When you enable Azure AD self-service password reset (SSPR), you allow users to unlock their account or reset passwords. In this article, I will show you how to enable the self service password reset in Azure AD.
Without administrator and helpdesk involvement, you can give users the ability to change or reset their password by enabling Azure Active Directory (Azure AD) self-service password reset.
Usually, when a user account gets locked or when user forgets the password, the helpdesk team is first contacted. How about allowing users
Usually, when a user account gets locked or when user forgets the password, the helpdesk team is first contacted. How about allowing users to unblock their accounts and get back to work.
The self service Azure AD password reset is also referred as SSPR. Reminds me of SSRS, SQL Server Reporting Services.
Account Lockouts and Password Resets – Common IT Issues
One common issue that I have seen in most organizations is account lockouts. In my initial days of my job, I have dealt with more tickets on account lockouts and password resets.
What’s frustrating is when the user’s account is locked, the user cannot log a new ticket. And when there is a password change requested, the users want to repeat their old password, which isn’t allowed.
The account lockouts happen when the user types the wrong password and after 3 attempts, the user simply walks to helpdesk team and reports this issue. More lockouts, more busy will be the day for helpdesk team.
With the self service password reset feature in Azure AD, when a user’s account is locked, or they forget their password, they can follow prompts to unblock themselves and get back to work.
This ability reduces help desk calls and loss of productivity when a user can’t sign in to their device or an application.
Azure AD Self-Service Password Reset Prerequisites
Before you use the self-service password reset in Azure, following are the prerequisites.
- A working Azure AD tenant with at least an Azure AD-free or trial license enabled.
- In the Free tier, self service password reset only works for cloud users in Azure AD.
- Password change is supported in the Free tier, but password reset is not.
- You’ll need an Azure AD Premium P1 or trial license for on-premises password writeback.
- By default, Azure AD enables self-service password reset for admins.
- You need an account with Global Administrator privileges to enable SSPR.
- To test the self service password reset, you would require a non-administrator user with a password.
- You can only enable one Azure AD group for self-service password reset using the Azure portal.
Enable Self-Service Password Reset in Azure AD
Let’s look at the steps to enable the self-service password reset for users in Azure AD. Sign in to the Azure portal using an account with global administrator permissions.
In the Azure portal, search for and select Azure Active Directory, then select Password reset from the menu on the left side.
From the Properties page, under the option Self service password reset enabled, you find 3 options.
- None
- Selected
- All
The setting designates whether users in this directory can reset their password. Choose “Selected” to restrict password reset to a limited group of users.
Select the option Selected. If you have chosen this option, you must select the user groups who get permissions to self reset their passwords.
Under Select group, ensure you add the test users group and test if the password reset works fine.
In the notifications, look for Password reset policy saved. This confirms you have enabled the self service password reset for users in Azure AD.
Select authentication methods in Azure AD
In this section, I will cover about the authentication methods available in Azure AD for users.
When users need to unlock their account or reset their password, they’re prompted for another confirmation method.
You can choose which authentication methods to allow, based on the registration information the user provides.
On the Password Reset window, select Authentication methods page, set the Number of methods required to reset to 1. You can also select 2 methods if you want to make it more secure.
Choose the authentication methods available to users that your organization wants to allow. The following options are available.
- Mobile app notification
- Mobile app code
- Mobile phone
- Office phone
- Security questions
To apply the authentication methods, select Save.
User Registration Options in Azure AD
Before users can unlock their account or reset a password, they must register their contact information.
Azure AD uses this contact information for the different authentication methods set up in the previous steps.
An Azure administrator can manually provide this contact information, or users can go to a registration portal to provide the information themselves.
You can set up Azure AD to prompt the users for registration the next time they sign in.
On the Password Reset window, select Registration page, select Yes for Require users to register when signing in.
Set Number of days before users are asked to reconfirm their authentication information to 180.
The contact information must be up-to-date. The user may not be able to unlock their account or reset their password if the contact information is outdated.
To apply the registration settings, select Save.
Test self-service password reset
Finally, to test the self-service password reset feature, open the browser and visit the URL https://aka.ms/ssprsetup. You must enter the Email or username and enter the captcha. Click Next.
Follow the verification steps to reset your password. When finished, you’ll receive an email notification that your password was reset.
