
How To Enable Self-Service Password Reset (SSPR) In Azure AD

The ability for end users to reset their own passwords is essential for eliminating administrative overhead, and it is something that should be enabled in just about every organization. With that said, we are going to go over how to enable self-service password reset (SSPR) in Azure AD.

Feel free to navigate to any portion of the article using the table of contents below.

 

Requirements

As mentioned, this is definitely something that should be enabled for just about every organization out there, but there are a few things you should know if you want to implement this for your org. Let's list what you'll need.

  • A Global Administrator. This is needed to modify SSPR settings.
  • An Azure AD P1 or P2 license (for hybrid environments only).

[Screenshot: Azure AD self-service password reset licensing]
 

Enable Self-Service Password Reset for Cloud Only Environments

If you're a cloud-only environment, meaning you don't have any users syncing from on-premises Active Directory, it is pretty simple to enable self-service password reset. Let's cover the steps now.

In Azure Active Directory:

[Screenshot: enable self-service password reset group properties]
 

Enable Self-Service Password Reset for Hybrid Environments

In order to enable self-service password reset for hybrid environments, you'll need to complete the steps above first, because that is the baseline configuration needed to make this work.

Furthermore, if you're syncing on-premises Active Directory users to Azure AD, there is still more to do in the AAD Connect wizard. Let's cover those steps now.

Set up Password Write Back in Azure AD Connect

Log on to your Azure AD Connect server and launch the Azure AD Connect wizard.

  • Once launched, click Configure.
    [Screenshot: AAD Connect Configure]

  • Click on Customize synchronization options, and click Next.
    [Screenshot: AAD Connect Customize Sync options]

  • Enter a Global Administrator or, preferably, a Hybrid Identity Administrator account to connect to Azure AD.
    [Screenshot: AAD Connect to Azure AD]

  • Click Next a few times until you get to Optional Features. Once there, ensure Password writeback is checked.
    [Screenshot: AAD Connect Optional Features for password writeback]

  • Click Next until you reach the Ready to configure screen. Once there, ensure Start the synchronization process when configuration completes is checked and click Configure.
    [Screenshot: AAD Connect Complete Configuration options]

  • Once complete, exit the AAD Connect wizard.
    [Screenshot: AAD Connect Configuration Complete]

Configure SSPR Authentication Methods

Once we've enabled SSPR for the environment we could stop here, but I thought it would be a good idea to take a few more minutes to look over some of the sub-settings that are in the password reset blade.

In order for a user to reset their password, they'll need to provide some form of identity verification. This is essential from a security standpoint, and it prevents another user (or an attacker) from gaining access to the account. In any event, let's take a look at the authentication methods that are required in order to reset a user's password.

[Screenshot: enable self-service password reset authentication method properties]

By default, email and phone are enabled because 2 methods are required, but I also like to add mobile app code because it uses MFA as a verification method. This helps reduce the attack surface for anyone changing their password.

Require Registration for Self-Service Password Reset

In earlier years of SSPR, you were required to register for self-service password reset AND register for MFA. This was kind of a pain point because users had to register for 2 items. Thankfully, the team at Microsoft integrated these, and today we can use combined registration mode for SSPR and MFA. This is great because, as the name suggests, you will only need to register once and that registration will be active for both items.

Furthermore, let's head into the registration blade:

  • Ensure Require users to register when signing in is set to Yes
  • Leave the Number of days before users are asked to re-confirm their authentication information at 180
  • Save the settings if anything was changed

[Screenshot: enable self-service password reset registration]
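Because the policy above only prompts users to register at their next sign-in, it is worth knowing who is still unable to reset their password, either because they never registered or because they registered fewer methods than the policy requires (two, as noted in the authentication methods section). The following is an added example, not code from the original article, that pulls the authentication method registration report with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.Reports module is installed and that the signed-in admin can consent to the `AuditLog.Read.All` scope (the scope used here is an assumption; check your tenant's permission model).

```powershell
# Added example (not from the original article): report users that the SSPR
# policy applies to but who cannot yet reset their own password.
# Assumes: Microsoft.Graph.Reports module installed; AuditLog.Read.All scope
# is sufficient in your tenant (assumption - adjust if consent is refused).
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# One record per user: IsSsprEnabled (policy applies), IsSsprRegistered
# (registered at least one method), IsSsprCapable (registered enough methods
# to satisfy the policy), plus the list of methods registered.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$enabled = $details | Where-Object { $_.IsSsprEnabled }

# Never registered at all - these users will be prompted at next sign-in
$notRegistered = $enabled | Where-Object { -not $_.IsSsprRegistered }

# Registered something, but not enough methods to meet the policy (e.g. only
# one method when two are required) - easy to miss without this check
$notCapable = $enabled | Where-Object { $_.IsSsprRegistered -and -not $_.IsSsprCapable }

function Show-SsprGap {
    param([string]$Title, [object[]]$Users)
    "`n$Title ($($Users.Count) of $($enabled.Count) SSPR-enabled users)"
    $Users |
        Select-Object UserPrincipalName, IsMfaRegistered,
            @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } } |
        Sort-Object UserPrincipalName |
        Format-Table -AutoSize
}

Show-SsprGap -Title 'Not registered for SSPR' -Users $notRegistered
Show-SsprGap -Title 'Registered but below the required number of methods' -Users $notCapable

Disconnect-MgGraph | Out-Null
```

The second list is the one to watch after raising the required number of methods from one to two: those users stay registered as far as the portal is concerned, but will fail a reset until they add another method.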
     

Confirm On-premises Integration

If you're wondering whether password writeback is enabled but don't have access to view the configuration in the Azure AD Connect wizard, that's not a problem, because we can easily check this in the password reset blade.

[Screenshot: SSPR Registration]
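If you do have access to the Azure AD Connect server, the same thing can be confirmed from the ADSync PowerShell module that ships with it, which is also a quick way to verify the Optional Features step from the wizard walkthrough above. The following is an added example, not code from the original article; it assumes the ADSync module is present (it is installed with Azure AD Connect) and that the Azure AD connector follows the default `<tenant>.onmicrosoft.com - AAD` naming, which the script looks up rather than hard-codes.

```powershell
# Added example (not from the original article): confirm password writeback
# on the Azure AD Connect server without opening the wizard.
# Assumes: run elevated on the AAD Connect server; the Azure AD connector
# uses the default "<tenant>.onmicrosoft.com - AAD" name (assumption).
Import-Module ADSync

# Tenant-level feature flags that Azure AD Connect has negotiated with Azure AD
$features = Get-ADSyncAADCompanyFeature
"Tenant feature PasswordWriteBack : $($features.PasswordWriteBack)"

# Connector-level password reset configuration; this is the switch the
# wizard flips when "Password writeback" is ticked under Optional Features
$aadConnector = Get-ADSyncConnector |
    Where-Object { $_.Name -like '* - AAD' } |
    Select-Object -First 1

if (-not $aadConnector) {
    throw 'No Azure AD connector found; check the connector name pattern.'
}

$resetConfig = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
"Connector $($aadConnector.Name) writeback enabled : $($resetConfig.Enabled)"

if (-not $resetConfig.Enabled) {
    Write-Warning 'Password writeback is off on this server. Re-run the wizard, choose Customize synchronization options, and tick Password writeback under Optional Features.'
}

# The sync service must also be running for resets to reach on-premises AD
$svc = Get-Service ADSync
"ADSync service status : $($svc.Status)"
```

Both values should read True (and the service Running) when the portal's On-premises integration section reports writeback as enabled; if the connector value is True but the tenant feature is not, the wizard has been run but the change has not yet been exported to Azure AD, and a full sync cycle is the first thing to check.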

Conclusion

Hopefully this article was able to provide in-depth detail on how to enable self-service password reset (SSPR) in Azure Active Directory. As mentioned, this is something that should be enabled for your organization to help eliminate administrative overhead. Your users will be happy, and you'll be happy because you won't be getting calls to reset a password.

Paul Contreras

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.