The ability for end users to be able to reset their own password is essential for eliminating administrative overhead and is something that should be enabled in just about every organization. With that said, we are going to go over how to enable self-service password reset (SSPR) In Azure AD.
Feel free navigate to any portion of the article using the table of contents below.
Table Of Contents
Requirements
As mentioned, this is definitely something that should be enabled for just about every organization out there, but there are a few things you should know if you want to implement this for your org. Let’s list them out here and what you’ll need.
- A Global Administrator. This is needed to modify SSPR settings
- Azure AD P1 or P2 license (for Hybrid environments only)
Enable Self-Service Password Reset for Cloud Only Environments
If you’re a cloud only environment, meaning you don’t have any users syncing from on-premises Active Directory, it is pretty simple to enable self-service password reset. Let’s cover the steps now.
In Azure Active Directory:
- Navigate to Password Reset
- Under Self-Service password reset enabled, select your choice of All or a specified group
- As a pilot, I’ve selected a group but it is generally recommended to enable it for all users
Enable Self-Service Password Reset for Hybrid Environments
In order to enable self-service password reset for hybrid environments, you’ll need to complete the steps above because that is the baseline configuration needed in order to make this work.
Furthermore, if you’re syncing onprem Active Directory users to Azure AD there is still more to do in the AAD Connect wizard. Let’s cover those steps now.
Set up Password Write Back in Azure AD Connect
Logon to your Azure AD Connect Server and launch the Azure AD Connect wizard.
Configure SSPR Authentication Methods
Once we’ve enabled SSPR for the environment we stop now but I thought it would be a good idea to take a few more minutes to look over some of the sub settings that are in the password reset blade.
In order for a user to reset their password, they’ll need to provide some form of identity verification. This is essential from a security standpoint, and prevents joe user (or a potential hacker) to gain access to your account. In any event, let’s take a look at the authentication methods that are required in order to reset a user’s password.
By default, email and phone are enabled because 2 methods are required but I also like to add mobile app code because it uses MFA as a verification method. This helps reduce the attack surface for anyone changing their password.
Require Registration for Self-Service Password Reset
In the previous years of SSPR, you were required to register for self-service password reset AND register for MFA. This was kind of a pain point because users had to register for 2 items. Thankfully, the team at Microsoft integrated these and today we can use combined registration mode for SSPR and MFA. This is great because as the name suggests, you will only need to register 1 time and that will be active for both items.
Furthermore, let’s head into the registration blade:
Confirm On-premises Integration
If you’re wondering if password writeback is enabled and don’t have access to view the configuration in the Azure AD Connect wizard? That’s not a problem because we can easily check this in the password reset blade.
Conclusion
Hopefully this article was able to provide in-depth detail on how to enable self-service password (SSPR) in Azure Active Directory. As mentioned, this is something that should be enabled for your organization help eliminate administrative overhead. Your users will happy, and you’ll be happy because you won’t be getting calls to reset a password.
