What is Self Service Password Reset

In this article we will learn what is self service password reset, how does it work, and how to enable self service password reset in Azure Active Directory (Microsoft Entra ID).

Watch the video

If you want to learn what is self service password, how does it work, and how to enable self service password, please watch this video on our YouTube channel.

What is Self Service Password Reset (SSPR)

Self Service Password Reset (SSPR) is a feature of Azure Active Directory (Microsoft Entra ID), that gives your users the ability to change or reset their passwords without the intervention of an Administrator.

When self service password reset is enabled in your Azure AD tenant, If a user’s account is locked or he has forgot his password or even he wants to change his current password, he can change or reset the password himself. Users will not be contacting the administrators to get their passwords change.

Key benefits of Self Service Password Reset (SSPR)

Let’s talk about key benefits of self service password reset.

1. Self service password reset reduces IT support cost by enabling users to reset their own passwords. It also reduces the cost of time that is lost due to the password change and account lockout.
2. It provides one-time user registration process that allows users to reset their passwords and unblock their accounts from any device or from any location.
3. Self service password reset enables enterprises to access the security and flexibility that a cloud platform provides. Administrators can change settings to accommodate new security requirements and they can roll out these changes to the users without disrupting their sign-in.
4. With the help of Audit logs, we can track the password reset activities. In audit logs we can track how many users are resetting their passwords. Whether password reset was successful or it was failed, and why it was failed. We can also track what are the most common methods that users or admins use to reset their passwords or Is there any suspicious activity going on with password reset.

Prerequisites for Self Service Password Reset

Now let’s talk about the prerequisites for self service password reset.

1. You need Microsoft Entra ID P1 license.
2. Each user who wants to use the features of self service password reset, requires Microsoft Entra ID P1 license.

How does Self Service Password Reset work

Let’s understand the flow of self service password reset or how does self service password reset work in the background.

1. When a user tries to change or reset his password using Self Service Password Reset (SSPR) portal, the first thing that is validated by Azure platform is to check whether SSPR is enabled for this user or not.
2. If Self Service Password Reset (SSPR) is not enabled, the user will be asked to contact his administrator.
3. And if SSPR is enabled, Azure platform will check if the user has set the authentication methods or not.
4. If authentication methods are not set by the user, he will be asked to contact his administrator.
5. And if authentication methods are set, Azure platform will check where are the user passwords managed. Whether these passwords are managed in Azure Active Directory or these are managed in on-premise Active Directory. That means whether the users are directly hosted in Azure Active Directory or your passwords are stored in on-premise Active Directory and you have deployed Azure AD Connect.
6. If passwords are managed in Azure Active Directory, user will be able to change or reset his password.
7. And if passwords are managed in on-premise Active Directory, Azure platform will check if password writeback is enabled in your tenant or not.
8. If password writeback is not enabled in your tenant, user will be asked to contact his administrator.
9. And if password writeback is enabled, user will be able to change or reset his password.

So this is how self service password reset works in the background.

Enable Self Service Password Reset (SSPR)

So now let’s move towards our lab and let me show you how you can set up and configure self service password reset in Azure Active Directory.

To enable self-service password reset, you will go to Azure Active Directory and click Password Reset. Click Properties.

On the properties page you can select if you want to enable Self Service Password Reset (SSPR) for a set of users in your tenant or all the users.

Under Authentication Methods you can select the authentication methods that should be prompted to the users while resetting or changing their passwords. You can select either 1 authentication method or 2 authentication methods. And whatever authentication method you will select here, users will have to set these authentication methods at their end before they reset or change their passwords. For example, if you select Mobile Phone, user will have to provide his mobile number while registering himself for SSPR.

Under Registration page you can select whether users need to register while signing in to the applications. You can either select Yes or No.

And you can also select after how many days the users will have to provide their contact information. By default it is 180 days. But you can modify this value as per your business requirement.

Under notifications you can set if users should receive an email notification when their passwords are changed or when an administrator changes passwords for another administrators they should receive the notifications. So once you have made the changes, click on Save.

Next option is Customization. If users need more help with the SSPR process, you can customize the Contact your administrator link. This link will be displayed on the SSPR registration page.

So once you have made the changes as per your requirement, click Save. So self-service password reset is enabled for your tenant.

Now the next step is, the users for whom we have enabled SSPR they will have to register their contact details. When a user will try to login to any of the application in M365 or Azure, he will be asked to provide his contact details according to the authentication methods selected by the administrator. For example, if administrator has selected mobile phone, the user will have to provide his mobile number.

Users can also access self service password reset portal directly by going to https://aka.ms/ssprsetup.

And once registration is complete, users can either reset or change their password themselves.

So this is how you can set up select service password reset in Azure Active Directory Tenant.

Conclusion

In this blog we learnt what is Self Service Password Reset (SSPR), how Self Service Password Reset works, and how to enable Self Service Password Reset (SSPR).

If you found this article helpful and informative, please share it within your community and do not forget to share your feedback in the comments below. Join us on YouTube for the latest videos on the Cloud technology and join our Newsletter for the early access of the blogs and updates.

Related articles

We welcome you to browse our other articles.
Demystifying Microsoft Intune: The Ultimate Guide
Decoding MDM vs MAM: A Closer Look at Mobile Management Approaches
50+ Exchange Online Mail Flow Interview questions and answers
50+ Microsoft Exchange Server Interview Questions and Answers
Top 40+ Azure Active Directory interview questions and answers
Top 50+ Office 365 Interview questions and answers
Azure AD Multi-Factor Authentication and Security Defaults
Users and Groups in Azure AD
Simple steps to add domain in Azure Active Directory
What is Azure Active Directory

Happy Learning!