The self-service password reset (SSPR) feature in Azure AD lets users change or reset their password without involving an IT admin. Say a user is working from home and suddenly forgets the password of their corporate account: they can reset it themselves and get back to work ASAP, and the whole process does not require a call to the IT team for assistance. This reduces help desk calls and saves users time. In this post I’ll demonstrate how to enable the SSPR feature in Azure AD.
Requirements
- At least an Azure AD Free license; in a hybrid environment you need an Azure AD Premium P1 or trial license for on-premises password writeback.
- An Azure AD account with Global Administrator role.
- An Azure AD user account without admin rights.
- A group with no administrator members.
Enable self-service password reset
1. Access the Azure Portal at https://portal.azure.com, then go to Azure Active Directory.

2. Click “Groups” in the left side menu > create a new security group and give it a meaningful name and description. (In my case, I simply named it SSPR and left the rest of the options untouched.)

3. Go back to Azure Active Directory > click “Password reset” in the left side menu.

4. Choose “Selected” for the “Self service password reset enabled” option > then select your desired group and hit “Select”. (In this tutorial I’ll go with “Selected” for my targeted SSPR group.)

5. Click “Save” to preserve your changes.

6. A notification appears with “Password reset policy saved”.

Choose authentication methods
After you’ve enabled SSPR, the next thing to do is choose the authentication methods for your users. When a user needs to reset the password of their corporate account, they are prompted for a confirmation method. You can choose which authentication methods are allowed and the number of methods required to reset.
7. Under the same “Password reset” blade, click “Authentication methods” > set the “Number of methods required to reset” to 1 > and select which methods you allow for authentication.

Enable registration
Before a user can reset or unlock their account, they must register with one of the authentication methods that you allowed.
8. Under the same blade as in the previous steps > click “Registration” > select “Yes” for “Require users to register when signing in?”. Keep the default value of 180 days for “Number of days before users are asked to reconfirm their authentication information”.

Enable notification
After a user performs a self-service password reset, they should be notified about it. You can enable notifications so that an email is sent when an SSPR event occurs.
9. Still under the same blade as in the previous steps > click “Notifications” > set “Notify user on password resets” to “Yes” and “Notify all admins when other admins reset their password” to “Yes” > click “Save”.

Setup customization (optional)
If your organization has a general help desk or IT portal, you may customize the “Contact your administrator” link to point to your site.
10. In the same blade as before, click “Customization” > select “Yes” for “Customize helpdesk link” > paste your customized helpdesk email or URL under the “Custom helpdesk email or URL” option > click “Save”. (In my case, I kept the default.)

Test your SSPR feature
Once you have completed the SSPR setup, you should test it with one of the users inside the targeted group. In my case I’ll test with a user account that is a member of the group named SSPR.
11. Open the SSPR link https://aka.ms/ssprsetup in Microsoft Edge in InPrivate mode. (Of course, you can use whatever web browser you have.)

12. After you’ve signed in with your credentials, you will be asked to register with the Microsoft Authenticator app. Follow the steps to register, then enter the 6-digit code to verify.





13. You can now perform a password reset.

Note that the “Authentication methods” and “Registration” options apply only to end users in your organization. Admin accounts are always enabled for self-service password reset and are required to use two authentication methods to reset their password. For details of password policies and account restrictions in Azure AD, refer to: Self-service password reset policies – Azure Active Directory | Microsoft Docs
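
To check registration coverage beyond the single test user, here is an added example (not part of the original post) that reads an export of the Microsoft Graph userRegistrationDetails report and lists accounts that are in scope for SSPR but could not reset their password today. The sample records and the contoso.example names are constructed, and counting the entries in methodsRegistered is an assumption used only as a rough proxy for the policy's method rules.

```python
import json

# Constructed sample shaped like Microsoft Graph userRegistrationDetails
# records; the accounts and the contoso.example domain are not real.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": True,
     "methodsRegistered": ["softwareOneTimePasscode"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": False,
     "isSsprEnabled": False, "isSsprRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "root@contoso.example", "isAdmin": True,
     "isSsprEnabled": True, "isSsprRegistered": False,
     "methodsRegistered": ["mobilePhone"]},
])

USER_METHODS_REQUIRED = 1   # "Number of methods required to reset" (step 7)
ADMIN_METHODS_REQUIRED = 2  # admins always need two methods (closing note)


def classify(record):
    """Return (status, methods_missing) for one account record."""
    if not record.get("isSsprEnabled"):
        return "out-of-scope", 0      # not in the group selected in step 4
    if record.get("isSsprRegistered"):
        return "ready", 0             # can self-reset today
    needed = ADMIN_METHODS_REQUIRED if record.get("isAdmin") else USER_METHODS_REQUIRED
    # Assumption: the number of distinct registered methods is a rough proxy
    # for the policy's own counting rules; at least one is always missing here.
    have = len(set(record.get("methodsRegistered") or []))
    return "not-registered", max(needed - have, 1)


def audit(export_json):
    """Group accounts by status: {status: [(upn, methods_missing), ...]}."""
    report = {}
    for record in json.loads(export_json):
        status, missing = classify(record)
        report.setdefault(status, []).append((record["userPrincipalName"], missing))
    return report


if __name__ == "__main__":
    for status, users in sorted(audit(SAMPLE_EXPORT).items()):
        for upn, missing in users:
            print(f"{status:15} {upn} (methods still needed: {missing})")
```

Accounts reported as not-registered are the ones that would still need the help desk after a forgotten password, so they are the ones to follow up with before relying on SSPR.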