Implementing a Self-Service Password Reset
Users will sometimes forget their passwords; to prevent intervention by an Azure AD administrator, a self-service password reset (SSPR) can be implemented. This allows users to click on the Can’t access your account? link on the sign-in page for the portal or Microsoft Cloud service they are trying to access.
This recipe will teach you how to implement SSPR in your environment’s AD tenancy. We will take you through enabling SSPR for a selected scope and review the available settings, then carry out a user registration for SSPR and test its operation to confirm the function is working.
Getting ready
This recipe requires the following:
- A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
- You should sign in with an account that has the Global Administrator role
- Optionally, pre-create an Azure AD Security group called SSPR-Test-Group and add members to test with
How to do it…
This recipe consists of the following task:
- Configuring Self-Service Password Reset
Task – configuring Self-Service Password Reset
Perform the following steps:
- From the Azure portal, go to Azure Active Directory and then click Password under the Manage section from the side menu.
- From Properties, under the Manage section from the side menu, choose Selected under Self-service password reset enabled; review the information in the tooltips on this page by clicking on the i symbol:
Figure 1.19 – Password reset | Properties
- Click on the No groups Selected hyperlink and then browse and select the group to enable SSPR. Then, click Save:
Figure 1.20 – Password reset selected groups
- From Authentication methods, under the Manage section from the side menu, select as required the Number of methods required to reset setting.
- Then, select as required the Methods available to users setting:
Figure 1.21 – Authentication methods
- From Registration, under the Manage section from the side menu, select Yes for Require users to register when signing in?.
- Select the Number of days before users are asked to re-confirm their authentication information setting as required.
- From Notifications, under the Manage section from the side menu, select Notify users on password resets? as required.
- From Notifications, under the Manage section from the side menu, select the Notify users on password resets? and Notify all admins when other admins reset their password? settings as required.
- From Customization, under the Manage section from the side menu, select the Customize helpdesk link? and Custom helpdesk email or URL settings as required.
- Review the settings configured from Administrator Policy in the Manage section from the side menu.
With that, you have configured SSPR. This concludes the hands-on tasks for this recipe.
How it works…
In this recipe, we looked at how we can implement SSPR when users forget their password for a portal or Microsoft Cloud service they are trying to access.
This prevents intervention from an Azure AD administrator, which reduces the burden on these roles and also protects against loss of productivity.
See also
Should you require further information, you can refer to the following Microsoft Learn articles:
- Tutorial: Enable users to unlock their accounts or reset passwords using Azure Active Directory SSPR: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
- Azure Active Directory fundamentals documentation: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals
