How to Enable Self-Service Password Reset (SSPR) in Office 365?

Jim went on a one-week vacation. Upon returning to work, he could not log in to his account because he forgot his password. He tried the passwords he remembered several times until his account was locked.

What does Jim do? Call the helpdesk, wait in the queue, verify his identity, and wait for his password to be reset and his account to be unlocked. I don’t know about you, but that seems to be a lot of waiting for a ridiculously simple request.

What if Office 365 users can reset their password on their own? Yes, they can! When you enable self-service password reset and configure password writeback, your users no longer have to call the helpdesk for a password reset or an account unlock.

Planning the Azure Active Directory Self Service Password Reset

The SSPR setup is relatively straightforward. But even so, you still need to understand the high-level implementation process.

Licensing Requirements

Depending on the license and subscription of your tenant, the applicable SSPR setup varies. Below is the list of SSPR features and their required licenses.

| SSPR Feature | Description | Required Licenses |
| --- | --- | --- |
| Cloud-only password change | The user can only change the password, not reset it. The old password must be known to perform a password change. | Azure AD Free, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Azure AD Premium P1 or P2 |
| Cloud-only password reset | The user can reset the password without providing the old one. | Microsoft 365 Business Standard, Microsoft 365 Business Premium, Azure AD Premium P1 or P2 |
| Hybrid user password change (w/ on-prem password writeback) | Synchronized users can reset their passwords online, and the new password synchronizes back to the on-premises AD. | Microsoft 365 Business Premium, Azure AD Premium P1 or P2 |

SSPR Setup Modes

There are three SSPR modes, which determine the scope of users who will be affected.

| SSPR Mode | Scope |
| --- | --- |
| None | In this state, SSPR is disabled for your tenant. |
| Selected | This state requires you to specify the group whose members will be targeted by the SSPR. You can only select one group as the target, but the group can be nested. Choosing this mode is ideal for staged / batch implementation. |
| All | This SSPR mode enables Azure Active Directory password reset for all the users in your tenant. |

Enable Self Service Password Reset Office 365

After carefully planning the SSPR setup, let’s now start the implementation.

  1. First, log in to the Azure AD portal.
  2. Go to the Azure Active Directory Password Reset blade.
  3. On the Properties page, you may choose Selected and select a specific security group. But in this example, let’s choose the All option to enable SSPR for all users. Click Save to save the SSPR setup.
  4. A confirmation appears, indicating that the password reset policy is saved.

Configure Authentication Methods

As a security measure, users must successfully authenticate with Azure AD when resetting their passwords.

  1. Click Authentication methods.
  2. Next, choose the Number of methods required to reset a password. This means that when a user attempts to reset a password, the user must pass 1 or 2 authentication methods. The default is 1, and we’ll leave it as it is.
  3. Select the authentication Methods available to users. The default methods are Email and Mobile phone (SMS only).
    Note. Mobile app notification is only available as a second authentication method.
    In this example, let’s choose Mobile app code, Email, and Mobile phone (SMS only). Lastly, click Save.

Configure SSPR Registration

Next, let’s configure the SSPR registration options.

  1. Click Registration and choose whether to require users to register their SSPR information. The default selection is Yes, which means that after you enable SSPR, the users will be required to register their authentication methods when they log in.
  2. The Number of days before users are asked to re-confirm their authentication information value specifies how often users must re-confirm their SSPR authentication methods. The default is 180 days. You may choose to adjust this value or leave it.

Enable SSPR Notifications

On the Notifications page, choose whether users get email notifications when their password is reset. The default option is Yes.

Choose whether to notify admins about other admins resetting their own passwords. The default option is No.

Customize Helpdesk Contact

On the Customization page, you can customize the Helpdesk contact information that users will see in the SSPR.

Click Yes and enter the helpdesk email or webpage URL and click Save.

If your organization is cloud-only, you can stop here, and the implementation part is complete. But if you have an on-premises Active Directory, proceed to the next section to configure password writeback.

Enable Password Writeback Azure AD Connect

Note. This section requires that Azure AD Connect is already installed and configured in your on-premises AD and Azure AD. If you haven’t done so, visit How to Install Azure AD Connect and Configure It.

  1. Log in to the Azure AD Connect server and launch the Azure AD Connect application.
  2. Click Configure.
    Note that the synchronization is suspended while the Azure AD Connect application is open.
  3. Next, click Customize synchronization options, then click Next.
  4. Enter your Azure AD global admin account username and password and click Next.
  5. Once on the Optional Features step, select the Password writeback check box and click Next.
  6. On the last page, click Configure.
  7. After the configuration is complete, click Exit.
  8. Go back to the Azure AD portal → Password Reset → On-premises integration. From here, you can confirm that password writeback is enabled for synced users.

Register User SSPR Information

  1. The users can set up their SSPR information by logging in to their Office 365 accounts at https://mysignins.microsoft.com/security-info. Once signed in, click the Add sign-in method button.
  2. Select the preferred authentication method and click Add. In this example, the user chooses the Authenticator app option.
  3. Follow the prompts to complete the registration.
  4. Click Next to start setting up your account.
  5. Open the authenticator application on the user’s mobile phone, scan the QR code, and click Next.
  6. The authenticator notification appears on the user’s mobile phone, asking to approve the sign-in. Click Approve.
  7. Once approved, click Next.
  8. The user sees the authentication method registration status next. Click Done.
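
SSPR only helps users who have actually registered their security info, so after rollout it is worth checking who is in scope but has nothing usable on file. The PowerShell below is an added example, not part of the original article or Microsoft's own code: it lists users who are in scope but not registered, or who would fall short if the Number of methods required were raised to 2. The function name `Get-SsprRegistrationGap`, the sample users, and the mapping of portal method names to Graph report names are assumptions of this example.

```powershell
# Added example, not from the original article. To run against live data
# (Microsoft.Graph.Reports module, AuditLog.Read.All scope), replace $sample with:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
#   $records = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Assumed mapping of the portal methods chosen above (Mobile app code, Email,
# Mobile phone) to the method names used in the Graph registration report.
$AllowedMethods = 'softwareOneTimePasscode', 'email', 'mobilePhone'

function Get-SsprRegistrationGap {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string[]] $Allowed = $AllowedMethods,
        [int] $RequiredCount = 1      # "Number of methods required to reset"
    )
    foreach ($r in $Records) {
        if (-not $r.IsSsprEnabled) { continue }   # user is outside the SSPR scope
        # Count only the methods the SSPR policy accepts, not every registered one.
        $usable = @($r.MethodsRegistered | Where-Object { $_ -in $Allowed })
        $reason = $null
        if (-not $r.IsSsprRegistered) {
            $reason = 'In scope but not registered'
        } elseif ($usable.Count -lt $RequiredCount) {
            $reason = "Fewer than $RequiredCount allowed method(s)"
        }
        if ($reason) {
            [pscustomobject]@{
                UserPrincipalName = $r.UserPrincipalName
                Reason            = $reason
                UsableMethods     = $usable -join ', '
            }
        }
    }
}

# Constructed sample records shaped like the report's output objects.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'jim@contoso.example'; IsSsprEnabled = $true;  IsSsprRegistered = $false; MethodsRegistered = @() }
    [pscustomobject]@{ UserPrincipalName = 'ana@contoso.example'; IsSsprEnabled = $true;  IsSsprRegistered = $true;  MethodsRegistered = @('mobilePhone') }
    [pscustomobject]@{ UserPrincipalName = 'lee@contoso.example'; IsSsprEnabled = $true;  IsSsprRegistered = $true;  MethodsRegistered = @('email', 'softwareOneTimePasscode') }
    [pscustomobject]@{ UserPrincipalName = 'svc@contoso.example'; IsSsprEnabled = $false; IsSsprRegistered = $false; MethodsRegistered = @() }
)

# Who would be unable to reset if the required number of methods were raised to 2?
Get-SsprRegistrationGap -Records $sample -RequiredCount 2 | Format-Table -AutoSize
```

Running the check before changing the required number of methods from 1 to 2 shows which users need to add a second method first.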

Test the Azure Active Directory Self Service Password Reset

Now that the user’s security info is updated, let’s test the password reset feature.

  1. Open a browser and navigate to https://passwordreset.microsoftonline.com/.
  2. Enter the user’s email address and the captcha characters, and click Next.
  3. Enter the verification information based on the authentication method on the account and click Next. In this example, the authentication method is the authenticator app code.
  4. Next, specify the new password and click Finish.
  5. The user’s password has been reset, and they can now log in to the account.

Conclusion

You can significantly improve the user experience when you enable self service password reset in your organization. Users can reset their own passwords as long as your organization has the license that allows this feature.

Moreover, users may not need to connect to the corporate network (direct, VPN, etc.) to reset their passwords in the Active Directory. Instead, they can perform the password reset in their Office 365 accounts, and the password will sync back to Active Directory.
