Jim went on a one-week vacation. Upon returning to work, he could not log in to his account because he forgot his password. He tried several times to enter what password he remembered until his account became disabled.
What does Jim do? Call the helpdesk, wait in the queue, verify his identity, wait for his password to be reset, and his account unlocked. I don’t know about you, but that seems to be a lot of waiting for a ridiculously simple request.
What if Office 365 users can reset their password on their own? Yes, they can! When you enable self service password reset and configure password writeback, your users don’t have to call in for password reset and account unlock anymore.
Planning the Azure Active Directory Self Service Password Reset
The SSPR setup is relatively straightforward. But even so, you still need to understand the high-level implementation process.
Depending on the license and subscription of your tenant, the applicable SSPR setup varies. Below is the list of SSPR features and their required licenses.
|SSP Feature||Description||Required Licenses|
|Cloud-only password change||The user can only change the password, not reset it. The old password must be known to perform a password change.||Azure AD Free, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Azure AD Premium P1 or P2|
|Cloud-only password reset||The user can reset the password without providing the old one.||Microsoft 365 Business Standard, Microsoft 365 Business Premium, Azure AD Premium P1 or P2|
|Hybrid user password change (w/ on-prem password writeback)||Synchronized users can reset their passwords online, and the new password synchronizes back to the on-premises AD.||Microsoft 365 Business Premium, Azure AD Premium P1 or P2|
SSPR Setup Modes
There are three modes of SSPR which determines the scope of users who will be affected.
|None||In this state, SSPR is disabled for your tenant.|
|Selected||This state requires you to specify the group whose members will be targeted by the SSPR. You can only select one group as the target, but the group can be nested.|
Choosing this mode is ideal for staged / batch implementation. | | All | This SSPR mode enables Azure Active Directory password reset for all the users in your tenant. |
Enable Self Service Password Reset Office 365
After carefully planning the SSPR setup, let’s now start the implementation.
- First, log in to the Azure AD portal.
- Go to the Azure Active Directory Password Reset blade.
- On the Properties page, you may choose Selected and select a specific security group. But in this example, let’s choose All option to enable SSPR for all users. Click Save to save the SSPR setup.
- In the end, you’ll see the following confirmation, confirming the password reset policy is saved.
Configure Authentication Methods
As a security measure, users must successfully authenticate with Azure AD when resetting their passwords.
- Click Authentication methods.
- Next, choose the Number of methods required to reset a password. This means when a user attempts to reset a password; the user must pass 1 or 2 authentication methods. The default is 1, and we’ll leave it as it is.
- Select the authentication Methods available to users. The default methods are Email and Mobile phone (SMS only).
Note. Mobile app notification is only available as a second authentication method.
In this example, let’s choose Mobile app code, Email, and Mobile phone (SMS only). Lastly, click Save.
Configure SSPR Registration
Next, let’s configure the SSPR registration options.
- Click Registration and choose whether to require users to register their SSPR information. The default selection is Yes, which means that after you enable SSPR, the users will be required to register their authentication methods when they log in.
- The Number of days before users are asked to re-confirm their authentication information value specifies the cadence when they must re-confirm their SSPR authentication methods. The default is 180 days. You may choose to adjust this value or leave it.
Enable SSPR Notifications
On the Notifications page, choose whether users get email notifications when their password is reset. The default option is Yes.
Choose whether to notify admins about other admins resetting their own passwords. The default option is No.
Customize Helpdesk Contact
On the Customization page, you can customize the Helpdesk contact information that users will see in the SSPR.
Click Yes and enter the helpdesk email or webpage URL and click Save.
If your organization is cloud-only, you can stop here, and the implementation part is complete. But if you have an on-premises Active Directory, proceed to the next section to configure password writeback.
Enable Password Writeback Azure AD Connect
Note. This section requires that Azure AD Connect is already installed and configured in your on-premises AD and Azure AD. If you haven’t done so, visit How to Install Azure AD Connect and Configure It.
- Log in to the Azure AD Connect server and launch the Azure AD Connect application.
- Click Configure.
Note that the synchronization is suspended while the Azure AD Connect application is open.
- Next, click Customize synchronization options and Next.
- Enter your Azure AD global admin account username and password and click Next.
- Once on the Optional Features step, check the Password writeback and click Next.
- On the last page, click Configure.
- After the configuration is complete, click Exit.
- Go back to the Azure AD portal → Password Reset → On-premises integration. From here, you can confirm that password writeback is enabled for synced users.
Register User SSPR Information
- The users can set up their SSPR information by logging in to their Office 365 accounts at https://mysignins.microsoft.com/security-info. Once signed in, click the Add sign-in method button.
- Select the preferred authentication method and click Add. In this example, the user chooses the Authenticator app option.
- Follow the prompts to complete the registration.
- Click Next to start setting up your account.
- Open the authenticator application on the user’s mobile, scan the QR code, and click Next.
- The authenticator notification appears on user’s mobile phone, asking to approve the sign-in. Click Approve.
- Once approved, click Next.
- The user sees the authentication method registration status next. Click Done.
Test the Azure Active Directory Self Service Password Reset
Now that the user’s security info is updated let’s test the password reset feature.
- Open a browser and navigate to https://passwordreset.microsoftonline.com/.
- Enter the user’s email address and the captcha characters, and click Next.
- Enter the verification information based on the authentication method on the account and click Next. In this example, the authentication method is the authentication app code.
- Next, specify the new password and click Finish.
- The user’s password has been reset, and they can now log in to the account.
You can significantly improve the user experience when you enable self service password reset in your organization. Users can reset their own passwords as long as your organization has the license that allows this feature.
Moreover, users may not need to connect to the corporate network (direct, VPN, etc.) to reset their passwords in the Active Directory. Instead, they can perform the password reset in their Office 365 accounts, and the password will sync back to Active Directory.