Configure self-service password reset

Self-service password reset (SSPR) is a feature in Azure Active Directory (Azure AD) that allows users to change or reset their passwords without the need for administrator intervention. This capability is particularly important for ensuring that users can regain access to their accounts quickly, while also reducing the workload on IT staff.

Prerequisites for SSPR

To configure self-service password reset, certain prerequisites must be met:

• You must have an Azure AD tenant and be an administrator with sufficient permissions (Global Admin or User Administrator).
• Your users must have been synchronized to Azure AD or be cloud-only users.
• You must have Azure AD Premium P1 or P2 licenses, or a Microsoft 365 license for your users to use SSPR.

Configuring SSPR in Azure AD

1. Sign in to the Azure portal
   You must sign in to the Azure portal using an account with the required administrative permissions. Navigate to Azure Active Directory.
2. Go to Password reset settings
   In the Azure Active Directory pane, find the ‘Password Reset’ option from the navigation pane, which typically falls under the ‘Manage’ section.
3. Select Properties
   Here, you can decide who can use the SSPR service. You have several options:
   • All: Allows all users in the Azure AD tenant to use SSPR.
   • Selected: Allows only specified users or groups to use SSPR.
   • None: Disables SSPR for the tenant.

   Choose the appropriate option based on your organizational need.
4. Choose Authentication Methods
   Next, you need to decide on the number of methods required to reset and the methods available to users. The common methods are:
   • Email
   • Mobile phone
   • Office phone
   • Security questions

   You may require one or two methods to be used for password reset. The more methods required, the more secure the reset process.
5. Registration
   Users will need to register their authentication information before they can reset their password. Configure the options under Registration to set how often users are asked to reconfirm their authentication information.
6. Notifications
   You can configure Azure AD to send notifications to users when their password is reset. This helps in alerting users in case of any unauthorized password changes.
7. Customization
   Customization allows you to set a custom helpdesk link for users who need additional assistance.

Testing SSPR

After the SSPR has been configured, it is important to test the functionality to ensure it is working as expected. To test SSPR:

1. Sign-In as a User
   You or another user need to sign in using a non-administrator account to test the reset process.
2. Initiate the Password Reset
   From the sign-in page, click on the “Forgot my password” link and follow the instructions, using the methods that were configured earlier.
3. Complete the Reset
   Upon successful completion of the SSPR process, the new password should allow the user to access their account.

Monitoring SSPR

Azure AD provides detailed reports on SSPR activity:

• Usage and Insights report: Shows usage patterns and insights to assist in monitoring the feature.
• Audit logs: Provide information on each SSPR event for compliance and monitoring purposes.

Both types of reports are available in the Azure AD portal under the ‘Password reset’ section. By analyzing these reports, administrators can monitor how often SSPR is being used and by whom, and also understand if there are any challenges or security issues.

Self-service password reset is a vital capability for organizations looking to empower their users with a streamlined method for managing their passwords. By following the steps above, administrators can configure SSPR and ensure that users can efficiently reset their passwords, which in turn helps to maintain productivity and reduce the burden on IT staff.