Enable Azure Active Directory self-service password reset - Microsoft Entra (2023)


Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password with no administrator or help desk involvement. If Azure AD locks a user's account or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and lost productivity when a user can't sign in to their device or an application. We recommend the video How to enable and configure SSPR in Azure AD. We also have a video for IT administrators on resolving the six most common end-user error messages with SSPR.

Important

This tutorial shows an administrator how to enable self-service password reset. If you're an end user already registered for self-service password reset and need to get back into your account, go to the Microsoft Online password reset page.

If your IT team hasn't enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.

In this tutorial you learn how to:

  • Enable self-service password reset for a group of Azure AD users
  • Set up authentication methods and registration options
  • Test the SSPR process as a user

Video tutorial

You can also follow along in a related video: How to enable and configure SSPR in Azure AD.

Prerequisites

To finish this tutorial, you need the following resources and privileges:

  • A working Azure AD tenant with at least an Azure AD free or trial license enabled. In the Free tier, SSPR only works for cloud users in Azure AD. Password change is supported in the Free tier, but password reset is not.
    • For later tutorials in this series, you'll need an Azure AD Premium P1 or trial license for on-premises password writeback.
    • If needed, create an Azure account for free.
  • An account with Global Administrator or Authentication Policy Administrator privileges.
  • A non-administrator user with a password you know, like testuser. You'll test the end-user SSPR experience using this account in this tutorial.
    • If you need to create a user, see Quickstart: Add new users to Azure Active Directory.
  • A group that the non-administrator user is a member of, like SSPR-Test-Group. You'll enable SSPR for this group in this tutorial.
    • If you need to create a group, see Create a basic group and add members using Azure Active Directory.

Enable self-service password reset

Azure AD lets you enable SSPR for None, Selected, or All users. This granular ability lets you choose a subset of users to test the SSPR registration process and workflow. When you're comfortable with the process and the time is right to communicate the requirements with a broader set of users, you can select a group of users to enable for SSPR. Or, you can enable SSPR for everyone in the Azure AD tenant.


Note

Currently, you can only enable one Azure AD group for SSPR using the Azure portal. As part of a wider deployment of SSPR, Azure AD supports nested groups.

In this tutorial, set up SSPR for a set of users in a test group. Use the SSPR-Test-Group and provide your own Azure AD group as needed:

  1. Sign in to the Azure portal using an account with global administrator or authentication policy administrator permissions.

  2. Search for and select Azure Active Directory, then select Password reset from the menu on the left side.

  3. From the Properties page, under the option Self service password reset enabled, choose Selected.

  4. If your group isn't visible, choose No groups selected, browse for and select your Azure AD group, like SSPR-Test-Group, and then choose Select.

  5. To enable SSPR for the selected users, select Save.

Select authentication methods and registration options

When users need to unlock their account or reset their password, they're prompted for another confirmation method. This extra authentication factor makes sure that Azure AD completes only approved SSPR events. You can choose which authentication methods to allow, based on the registration information the user provides.

  1. From the menu on the left side of the Authentication methods page, set the Number of methods required to reset to 2.


    Requiring two methods rather than one improves security: an attacker who controls a single channel, such as one phone number or one mailbox, can't complete a reset on their own.

  2. Choose the Methods available to users that your organization wants to allow. For this tutorial, check the boxes to enable the following methods:

    • Mobile app notification
    • Mobile app code
    • Email
    • Mobile phone

    You can enable other authentication methods, like Office phone or Security questions, as needed to fit your business requirements.

  3. To apply the authentication methods, select Save.

Before users can unlock their account or reset a password, they must register their contact information. Azure AD uses this contact information for the different authentication methods set up in the previous steps.

An administrator can manually provide this contact information, or users can go to a registration portal to provide the information themselves. In this tutorial, set up Azure AD to prompt the users for registration the next time they sign in.

  1. From the menu on the left side of the Registration page, select Yes for Require users to register when signing in.

  2. Set Number of days before users are asked to reconfirm their authentication information to 180.

    It's important to keep the contact information up to date. If outdated contact information exists when an SSPR event starts, the user may not be able to unlock their account or reset their password.

  3. To apply the registration settings, select Save.
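The SSPR scope you chose in the Enable self-service password reset section and the method policy you just saved only work for users who are both in the enabled group and registered with enough of the allowed methods. The following added example (written for this page, not code from the Microsoft tutorial) evaluates rows shaped like the Microsoft Graph user registration details report (userRegistrationDetails: isSsprEnabled, isSsprRegistered, isAdmin, methodsRegistered) against the policy set above. The rows are constructed sample data, and the mapping from portal method names to report method identifiers, as well as the approximation of the fixed administrator policy, are assumptions to verify in your tenant.

```python
"""SSPR readiness check against a user registration details report.

Added example for this page; not code from the original tutorial. Assumes the
policy configured in the tutorial (two methods required to reset; Mobile app
notification, Mobile app code, Email and Mobile phone enabled) and rows shaped
like the Microsoft Graph userRegistrationDetails report. All sample rows are
constructed.
"""

# Portal method names -> report method identifiers (assumed mapping; verify).
ENABLED_METHODS = {
    "microsoftAuthenticatorPush",  # Mobile app notification
    "softwareOneTimePasscode",     # Mobile app code (TOTP)
    "email",                       # Email
    "mobilePhone",                 # Mobile phone
}
METHODS_REQUIRED_TO_RESET = 2      # "Number of methods required to reset"

# Administrators always need two methods and can never use security questions.
# Their method list is fixed by Azure AD; approximated here as the enabled set
# minus security questions (assumption).
ADMIN_METHODS_REQUIRED = 2
ADMIN_BLOCKED_METHODS = {"securityQuestion"}

# Constructed sample rows (not real tenant data).
SAMPLE_REPORT = [
    {"userPrincipalName": "testuser@contoso.com", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "alice@contoso.com", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": True,
     "methodsRegistered": ["email"]},  # one usable method, two required
    {"userPrincipalName": "bob@contoso.com", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": True,
     # Registered, but only for methods the current policy doesn't allow.
     "methodsRegistered": ["securityQuestion", "officePhone"]},
    {"userPrincipalName": "carol@contoso.com", "isAdmin": False,
     "isSsprEnabled": False, "isSsprRegistered": False,
     "methodsRegistered": []},  # not a member of SSPR-Test-Group
    {"userPrincipalName": "gadmin@contoso.com", "isAdmin": True,
     "isSsprEnabled": True, "isSsprRegistered": True,
     # Security questions don't count for administrators.
     "methodsRegistered": ["securityQuestion", "email"]},
]


def usable_methods(row):
    """Registered methods that the applicable policy lets this user use."""
    usable = set(row["methodsRegistered"]) & ENABLED_METHODS
    if row["isAdmin"]:
        usable -= ADMIN_BLOCKED_METHODS
    return usable


def classify(row):
    """Return (status, usable_count, required_count) for one report row."""
    required = ADMIN_METHODS_REQUIRED if row["isAdmin"] else METHODS_REQUIRED_TO_RESET
    if not row["isSsprEnabled"]:
        return ("not_enabled", 0, required)  # outside the SSPR scope
    usable = usable_methods(row)
    if len(usable) >= required:
        return ("ready", len(usable), required)
    # Registered flag alone is misleading: methods may predate a policy change.
    return ("needs_registration", len(usable), required)


def summarize(rows):
    """Group user principal names by readiness status."""
    out = {"ready": [], "needs_registration": [], "not_enabled": []}
    for row in rows:
        status, _, _ = classify(row)
        out[status].append(row["userPrincipalName"])
    return out


if __name__ == "__main__":
    for row in SAMPLE_REPORT:
        status, have, need = classify(row)
        print(f"{row['userPrincipalName']:<24} {status:<18} {have}/{need} usable methods")
```

The useful signal is the needs_registration bucket: users there show as registered in the report, yet can't complete a reset under the saved policy, which is exactly the situation the reconfirmation interval above is meant to catch.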

Set up notifications and customizations

To keep users informed about account activity, you can set up Azure AD to send email notifications when an SSPR event happens. These notifications can cover both regular user accounts and admin accounts. For admin accounts, this notification provides another layer of awareness when a privileged administrator account password is reset using SSPR. Azure AD will notify all global admins when someone uses SSPR on an admin account.

  1. From the menu on the left side of the Notifications page, set up the following options:


    • Set Notify users on password resets? option to Yes.
    • Set Notify all admins when other admins reset their password? to Yes.
  2. To apply the notification preferences, select Save.
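Email notifications tell people after the fact; for detection you also want the SSPR events that Azure AD writes to the audit log. The following added example (written for this page, not code from the Microsoft tutorial) triages constructed audit records shaped like Microsoft Graph directory audit entries (activityDisplayName, result, initiatedBy, targetResources, activityDateTime). It flags successful self-service resets of accounts you list as administrators, the case the admin notification above covers, and bursts of SSPR activity from one IP address, which the notifications don't cover. The activity names are the ones Azure AD uses for SSPR events, and the administrator list is an assumption; confirm both against your tenant's logs and role assignments.

```python
"""Triage of Azure AD audit-log records for SSPR activity.

Added example for this page; not code from the original tutorial. Assumes
records shaped like Microsoft Graph directoryAudit entries and SSPR activity
names as Azure AD logs them (verify against your tenant). Sample records are
constructed; the ADMIN_UPNS set stands in for your real role assignments.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_UPNS = {"gadmin@contoso.com"}          # assumption: derive from role assignments
SSPR_ACTIVITIES = {
    "Reset password (self-service)",
    "Unlock user account (self-service)",
    "Blocked from self-service password reset",
}
BURST_THRESHOLD = 3                           # events from one IP ...
BURST_WINDOW = timedelta(minutes=10)          # ... within this window


def rec(ts, activity, result, actor, ip, target):
    """Build one constructed audit record in directoryAudit shape."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": ip}},
        "targetResources": [{"userPrincipalName": target}],
    }


# Constructed sample log (not real tenant data).
SAMPLE_AUDIT = [
    rec("2023-02-05T10:00:00Z", "Reset password (self-service)", "success",
        "testuser@contoso.com", "203.0.113.10", "testuser@contoso.com"),
    rec("2023-02-05T10:02:00Z", "Reset password (self-service)", "success",
        "gadmin@contoso.com", "203.0.113.10", "gadmin@contoso.com"),
    rec("2023-02-05T10:05:00Z", "Blocked from self-service password reset", "failure",
        "alice@contoso.com", "198.51.100.7", "alice@contoso.com"),
    rec("2023-02-05T10:06:00Z", "Blocked from self-service password reset", "failure",
        "bob@contoso.com", "198.51.100.7", "bob@contoso.com"),
    rec("2023-02-05T10:07:00Z", "Reset password (self-service)", "failure",
        "carol@contoso.com", "198.51.100.7", "carol@contoso.com"),
    rec("2023-02-05T10:30:00Z", "Reset password (self-service)", "failure",
        "dave@contoso.com", "198.51.100.7", "dave@contoso.com"),  # outside window
]


def parse_ts(value):
    """Graph emits RFC 3339 with a trailing Z; fromisoformat needs an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def target_upn(record):
    return record["targetResources"][0]["userPrincipalName"].lower()


def admin_resets(records):
    """Successful self-service resets whose target is an administrator."""
    hits = []
    for r in records:
        if (r["activityDisplayName"] == "Reset password (self-service)"
                and r["result"] == "success"
                and target_upn(r) in ADMIN_UPNS):
            hits.append((target_upn(r),
                         r["initiatedBy"]["user"]["ipAddress"],
                         r["activityDateTime"]))
    return hits


def bursts(records, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """IPs with at least `threshold` SSPR events inside any `window`."""
    by_ip = defaultdict(list)
    for r in records:
        if r["activityDisplayName"] in SSPR_ACTIVITIES:
            by_ip[r["initiatedBy"]["user"]["ipAddress"]].append(parse_ts(r["activityDateTime"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for upn, ip, ts in admin_resets(SAMPLE_AUDIT):
        print(f"ADMIN RESET  {upn} from {ip} at {ts}")
    for ip, count in bursts(SAMPLE_AUDIT).items():
        print(f"SSPR BURST   {ip}: {count} events within {BURST_WINDOW}")
```

Blocked and failed flows matter as much as successes here: a run of "Blocked from self-service password reset" for different targets from one address is the footprint of someone probing which accounts are SSPR-enabled, and no notification email is sent for it.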

If users need more help with the SSPR process, you can customize the "Contact your administrator" link. The user can select this link during SSPR registration and when they unlock their account or reset their password. To make sure your users get the support they need, we recommend you provide a custom helpdesk email or URL.

  1. From the menu on the left side of the Customization page, set Customize helpdesk link to Yes.
  2. In the Custom helpdesk email or URL field, provide an email address or web page URL where your users can get more help from your organization, like https://support.contoso.com/
  3. To apply the custom link, select Save.

Test self-service password reset

With SSPR enabled and set up, test the SSPR process with a user that's part of the group you selected in the previous section, like SSPR-Test-Group. The following example uses the testuser account. Provide your own user account that's part of the group you enabled for SSPR in the first section of this tutorial.

Note

When you test self-service password reset, use a non-administrator account. By default, Azure AD enables self-service password reset for admins. They're required to use two authentication methods to reset their password. For more information, see Administrator reset policy differences.

  1. To see the manual registration process, open a new browser window in InPrivate or incognito mode, and browse to https://aka.ms/ssprsetup. Azure AD will direct users to this registration portal when they sign in next time.

  2. Sign in with a non-administrator test user, like testuser, and register your authentication methods contact information.

  3. Once finished, select the button marked Looks good and close the browser window.

  4. Open a new browser window in InPrivate or incognito mode, and browse to https://aka.ms/sspr.

  5. Enter your non-administrator test user's account information, like testuser, the characters from the CAPTCHA, and then select Next.

  6. Follow the verification steps to reset your password. When finished, you'll receive an email notification that your password was reset.

Clean up resources

In a later tutorial in this series, you'll set up password writeback. This feature writes password changes from Azure AD SSPR back to an on-premises AD environment. If you want to continue with this tutorial series to set up password writeback, don't disable SSPR now.

If you no longer want to use the SSPR functionality you have set up as part of this tutorial, set the SSPR status to None using the following steps:

  1. Sign in to the Azure portal.
  2. Search for and select Azure Active Directory, then select Password reset from the menu on the left side.
  3. From the Properties page, under the option Self service password reset enabled, select None.
  4. To apply the SSPR change, select Save.

FAQs

This section explains common questions from administrators and end-users who try SSPR:

  • Why do federated users wait up to 2 minutes after they see Your password has been reset before they can use passwords that are synchronized from on-premises?

    For federated users whose passwords are synchronized, the source of authority for the passwords is on-premises. As a result, SSPR updates only the on-premises passwords. Password hash synchronization back to Azure AD is scheduled for every 2 minutes.

  • When a newly created user who is pre-populated with SSPR data such as phone and email visits the SSPR registration page, Don’t lose access to your account! appears as the title of the page. Why don't other users who have SSPR data pre-populated see the message?

    A user who sees Don’t lose access to your account! is a member of SSPR/combined registration groups that are configured for the tenant. Users who don’t see Don’t lose access to your account! were not part of the SSPR/combined registration groups.

  • When some users go through SSPR process and reset their password, why don't they see the password strength indicator?

    Users who don’t see weak/strong password strength have synchronized password writeback enabled. Since SSPR can’t determine the password policy of the customer’s on-premises environment, it cannot validate password strength or weakness.

Next steps

In this tutorial, you enabled Azure AD self-service password reset for a selected group of users. You learned how to:

  • Enable self-service password reset for a group of Azure AD users
  • Set up authentication methods and registration options
  • Test the SSPR process as a user

Enable Azure AD Multi-Factor Authentication

Related FAQs

Should I enable self-service password reset?

We recommend that organizations use the combined registration experience for Azure AD Multi-Factor Authentication and self-service password reset (SSPR). SSPR allows users to reset their password in a secure way using the same methods they use for Azure AD Multi-Factor Authentication.

Which type of Azure AD license allows for self-service password reset in a hybrid scenario with on-premises AD writeback?

Hybrid user password change or reset with on-prem writeback

The on-premises writeback feature requires Azure AD Premium P1, Premium P2, or Microsoft 365 Business Premium.

How does Azure AD self-service password reset work?

Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work.

Which self-service password reset option can force users to configure the answer to security questions?

None of the SSPR options forces security questions on users. Security questions are one of the optional verification methods an administrator can enable, and when they are enabled the administrator sets how many questions a user must register and how many they must answer to reset. Administrator accounts can't use security questions as a verification method with SSPR. When users register for SSPR, they're prompted to choose the authentication methods to use from those the administrator enabled.

Does self-service password reset require MFA?

SSPR doesn't require Azure AD Multi-Factor Authentication to be turned on for the tenant, but it does require the user to prove their identity with the number of registered authentication methods the administrator configures (one or two). With combined registration, those are the same methods the user registers for MFA, so a single registration covers both, and a password reset never falls back to the help desk.

What are the advantages of a self-service password reset management system?

Self-service password reset ensures that password problems are only resolved after adequate user authentication, eliminating an important weakness of many service desks and reducing the chances of social engineering attacks and identity theft.

How do I reset my Azure self-service password?

As an end user, go to https://aka.ms/sspr, enter your account name and the CAPTCHA characters, and complete the verification steps with the methods you registered. SSPR must already have been enabled for your account by an administrator; the steps under Enable self-service password reset above describe how an administrator does that.

What is a prerequisite for self-service password reset writeback in Azure AD Connect?

Prerequisites
  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled. ...
  2. An account with Hybrid Identity Administrator privileges.
  3. Azure AD configured for self-service password reset. ...
  4. An existing on-premises AD DS environment configured with a current version of Azure AD Connect.

How do I reset a user's Azure Active Directory password as an administrator?

To reset a password
  1. Sign in to the Azure portal as a user administrator or password administrator. ...
  2. Select Azure Active Directory, select Users, search for and select the user that needs the reset, and then select Reset Password. ...
  3. In the Reset password page, select Reset password.

How can an administrator turn on self-service password reset from the Microsoft 365 admin center?

Steps: Let people reset their own passwords
  1. In the admin center, go to the Settings > Org settings page.
  2. At the top of the Org settings page, select the Security & Privacy tab.
  3. Select Self-service Password Reset.
  4. Under Self-service password reset, select Go to the Azure portal to turn on self-service password reset.

Which authentication methods can Azure AD users use to reset their password?

For SSPR, the following methods are available: mobile app notification, mobile app code, email, mobile phone, office phone, and security questions. The administrator chooses which of these to enable, and how many (one or two) a user must pass to reset.

What is the supported maximum number of authentication methods required to reset a password through self-service password reset?

Two. The Number of methods required to reset setting accepts 1 or 2. Administrators are always enabled for self-service password reset and are always required to use two authentication methods to reset their password. If registration is required, unregistered users are prompted to register their own authentication information when they sign in for the first time.


What happens if MFA is not enabled?

If you use Microsoft 365 products and you don't have MFA (Multi-Factor Authentication) enabled in your organization yet, you are at heightened risk of user accounts getting compromised.

Is there a way to bypass MFA?

One social engineering technique that is becoming popular is known as "consent phishing". The attacker registers an application and presents the user with a legitimate-looking OAuth consent prompt requesting the permissions they want. If the user grants consent, the application receives tokens for the user's data, so the attacker never has to pass the user's MFA challenge at all.

Should I enable MFA?

Using MFA protects your account more than just using a username and password. Users who enable MFA are significantly less likely to be compromised, according to Microsoft.


What is the benefit of enabling self-service group management?

Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (AD). It also lets group owners assign ownership to other users.

How do I reset a user's Azure AD password?

In the portal: sign in to https://portal.azure.com/ and go to Azure Active Directory -> Users;
  1. Select a user and click Reset Password;
  2. You will receive a notification that a temporary password will be assigned to the user: ...
  3. Azure will generate a new temporary password for the user and show it on the screen;

From PowerShell, the equivalent is the AzureAD module's Set-AzureADUserPassword cmdlet, or Update-MgUser with a PasswordProfile in Microsoft Graph PowerShell.

What is Microsoft Entra?

Microsoft Entra is the new name for the family of identity and access technologies now brought into one place and under one portal. Entra goes beyond traditional identity and access management – it's Microsoft's vision for the future of identity and access.

How do I reset a user's Azure authentication methods?

Using the Azure portal:

Navigate to Azure Active Directory > Users > All users > choose the user you wish to act on > select Authentication methods > Require re-register multifactor authentication. The next time the user signs in, they will be asked to set up a new MFA authentication method.

How do I enable password writeback in Azure AD Connect?

Enable password writeback in the Azure portal
  1. Sign in to the Azure portal using a Global Administrator account.
  2. Search for and select Azure Active Directory, select Password reset, then choose On-premises integration.
  3. Check the option for Write back passwords to your on-premises directory.

How do I enable password hash sync in Azure AD Connect?

The usual way is the Azure AD Connect wizard: open Azure AD Connect, choose Configure > Customize synchronization options, and under Optional features select Password hash synchronization. The steps below enable it from the Synchronization Service and PowerShell instead:
  1. On the computer with Azure AD Connect installed, from the Start menu, open the Azure AD Connect > Synchronization Service.
  2. Select the Connectors tab. ...
  3. Copy and paste the following PowerShell script to the computer with Azure AD Connect installed.


How do you force a password change in on-premises Active Directory?

  1. Start Active Directory Users and Computers.
  2. Right-click the name of the user whose password you want to change, and then click Properties.
  3. Click the Account tab, and then, in the Account Options area, select the User must change password at next logon check box.
  4. Click Apply, and then click OK.

How do I enable self-service account unlock in Azure Active Directory?

In the Properties page, under Self service password reset enabled option, click Select group. Select the Azure AD groups for which the feature has to be enabled and click Select. Click Save to enable self-service password reset and account unlock for the users belonging to the selected groups.


How do I enable self-service application access?

To enable self-service application access to an application, follow the steps below:
  1. Sign in to the Azure portal as a Global Administrator.
  2. Select Azure Active Directory. ...
  3. Select the application from the list. ...
  4. In the left navigation menu, select Self-service.


What are the three main types of authentication factors?

Authentication factors can be classified into three groups: something you know, such as a password or personal identification number (PIN); something you have, such as a token or a bank card; and something you are, which is biometrics such as fingerprints, facial recognition, or iris recognition. SSPR verification methods map onto these factors: a mobile phone or authenticator app is something you have, while security questions are only something you know.


Is self-service password reset a security risk?

Both manual and automated password resets can put systems at risk, since they are attractive targets for social engineering. SSPR reduces that exposure by requiring one or two registered verification methods instead of a help desk agent's judgement, so the strength of the reset depends on the methods you allow and on keeping users' registered contact information current.

What steps must be taken to enable self-service password reset so users can reset their on-premises Active Directory passwords via Office 365?

Enable SSPR in Azure AD for the users (Azure Active Directory > Password reset > Properties, then Selected or All), configure the authentication methods, and then turn on password writeback: under Password reset choose On-premises integration and check Write back passwords to your on-premises directory. Writeback also needs an Azure AD Premium P1 (or P2, or Microsoft 365 Business Premium) license and an Azure AD Connect installation with the password writeback optional feature enabled.

What are the three things to consider for making a strong password?

The key aspects of a strong password are length (the longer the better); a mix of letters (upper and lower case), numbers, and symbols; and no ties to your personal information and no dictionary words.

How often should users be forced to change their passwords?

Current guidance from Microsoft and NIST (SP 800-63B) is not to expire passwords on a fixed schedule, because forced rotation pushes users toward weak, predictable variations. Change a password immediately when there is evidence it has been compromised, and rely on MFA, banned-password lists, and SSPR to make that reset cheap.

What are three things you should avoid when creating passwords?

DON'T use a word contained in English or foreign language dictionaries, spelling lists or commonly digitized texts such as the Bible or an encyclopedia. DON'T use an alphabet sequence (lmnopqrst), a number sequence (12345678) or a keyboard sequence (qwertyuop). DON'T reuse a password across services.

Article information

Author: Barbera Armstrong

Last Updated: 02/05/2023
