How To Enable Azure AD Self-Service Password Reset (SSPR)

When you enable Azure AD self-service password reset (SSPR), you allow users to unlock their account or reset passwords. In this article, I will show you how to enable the self service password reset in Azure AD.

Without administrator and helpdesk involvement, you can give users the ability to change or reset their password by enabling Azure Active Directory (Azure AD) self-service password reset.

Usually, when a user account gets locked or when a user forgets the password, the helpdesk team is contacted first. How about allowing users to unblock their accounts themselves and get back to work?

The self-service Azure AD password reset is also referred to as SSPR. Reminds me of SSRS, SQL Server Reporting Services.

Account Lockouts and Password Resets – Common IT Issues

One common issue that I have seen in most organizations is account lockouts. In the initial days of my job, I dealt with more tickets on account lockouts and password resets.

What’s frustrating is when the user’s account is locked, the user cannot log a new ticket. And when there is a password change requested, the users want to repeat their old password, which isn’t allowed.

Account lockouts happen when the user types the wrong password, and after 3 attempts the user simply walks to the helpdesk team and reports the issue. The more lockouts there are, the busier the day for the helpdesk team.

With the self service password reset feature in Azure AD, when a user’s account is locked, or they forget their password, they can follow prompts to unblock themselves and get back to work.

This ability reduces help desk calls and loss of productivity when a user can’t sign in to their device or an application.

Azure AD Self-Service Password Reset Prerequisites

Before you use self-service password reset in Azure, the following are the prerequisites.

  • A working Azure AD tenant with at least an Azure AD Free or trial license enabled.
  • In the Free tier, self service password reset only works for cloud users in Azure AD.
  • Password change is supported in the Free tier, but password reset is not.
  • You’ll need an Azure AD Premium P1 or trial license for on-premises password writeback.
  • By default, Azure AD enables self-service password reset for admins.
  • You need an account with Global Administrator privileges to enable SSPR.
  • To test the self service password reset, you would require a non-administrator user with a password.
  • You can only enable one Azure AD group for self-service password reset using the Azure portal.

Enable Self-Service Password Reset in Azure AD

Let’s look at the steps to enable the self-service password reset for users in Azure AD. Sign in to the Azure portal using an account with global administrator permissions.

In the Azure portal, search for and select Azure Active Directory, then select Password reset from the menu on the left side.

From the Properties page, under the option Self service password reset enabled, you find 3 options.

  1. None
  2. Selected
  3. All

The setting designates whether users in this directory can reset their password. Choose “Selected” to restrict password reset to a limited group of users.

Select the option Selected. If you have chosen this option, you must select the user groups who get permissions to self reset their passwords.

Under Select group, ensure you add the test users group and test if the password reset works fine.

In the notifications, look for Password reset policy saved. This confirms you have enabled the self service password reset for users in Azure AD.

Select authentication methods in Azure AD

In this section, I will cover the authentication methods available in Azure AD for users.

When users need to unlock their account or reset their password, they’re prompted for another confirmation method.

You can choose which authentication methods to allow, based on the registration information the user provides.

On the Password Reset window, select the Authentication methods page and set the Number of methods required to reset to 1. You can also select 2 methods if you want to make it more secure.

Choose the authentication methods available to users that your organization wants to allow. The following options are available.

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone
  • Security questions

To apply the authentication methods, select Save.

User Registration Options in Azure AD

Before users can unlock their account or reset a password, they must register their contact information.

Azure AD uses this contact information for the different authentication methods set up in the previous steps.

An Azure administrator can manually provide this contact information, or users can go to a registration portal to provide the information themselves.

You can set up Azure AD to prompt the users for registration the next time they sign in.

On the Password Reset window, select the Registration page, then select Yes for Require users to register when signing in.

Set Number of days before users are asked to reconfirm their authentication information to 180.

The contact information must be up-to-date. The user may not be able to unlock their account or reset their password if the contact information is outdated.

To apply the registration settings, select Save.
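
To check that the users in the selected group can actually use the policy configured above, the following added example (not part of the original article) compares each user's registered methods with the allowed authentication methods and the Number of methods required to reset. It assumes a JSON export shaped like Microsoft Graph userRegistrationDetails records; the sample users, the audit_sspr function and the portal-to-Graph method name mapping are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph userRegistrationDetails
# records; the users and their values are made up for this example.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": True, "methodsRegistered": ["email", "mobilePhone"]},
    {"userPrincipalName": "bob@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": True, "methodsRegistered": ["securityQuestion", "email"]},
    {"userPrincipalName": "dave@contoso.example", "isSsprEnabled": False,
     "isSsprRegistered": False, "methodsRegistered": ["mobilePhone"]},
])

# Portal method name -> methodsRegistered value (assumed mapping).
PORTAL_TO_GRAPH = {
    "Mobile app notification": "microsoftAuthenticatorPush",
    "Mobile app code": "softwareOneTimePasscode",
    "Email": "email",
    "Mobile phone": "mobilePhone",
    "Office phone": "officePhone",
    "Security questions": "securityQuestion",
}


def audit_sspr(export_json, allowed_portal_methods, methods_required):
    """Return {userPrincipalName: status} for every record in the export."""
    allowed = {PORTAL_TO_GRAPH[name] for name in allowed_portal_methods}
    findings = {}
    for rec in json.loads(export_json):
        upn = rec["userPrincipalName"]
        if not rec.get("isSsprEnabled", False):
            findings[upn] = "not in SSPR scope"  # outside the selected group
            continue
        # Only methods the policy allows count towards the requirement.
        usable = allowed & set(rec.get("methodsRegistered", []))
        if not rec.get("isSsprRegistered", False) or not usable:
            findings[upn] = "enabled but not registered"
        elif len(usable) < methods_required:
            findings[upn] = f"has {len(usable)} of {methods_required} required methods"
        else:
            findings[upn] = "ready"
    return findings


if __name__ == "__main__":
    for upn, status in audit_sspr(SAMPLE_EXPORT, ["Email", "Mobile phone"], 2).items():
        print(f"{upn}: {status}")
```

Users reported as "enabled but not registered" or short of the required number of methods will not be able to complete a reset until they register.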

Test self-service password reset

Finally, to test the self-service password reset feature, open the browser and visit the URL https://aka.ms/ssprsetup. You must enter the Email or username and enter the captcha. Click Next.

Follow the verification steps to reset your password. When finished, you’ll receive an email notification that your password was reset.
