Let’s discuss how to Allow Entra Password Reset in Windows using Intune. Allow Entra Password Reset is a setting in Azure Active Directory (AAD), now called Entra, that enables self-service password reset (SSPR) for users. When this feature is enabled, users can reset their passwords without needing help from an IT administrator, making it easier to regain access to their accounts if they forget their password.
Two critical articles guide IT admins on enabling Self-Service Password Reset (SSPR) using Intune and Entra ID. The first article outlines SSPR options, core components, and server-side configuration for effective password management in Entra. The second article describes enabling SSPR on the Windows login screen via Intune policy, allowing users to reset their passwords directly from the sign-in screen, improving their overall Windows experience.
Entra provides multiple ways to verify a user’s identity before allowing a password reset, ensuring that only authorized users can reset passwords. Verification methods include email, phone, security questions, or multi-factor authentication (MFA).
One of our articles guides admins on setting up the policy and shows end-users how to change or reset their passwords. Azure AD’s self-service password reset (SSPR) covers three main areas: enabling SSPR, licensing requirements, and system setup.
What is the Purpose of the Allow Entra Password Reset Property?
The Allow Entra Password Reset property determines whether Azure Active Directory (AAD) accounts, now called Entra accounts, have permission to reset their passwords.
What Access Types are Available for this Property?
The following access types are supported:
1. Add
2. Delete
3. Get
4. Replace
Windows CSP Details – AllowAadPasswordReset
The CSP policy in Windows allows administrators to set various policy configurations on Windows 10 and newer devices through mobile device management (MDM) tools such as Intune. This policy lets administrators manage user access to the self-service password reset (SSPR) feature, allowing it to appear directly on the Windows sign-in screen for Microsoft Entra accounts (previously known as AAD).
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
How to Allow Entra Password Reset in Windows using Intune
This post provides a step-by-step guide on enabling Entra Password Reset in Windows using Intune. Using Intune, Microsoft’s device management solution, administrators can configure settings for self-service password reset so users can manage their passwords easily and securely.
- Go to the Intune Admin Center portal
- Go to Devices > Windows > Configuration > Create > New Policy
To create a new Intune profile, choose the Platform as Windows 10 and later. Then, set the Profile type to Settings catalog. Select the Create button from the window below.
Create a Profile to Allow Entra Password Reset
On the Basics page, enter a name for the configuration profile, such as “Allow Entra Password Reset.” You can also briefly describe it, like “Enable Entra password reset in Windows via Intune.” Once you’re finished, click Next to proceed.
Configuration Settings
On the Configuration settings tab, select the + Add settings hyperlink. In the Settings Picker window, enter “Authentication” in the search bar to display 10 related settings. From this list, locate and choose Allow Entra Password Reset.
Specifies whether password reset is enabled for Microsoft Entra accounts. This policy allows the Microsoft Entra tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
Authentication Settings | Enable or Allow |
---|---|
Allow Entra Password Reset | Toggle the pane to the Right side |
Scope Tag and Assignments
In Intune, the Scope Tag and Assignment tabs are vital when creating or managing configuration profiles. The Assignment tab allows you to specify which groups or devices the configuration profile will apply to.
The Review + Create tab in Intune is the final step in creating or configuring a profile, policy, or other management settings. It provides a summary of all the settings and configurations you selected during the profile creation process.
Allow Entra Password Reset Policy Creation Status
After clicking the Create button, a pop-up notification will appear with the message “Policy Entra password reset created successfully.” The screenshot below shows more details.
Monitor the Device and User Check-in Status
You can see that the Allow Entra Password Reset policy has been created successfully, with 1 instance marked as succeeded. The screenshot below shows more details.
End User Experience – Client Side Verification – Allow Entra Password Reset Policy
You can check the Event Viewer logs to confirm if the Allow Entra Password Reset policy is enforced on Windows 10 or 11 devices managed by Intune. Look for Event IDs 813 and 814 to verify that the policy has been applied correctly.
- Go to Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
MDM PolicyManager: Set policy int, Policy: (AllowAadPasswordReset), Area: (Authentication),
EnrollmentID requesting merge: (B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User: (Device), Int:
(0x1), Enrollment Type: (0x6), Scope: (0x0).
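The Event Viewer check above can be scripted so it can be repeated across devices. The following PowerShell is an added example, not code from the original post: the function names are hypothetical, and it assumes the event message format shown above and that a value of 1 means the policy is enabled (0 is the default).

```powershell
# Added example (not from the original post). Function names are hypothetical.
function ConvertFrom-MdmPolicyEvent {
    param([Parameter(Mandatory)][string]$Message)

    # The event text wraps across lines; collapse whitespace before matching.
    $flat = ($Message -replace '\s+', ' ').Trim()
    $pattern = 'Set policy int, Policy: \((?<Policy>[^)]+)\), Area: \((?<Area>[^)]+)\),' +
               '.*?Current User: \((?<User>[^)]+)\), Int: \((?<Value>0x[0-9A-Fa-f]+)\)'
    if (-not ($flat -match $pattern)) { return $null }   # not a "Set policy int" event

    [pscustomobject]@{
        Policy = $Matches['Policy']
        Area   = $Matches['Area']
        User   = $Matches['User']
        Value  = [Convert]::ToInt32($Matches['Value'], 16)   # "0x1" -> 1
    }
}

function Get-AadPasswordResetPolicyState {
    # Same log the post opens in Event Viewer, filtered to Event IDs 813 and 814.
    $filter = @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 813, 814
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {   # Get-WinEvent returns newest events first
        $p = ConvertFrom-MdmPolicyEvent -Message $e.Message
        if ($p -and $p.Policy -eq 'AllowAadPasswordReset' -and $p.Area -eq 'Authentication') {
            return [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Scope       = $p.User
                Enabled     = ($p.Value -eq 1)   # assumption: 1 = allowed, 0 = default
            }
        }
    }
    return $null   # no matching event: the policy has not reached this device
}

# The event text shown in the post, embedded so the parser can be tried offline.
$sample = @'
MDM PolicyManager: Set policy int, Policy: (AllowAadPasswordReset), Area: (Authentication),
EnrollmentID requesting merge: (B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User: (Device), Int:
(0x1), Enrollment Type: (0x6), Scope: (0x0).
'@
ConvertFrom-MdmPolicyEvent -Message $sample   # Policy, Area, User and Value = 1
Get-AadPasswordResetPolicyState               # latest state recorded on this device
```

A `$null` result from `Get-AadPasswordResetPolicyState` means no matching event was logged, so treat the device as not yet having received the policy rather than as having it disabled.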
Resources
Authentication Policy CSP | Microsoft Learn
Author
Anoop C Nair has been a Microsoft MVP from 2015 onwards, for 10 consecutive years. He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and leader of the Local User Group Community. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.