the hybrid workforce, self-service password reset allows users to triage issues with their passwords in a self-service way. Self-Service Password Reset (SSPR) is a feature that empowers users to reset their password without IT intervention.

This reduces the number of help desk calls related to password change and password reset issues for user accounts, saving time and resources. With Microsoft Entra ID’s self-service capabilities, it can be enabled fairly easily and helps with:

  • Reset password processes
  • Password changes
  • Unlocking an account

What about Administrator accounts?

In case you are wondering, the self-service password reset settings you configure apply only to end users in your organization. Administrator accounts are enabled for self-service password reset by default, and an admin user account must use two authentication methods in order to successfully reset its password.

Licensing requirements

Keep in mind there are licensing requirements when it comes to self-service password reset. The following plans support self-service password reset:

  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium
  • Microsoft Entra ID P1 or P2

Microsoft Entra ID Free only supports cloud-only user password change, where a user in Microsoft Entra ID knows their password and wants to change it to something new. To use self-service password reset, you will need to have a paid subscription or a trial license enabled.

Authentication Methods

Microsoft Entra ID supports a variety of authentication methods to serve as the means to validate a user’s identity for password reset purposes.

These include the following:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone
  • Security questions

Organizations must decide which combination of authentication methods to use, in line with their security policies.

How to Enable SSPR in Microsoft Entra ID

To enable the self-service password reset in Microsoft Entra ID, you need to have global administrator privileges.

Log in to your Microsoft Azure portal and navigate to Microsoft Entra ID.

Under Manage select Password reset.

After you click the Password reset link, you will be taken to the Properties page of Password reset. By default, you will see that None is selected for the self-service password reset enabled toggle.

You will notice there are a couple of options in addition to None:

  • Selected – restrict SSPR to a limited group of users
  • All – everyone will have access to SSPR functionality

Make your selection and click the Save button:

Once logged into the Microsoft Entra admin center, navigate to the Authentication methods page under the Password reset section. Here, you can select the authentication methods users require to reset their passwords. This is where the self-service password reset enabled option can be toggled on.

Testing the SSPR functionality

With SSPR configured, you can test the feature. Use a test user from the group you selected, or any non-administrator user if you selected All.

Note:

Always test the self-service password reset with a non-administrator account. Microsoft Entra ID, by default, has SSPR enabled for admin accounts. Admins must use two authentication methods to reset their password. For a deeper understanding, refer to the Administrator reset policy differences section.

  1. Launch a new browser window in InPrivate or incognito mode and navigate to https://aka.ms/ssprsetup to register manually. Microsoft Entra ID will guide users to this registration portal during their subsequent logins
  2. Log in using a non-admin test account and enter your authentication methods and contact details as prompted
  3. After completing the registration, click on the button labeled “Looks good” and then close your browser
  4. Now, initiate a new browser session in InPrivate or incognito mode and head over to https://aka.ms/sspr
  5. Input the details of your non-admin test user, fill in the CAPTCHA, and click “Next”
  6. Provide the necessary user details to proceed with the password reset
  7. Adhere to the verification procedures to change your password. Once done, you’ll get an email confirming the password reset

Monitoring SSPR Activities

Azure AD provides detailed reports that allow administrators to monitor password resets. This ensures that the self-service password reset process is used appropriately and helps identify potential issues. For instance, if a user’s account fails to reset passwords multiple times, it might indicate a need for training or that an attacker is possibly trying to compromise an account.

Under the Activity section of the Password reset dashboard, you will see Audit logs and Usage & insights. Both of these are helpful to monitor SSPR activities.
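
The check described above (repeated failed resets as a possible sign of an attack), as an added example that is not part of the original article: it scans an exported audit log for users with several failed SSPR events in a short window. The records are constructed samples using field names from the Microsoft Graph directoryAudit format, and the threshold and window values are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

SSPR_SERVICE = "Self-service Password Management"
FLOW = "Self-service password reset flow activity progress"
WINDOW = timedelta(minutes=30)  # assumption: tune per environment
THRESHOLD = 3                   # assumption: failures inside WINDOW that raise a flag

# Constructed records shaped like Graph directoryAudit entries (not real tenant data).
def _event(when, activity, result, upn, service=SSPR_SERVICE):
    return {"activityDateTime": when, "activityDisplayName": activity,
            "loggedByService": service, "result": result,
            "targetResources": [{"userPrincipalName": upn}]}

SAMPLE_LOG = json.dumps([
    _event("2024-05-01T09:00:00Z", FLOW, "failure", "alice@contoso.example"),
    _event("2024-05-01T09:04:00Z", FLOW, "failure", "alice@contoso.example"),
    _event("2024-05-01T09:09:00Z", "Blocked from self-service password reset", "failure", "Alice@contoso.example"),
    _event("2024-05-01T09:05:00Z", "Update user", "failure", "alice@contoso.example", service="Core Directory"),
    _event("2024-05-01T10:00:00Z", "Reset password (self-service)", "success", "bob@contoso.example"),
    _event("2024-05-01T08:00:00Z", FLOW, "failure", "carol@contoso.example"),
    _event("2024-05-01T12:00:00Z", FLOW, "failure", "carol@contoso.example"),
    _event("2024-05-01T16:00:00Z", FLOW, "failure", "carol@contoso.example"),
])

def flag_repeated_failures(raw_json, threshold=THRESHOLD, window=WINDOW):
    """Return {upn: peak failure count} for users with >= threshold failed
    SSPR events inside any sliding window of the given length."""
    failures = defaultdict(list)
    for event in json.loads(raw_json):
        if event.get("loggedByService") != SSPR_SERVICE or event.get("result") != "failure":
            continue  # skip other services and successful resets
        when = datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))
        for target in event.get("targetResources", []):
            upn = (target.get("userPrincipalName") or "").lower()  # normalize case
            if upn:
                failures[upn].append(when)
    flagged = {}
    for upn, times in failures.items():
        times.sort()
        start = peak = 0
        for end, current in enumerate(times):
            while current - times[start] > window:
                start += 1  # drop failures that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[upn] = peak
    return flagged
```
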

Troubleshooting and Best Practices

A few issues may come up when users take advantage of the SSPR functionality in Microsoft Entra ID. They might not receive email notifications or forget answers to their security questions. Do the following:

  • Be familiar with common issues and their solutions
  • Regularly update password policies and encourage users to register for SSPR

User Roles and SSPR

Organizations will likely want to configure SSPR differently for different user roles, such as administrator accounts vs non-administrator users. For instance, a global administrator might need to provide additional authentication information compared to a cloud user. Configuring SSPR settings for each user role is essential for security and usability.

Wrapping up

Self-service password reset is an important feature for Azure admins to understand and implement effective password management strategies. As you prepare for the AZ-104 exam, make sure you understand SSPR, its configurations, and best practices, not only for the exam but also in real-world scenarios.
