Self-service password reset FAQ - Azure Active Directory - Microsoft Entra (2023)


The following are some frequently asked questions (FAQ) for all things related to self-service password reset.

If you have a general question about Azure Active Directory (Azure AD) and self-service password reset (SSPR) that's not answered here, you can ask the community for assistance on the . Members of the community include engineers, product managers, MVPs, and fellow IT professionals.

This FAQ is split into the following sections:

  • Questions about password reset registration
  • Questions about password reset
  • Questions about password change
  • Questions about password management reports
  • Questions about password writeback

Password reset registration

Can my users register their own password reset data?

Yes. As long as password reset is enabled and they are licensed, users can go to the password reset registration portal (https://aka.ms/ssprsetup) to register their authentication information. Users can also register through the Access Panel (https://myapps.microsoft.com). To register through the Access Panel, they need to select their profile picture, select Profile, and then select the Register for password reset option.

If you enable combined registration, users can register for both SSPR and Azure AD Multi-Factor Authentication at the same time.

If I enable password reset for a group and then decide to enable it for everyone, are my users required to re-register?

No. Users who have populated authentication data are not required to re-register.

Can I define password reset data on behalf of my users?

Yes, you can do so with Azure AD Connect, PowerShell, the Azure portal, or the Microsoft 365 admin center. For more information, see Data used by Azure AD self-service password reset.

Can I synchronize data for security questions from on-premises?

No, this is not possible today.

Can my users register data in such a way that other users can't see this data?

Yes. When users register data by using the password reset registration portal, the data is saved into private authentication fields that are visible only to global administrators and the user.

Do my users have to be registered before they can use password reset?

No. If you define enough authentication information on their behalf, users don't have to register. Password reset works as long as you have properly formatted the data stored in the appropriate fields in the directory.

Can I synchronize or set the authentication phone, authentication email, or alternate authentication phone fields on behalf of my users?

The fields that a Global Administrator can set on behalf of users are defined in the article SSPR Data requirements.

How does the registration portal determine which options to show my users?

The password reset registration portal shows only the options that you have enabled for your users. These options are found under the User Password Reset Policy section of your directory's Configure tab. For example, if you don't enable security questions, then users are not able to register for that option.


When is a user considered registered?

A user is considered registered for SSPR when they have registered at least the Number of methods required to reset a password that you have set in the Azure portal.

Password reset

Do you prevent users from multiple attempts to reset a password in a short period of time?

Yes, there are security features built into password reset to protect it from misuse.

Users can attempt to validate their information (such as their phone number), but if they're unable to prove their identity five times within a 24-hour period, they're locked out for 24 hours.

Users can try to validate a phone number, auth app, send a SMS, or validate security questions and answers only five times within an hour before they're locked out for 24 hours.

Users can send an email a maximum of 10 times within a 10 minute period before they're locked out for 24 hours.

The counters are reset once a user resets their password.
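To make the lockout rules above concrete, here is an added Python model of those counters. It is this page's example, not Microsoft's code and not the SSPR service's actual implementation. The thresholds (5 failed identity proofs per 24 hours, 5 method validations per hour, 10 e-mails per 10 minutes, a 24-hour lockout, counters cleared on a successful reset) come from the FAQ text; the counter names, the `SsprThrottle` class, and the choice that reaching the limit inside the window is what starts the lockout are assumptions.

```python
from collections import defaultdict, deque

HOUR = 60 * 60
DAY = 24 * HOUR
LOCKOUT = DAY   # every counter in the FAQ locks the user out for 24 hours

# counter name -> (sliding window in seconds, attempts allowed inside it).
# Values are from the FAQ; the counter names are this example's own.
LIMITS = {
    "proof_failure":     (DAY, 5),       # failed identity proofs: 5 per 24 h
    "method_validation": (HOUR, 5),      # phone / auth app / SMS / questions: 5 per hour
    "email_send":        (10 * 60, 10),  # reset e-mails: 10 per 10 minutes
}


class SsprThrottle:
    """Per-user sliding-window counters sharing one lockout timestamp."""

    def __init__(self):
        # user -> counter -> deque of attempt timestamps (seconds)
        self._events = defaultdict(lambda: defaultdict(deque))
        # user -> time until which the user is locked out
        self._locked_until = defaultdict(float)

    def is_locked(self, user, now):
        return now < self._locked_until[user]

    def record(self, user, counter, now):
        """Record one attempt at time `now` (seconds).

        Returns True if the attempt may proceed, False if the user is
        locked out. Assumption: reaching the limit inside the window is
        what starts the 24-hour lockout, so the limit-th attempt is the
        last one that is processed."""
        if self.is_locked(user, now):
            return False
        window, limit = LIMITS[counter]
        q = self._events[user][counter]
        q.append(now)
        while q and q[0] <= now - window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= limit:
            self._locked_until[user] = now + LOCKOUT
        return True

    def reset_succeeded(self, user):
        """FAQ: the counters are reset once the user resets their password."""
        self._events.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    t = SsprThrottle()
    # constructed sample: five SMS validations inside one hour -> locked out
    for minute in range(5):
        t.record("alice@contoso.com", "method_validation", minute * 60)
    print("locked:", t.is_locked("alice@contoso.com", 5 * 60))
```

The windows are sliding rather than fixed calendar buckets, so five attempts spread across more than an hour do not trigger the hourly lockout, while five inside any hour-long span do.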

How long should I wait to receive an email, SMS, or phone call from password reset?

Emails, SMS messages, and phone calls should arrive in under a minute. The normal case is 5 to 20 seconds. If you don't receive the notification in this time frame:

  • Check your junk folder.
  • Check that the number or email being contacted is the one you expect.
  • Check that the authentication data in the directory is correctly formatted, for example, +1 4255551234 or user@contoso.com.

What languages are supported by password reset?

The password reset UI, SMS messages, and voice calls are localized in the same languages that are supported in Microsoft 365.

What parts of the password reset experience get branded when I set the organizational branding items in my directory's configure tab?

The password reset portal shows your organization's logo and allows you to configure the "Contact your administrator" link to point to a custom email or URL. Any email that's sent by password reset includes your organization's logo, colors, and name in the body of the email, and is customized from the settings for that particular name.

How can I educate my users about where to go to reset their passwords?

Try some of the suggestions in our SSPR deployment article.

Can I use this page from a mobile device?

Yes, this page works on mobile devices.


Do you support unlocking local Active Directory accounts when users reset their passwords?

Yes. When a user resets their password, if password writeback has been deployed through Azure AD Connect, that user's account is automatically unlocked when they reset their password.

How can I integrate password reset directly into my user's desktop sign-in experience?

If you're an Azure AD Premium customer, you can install Microsoft Identity Manager at no additional cost and deploy the on-premises password reset solution.

Can I set different security questions for different locales?

No, this is not possible today.

How many questions can I configure for the security questions authentication option?

You can configure up to 20 custom security questions in the Azure portal.

How long can security questions be?

How long can the answers to security questions be?

Answers can be 3 to 40 characters long.

Are duplicate answers to security questions rejected?

Yes, we reject duplicate answers to security questions.

Can a user register the same security question more than once?

No. After a user registers a particular question, they can't register for that question a second time.

Is it possible to set a minimum limit of security questions for registration and reset?

Yes, one limit can be set for registration and another for reset. Three to five security questions can be required for registration, and three to five questions can be required for reset.

I configured my policy to require users to use security questions for reset, but the Azure administrators seem to be configured differently.

This is the expected behavior. Microsoft enforces a strong default two-gate password reset policy for any Azure administrator role. This prevents administrators from using security questions. You can find more information about this policy in the Password policies and restrictions in Azure Active Directory article.


If a user has registered more than the maximum number of questions required to reset, how are the security questions selected during reset?

N security questions are selected at random out of the total number of questions a user has registered, where N is the value set for the Number of questions required to reset option. For example, if a user has registered five security questions but only three are required to reset a password, three of the five questions are randomly selected and presented at reset. To prevent question hammering, if the user gets the answers to the questions wrong, the selection process starts over with a fresh random selection.

How long are the email and SMS one-time passcodes valid?

The session lifetime for password reset is 15 minutes. From the start of the password reset operation, the user has 15 minutes to reset their password. The email and SMS one-time passcode are valid for 5 minutes during the password reset session.
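The random question selection and re-selection after a wrong answer, the 15-minute session and 5-minute passcode windows described above, and the answer-length and duplicate-answer rules from the earlier security-question answers are modelled together in this added Python example. It is this page's own code, not the SSPR service's implementation: storing only a hash of each normalized answer, the `ResetSession` class, its method names, and the constructed sample questions are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SESSION_LIFETIME = 15 * 60       # seconds, from the FAQ
OTP_LIFETIME = 5 * 60            # seconds, from the FAQ
ANSWER_MIN, ANSWER_MAX = 3, 40   # answer length bounds from the FAQ


def _digest(answer: str) -> str:
    # Case- and whitespace-insensitive comparison; only a hash is stored,
    # never the answer itself (design choice of this example)
    return hashlib.sha256(answer.strip().casefold().encode()).hexdigest()


def register_answers(raw: Dict[str, str]) -> Dict[str, str]:
    """Validate registration as the FAQ describes: 3-40 character answers,
    duplicate answers rejected. Returns question -> answer digest."""
    digests = {}
    for question, answer in raw.items():
        if not ANSWER_MIN <= len(answer.strip()) <= ANSWER_MAX:
            raise ValueError(f"answer for {question!r} must be "
                             f"{ANSWER_MIN}-{ANSWER_MAX} characters")
        digests[question] = _digest(answer)
    if len(set(digests.values())) != len(digests):
        raise ValueError("duplicate answers are rejected")
    return digests


@dataclass
class ResetSession:
    registered: Dict[str, str]    # question -> answer digest
    questions_required: int       # the N of the FAQ
    started_at: float             # seconds
    otp: Optional[str] = None
    otp_issued_at: float = 0.0
    selected: List[str] = field(default_factory=list)

    def __post_init__(self):
        # FAQ: three to five questions can be required at reset, and you
        # cannot ask for more than the user has registered
        if not 3 <= self.questions_required <= min(5, len(self.registered)):
            raise ValueError("questions_required out of range")

    def is_alive(self, now: float) -> bool:
        return now - self.started_at < SESSION_LIFETIME

    def issue_otp(self, now: float) -> str:
        if not self.is_alive(now):
            raise TimeoutError("reset session expired")
        self.otp = f"{secrets.randbelow(10**6):06d}"
        self.otp_issued_at = now
        return self.otp

    def verify_otp(self, code: str, now: float) -> bool:
        if self.otp is None or not self.is_alive(now):
            return False
        if now - self.otp_issued_at >= OTP_LIFETIME:
            self.otp = None           # expired passcode is discarded
            return False
        ok = hmac.compare_digest(code, self.otp)
        if ok:
            self.otp = None           # a passcode is single use
        return ok

    def select_questions(self) -> List[str]:
        """Pick N distinct registered questions uniformly at random."""
        pool = list(self.registered)
        self.selected = [pool.pop(secrets.randbelow(len(pool)))
                         for _ in range(self.questions_required)]
        return list(self.selected)

    def verify_answers(self, answers: Dict[str, str], now: float) -> bool:
        """All selected questions must be answered correctly; any failure
        triggers a fresh random selection (the anti-hammering rule)."""
        if not self.selected or not self.is_alive(now):
            return False
        ok = all(q in answers and
                 hmac.compare_digest(_digest(answers[q]), self.registered[q])
                 for q in self.selected)
        if not ok:
            self.select_questions()
        return ok


if __name__ == "__main__":
    # constructed sample registration data
    reg = register_answers({"q1": "Alpha", "q2": "Bravo", "q3": "Charlie",
                            "q4": "Delta", "q5": "Echo"})
    s = ResetSession(reg, questions_required=3, started_at=0.0)
    print("asked:", s.select_questions())
```

Note that a wrong answer set does not reveal which individual answer was wrong, and the whole selection is redrawn, so an attacker cannot confirm answers one question at a time.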

Can I block users from resetting their password?

Yes, if you use a group to enable SSPR, you can remove an individual user from the group that allows users to reset their password. If the user is a Global Administrator they will retain the ability to reset their password and this cannot be disabled.

Password change

Where should my users go to change their passwords?

Users can change their passwords anywhere they see their profile picture or icon, like in the upper-right corner of their Office 365 portal or Access Panel experiences. Users can change their passwords from the Access Panel Profile page. Users can also be asked to change their passwords automatically at the Azure AD sign-in page if their passwords have expired. Finally, users can browse to the Azure AD password change portal directly if they want to change their passwords.

Can my users be notified in the Office portal when their on-premises password expires?

Yes, this is possible today if you use Active Directory Federation Services (AD FS). If you use AD FS, follow the instructions in the Sending password policy claims with AD FS article. If you use password hash synchronization, this is not possible today. We don't sync password policies from on-premises directories, so it's not possible for us to post expiration notifications to cloud experiences. In either case, it's also possible to notify users whose passwords are about to expire through PowerShell.

Can I block users from changing their password?

For cloud-only users, password changes can't be blocked. For on-premises users, you can select the User cannot change password option on the account; the selected users then can't change their password.

Password management reports

How long does it take for data to show up on the password management reports?

Data should appear on the password management reports in 5 to 10 minutes. In some instances, it might take up to an hour to appear.

How can I filter the password management reports?

To filter the password management reports, select the small magnifying glass to the extreme right of the column labels, near the top of the report. If you want to do richer filtering, you can download the report to Excel and create a pivot table.

What is the maximum number of events that are stored in the password management reports?

Up to 75,000 password reset or password reset registration events are stored in the password management reports, spanning back as far as 30 days. We are working to expand this number to include more events.


How far back do the password management reports go?

The password management reports show operations that occurred within the last 30 days. For now, if you need to archive this data, you can download the reports periodically and save them in a separate location.

Is there a maximum number of rows that can appear on the password management reports?

Yes. A maximum of 75,000 rows can appear on either of the password management reports, whether they are shown in the UI or are downloaded.

Is there an API to access the password reset or registration reporting data?

Yes, you can get this info from the Authentication Methods Activity report or the API to get password reset activity. You can also use the audit logs API and filter by SSPR events.

Password writeback

How does password writeback work behind the scenes?

See the article How password writeback works for an explanation of what happens when you enable password writeback and how data flows through the system back into your on-premises environment.

How long does password writeback take to work? Is there a synchronization delay like there is with password hash sync?

Password writeback is instant. It is a synchronous pipeline that works fundamentally differently than password hash synchronization. Password writeback allows users to get real-time feedback about the success of their password reset or change operation. The average time for a successful writeback of a password is under 500 ms.

If my on-premises account is disabled, how is my cloud account and access affected?

If your on-premises ID is disabled, your cloud ID and access will also be disabled at the next sync interval through Azure AD Connect. By default, this sync is every 30 minutes.

If my on-premises account is constrained by an on-premises Active Directory password policy, does SSPR obey this policy when I change my password?

Yes, SSPR relies on and abides by the on-premises Active Directory password policy. This policy includes the typical Active Directory domain password policy, as well as any defined, fine-grained password policies that are targeted to a user.

What types of accounts does password writeback work for?

Password writeback works for user accounts that are synchronized from on-premises Active Directory to Azure AD, including federated, password hash synchronized, and pass-through authentication users.

Does password writeback enforce my domain's password policies?

Yes. Password writeback enforces password age, history, complexity, filters, and any other restriction you might put in place on passwords in your local domain.

Is password writeback secure? How can I be sure I won't get hacked?

Yes, password writeback is secure. To read more about the multiple layers of security implemented by the password writeback service, check out the Password writeback security section in the Password writeback overview article.


Next steps

  • How do I complete a successful rollout of SSPR?
  • Reset or change your password
  • Register for self-service password reset
  • Do you have a licensing question?
  • What data is used by SSPR and what data should you populate for your users?
  • What authentication methods are available to users?
  • What are the policy options with SSPR?
  • What is password writeback and why do I care about it?
  • How do I report on activity in SSPR?
  • What are all of the options in SSPR and what do they mean?
  • I think something is broken. How do I troubleshoot SSPR?

Article information

Author: Corie Satterfield

Last Updated: 12/16/2022
