How to Allow Entra Password Reset in Windows using Intune

Let’s discuss how to allow Entra password reset in Windows using Intune. Allow Entra Password Reset is a setting for Azure Active Directory (AAD), now Microsoft Entra, that enables self-service password reset (SSPR) for users. When this feature is enabled, users can reset their passwords without needing help from an IT administrator, making it easier to regain access to their accounts if they forget their password.

Two critical articles guide IT admins on enabling Self-Service Password Reset (SSPR) using Intune and Entra ID. The first article outlines SSPR options, core components, and server-side configuration for effective password management in Entra. The second article describes enabling SSPR on the Windows login screen via Intune policy, allowing users to reset their passwords directly from the sign-in screen, improving their overall Windows experience.

Entra provides multiple ways to verify a user’s identity before allowing a password reset, ensuring that only authorized users can reset passwords. Verification methods include email, phone, security questions, or multi-factor authentication (MFA).

One of our articles guides admins on setting up the policy and shows end-users how to change or reset their passwords. Azure AD’s self-service password reset (SSPR) covers three main areas: enabling SSPR, licensing requirements, and system setup.

How to Allow Entra Password Reset in Windows using Intune – Fig.1

What is the Purpose of the Allow Entra Password Reset Property?

The Allow Entra Password Reset property determines whether Microsoft Entra accounts (previously Azure Active Directory, AAD) have permission to reset their passwords.

What Format is Used for the Property Value?

The property value format is an integer.

What Access Types are Available for this Property?

The following access types are supported:
1. Add
2. Delete
3. Get
4. Replace

Windows CSP Details – AllowAadPasswordReset

The CSP policy in Windows allows administrators to set various policy configurations on Windows 10 and newer devices through mobile device management (MDM) tools such as Intune. This policy lets administrators manage user access to the self-service password reset (SSPR) feature, allowing it to appear directly on the Windows sign-in screen for Microsoft Entra accounts (previously known as AAD).

Property name | Property value
Format | int
Access Type | Add, Delete, Get, Replace
Default Value | 0
How to Allow Entra Password Reset in Windows using Intune – Table 1
How to Allow Entra Password Reset in Windows using Intune – Fig.2

How to Allow Entra Password Reset in Windows using Intune

This post provides a step-by-step guide on enabling Entra Password Reset in Windows using Intune. Using Intune, Microsoft’s device management solution, administrators can configure settings for self-service password reset so users can manage their passwords easily and securely.

How to Allow Entra Password Reset in Windows using Intune – Fig.3

To create a new Intune profile, choose the Platform as Windows 10 and later. Then, set the Profile type to Settings catalog. Select the Create button from the window below.

How to Allow Entra Password Reset in Windows using Intune – Fig.4

Create a Profile to Allow Entra Password Reset

On the Basics page, enter a name for the configuration profile, such as “Allow Entra Password Reset.” You can also briefly describe it, like “Enable Entra password reset in Windows via Intune.” Once you’re finished, click Next to proceed.

How to Allow Entra Password Reset in Windows using Intune – Fig.5

Configuration Settings

On the Configuration settings tab, select the + Add settings hyperlink. In the Settings Picker window, enter “Authentication” in the search bar to display 10 related settings. From this list, locate and choose Allow Entra Password Reset.

How to Allow Entra Password Reset in Windows using Intune – Fig.6

Specifies whether password reset is enabled for Microsoft Entra accounts. This policy allows the Microsoft Entra tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.

Authentication Settings | Enable or Allow
Allow Entra Password Reset | Toggle the pane to the Right side
How to Allow Entra Password Reset in Windows using Intune – Table 2
How to Allow Entra Password Reset in Windows using Intune – Fig.7

Scope Tag and Assignments

In Intune, the Scope Tag and Assignment tabs are vital when creating or managing configuration profiles. The Assignment tab allows you to specify which groups or devices the configuration profile will apply to.

How to Allow Entra Password Reset in Windows using Intune – Fig.8

The Review + Create tab in Intune is the final step in creating or configuring a profile, policy, or other management settings. It provides a summary of all the settings and configurations you selected during the profile creation process.

How to Allow Entra Password Reset in Windows using Intune – Fig.9

Allow Entra Password Reset Policy Creation Status

After clicking the Create button, a pop-up notification will appear with the message “Policy Entra password reset created successfully.” The screenshot below shows more details.

How to Allow Entra Password Reset in Windows using Intune – Fig.10

Monitor the Device and User Check-in Status

You can see that the Allow Entra Password Reset policy has been created successfully, with 1 instance marked as succeeded. The screenshot below shows more details.

How to Allow Entra Password Reset in Windows using Intune – Fig.11

End User Experience – Client Side Verification – Allow Entra Password Reset Policy

You can check the Event Viewer logs to confirm whether the Allow Entra Password Reset policy is enforced on Windows 10 or 11 devices managed by Intune. Look for Event IDs 813 and 814 to verify that the policy has been applied correctly.

  • Go to Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

MDM PolicyManager: Set policy int, Policy: (AllowAadPasswordReset), Area: (Authentication), EnrollmentID requesting merge: (B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).

How to Allow Entra Password Reset in Windows using Intune – Fig.12
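
The Event Viewer check above can be scripted for use on many devices. The following PowerShell is an added example, not part of the original post: it reads Event IDs 813 and 814 from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log, parses the PolicyManager message format shown above, and reports the most recent AllowAadPasswordReset value. The function names are hypothetical, and treating Int 0x1 as "enabled" is an assumption based on the logged value above and the default of 0 in Table 1.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$Pattern = 'Policy:\s*\((?<Policy>[^)]+)\),\s*Area:\s*\((?<Area>[^)]+)\)' +
           '.*?Int:\s*\((?<Int>0x[0-9A-Fa-f]+)\).*?Scope:\s*\((?<Scope>0x[0-9A-Fa-f]+)\)'

function ConvertFrom-PolicyManagerMessage {   # hypothetical helper name
    param([string]$Message)
    # Event text can wrap across lines; collapse whitespace before matching.
    $flat = $Message -replace '\s+', ' '
    if ($flat -match $Pattern) {
        [pscustomobject]@{
            Policy = $Matches['Policy']
            Area   = $Matches['Area']
            Value  = [Convert]::ToInt32($Matches['Int'], 16)     # 0x1 -> 1
            Scope  = [Convert]::ToInt32($Matches['Scope'], 16)
        }
    }
}

function Get-AadPasswordResetPolicyEvent {    # hypothetical helper name
    # Event IDs 813 and 814 are the ones this article says to look for.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 813, 814 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-PolicyManagerMessage -Message $_.Message
            if ($parsed -and $parsed.Policy -eq 'AllowAadPasswordReset') {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    Area        = $parsed.Area
                    Value       = $parsed.Value
                    Scope       = $parsed.Scope
                }
            }
        }
}

# Parser check against the event text quoted in this article (works without the log).
$sample = 'MDM PolicyManager: Set policy int, Policy: (AllowAadPasswordReset), Area: (Authentication), EnrollmentID requesting merge: (B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).'
ConvertFrom-PolicyManagerMessage -Message $sample | Format-List

# Live check: the newest matching event decides the verdict.
$latest = Get-AadPasswordResetPolicyEvent | Sort-Object TimeCreated -Descending | Select-Object -First 1
if (-not $latest)            { 'No AllowAadPasswordReset event (ID 813/814) found in the Admin log.' }
elseif ($latest.Value -eq 1) { "AllowAadPasswordReset = 1 (enabled), logged $($latest.TimeCreated)." }
else                         { "AllowAadPasswordReset = $($latest.Value) (not enabled), logged $($latest.TimeCreated)." }
```

If no event is found, sync the device from Intune and run the check again before concluding that the profile is not assigned.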


Resources

Authentication Policy CSP | Microsoft Learn

Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is also a Blogger, Speaker, and leader of the Local User Group Community. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
