Azure AD SSPR Self Service Password Reset Guide

Hi All, let’s learn Azure AD SSPR (Self-Service Password Reset). This post explains the AAD Self-Service Password Reset options, how SSPR is enabled from the server side, and what the SSPR core components are. You can easily set up and configure Azure AD SSPR for your organization.

This article helps admins configure the policy and shows end users how to change or reset their passwords. Azure AD self-service password reset involves 3 main points: enabling AAD SSPR, licensing requirements, and architecture. Users can enroll in SSPR and reset their passwords using the self-service portal, reducing the burden on IT administrators and improving user productivity.

Azure Active Directory (Azure AD) Self-Service Password Reset (SSPR) empowers users to change or reset their passwords without needing administrator intervention or assistance from the help desk. This self-service feature puts the control in the hands of users, allowing them to manage their passwords conveniently and efficiently.

By utilizing SSPR, users can independently reset their passwords using various authentication methods, ensuring the security and confidentiality of their accounts. This eliminates the traditional reliance on IT administrators or help desk personnel, freeing up their time and resources for more critical tasks. With SSPR, users can regain access to their accounts swiftly, minimizing disruptions and promoting productivity.


What is Azure AD Self-Service Password Reset (SSPR)?


Azure Active Directory SSPR allows users to change or reset passwords without administrator or help desk involvement. This feature helps the organization reduce costs and provides a self-service experience for the end users.

What are the Prerequisites and Licenses for Azure AD SSPR?


To enable the policy in Azure AD, you need Global Administrator or Authentication Policy Administrator privileges. End users must have access to the Microsoft Online Password Reset URLs. Licensing is another important requirement; it includes the following.

1. Azure AD Premium P1 or P2
2. EMS Licenses
3. Microsoft 365 Enterprise or Business

Video – Azure AD SSPR Self-Service Password Reset Guide

In this video, let’s discuss Azure AD SSPR Self-Service Password Reset Guide. Configuring and enabling self-service password reset (SSPR) is a straightforward process that allows users to reset their lost or forgotten passwords effortlessly.

Azure AD SSPR Self Service Password Reset Guide – Video. 1

Azure AD SSPR Self-Service Password Reset

With self-service password reset enabled, users no longer rely on administrators or help desk personnel to handle password-related issues. Instead, they can take control of their password management, saving time and resources for both users and IT support teams.

Password Management – Self-Service Portal – AAD SSPR Workflow

Let’s talk about the core store, as shown in the below window. It provides localization of the content of the website depending on the language. It is the high-level architecture that Microsoft provided, including the following steps.

Steps for Password Management Self-Service Portal

  1. Send request for self-service password reset
  2. Reads SSPR configuration
  3. Authenticate / authorize request per policy
  4. Send new password
  5. Cloud password protection
  6. Writeback agent picks up the request to change
  7. DC evaluates on-prem password policy
  8. Agents reset the password in AD

Azure AD SSPR Self Service Password Reset Guide – Table. 1
Azure AD SSPR Self Service Password Reset Guide – fig.1

Password Management – On-Premises Protection – AAD SSPR Workflow

The screenshot below shows password management on-premises protection, and the list gives the 7 steps for the on-premises Azure Active Directory. This is the flow chart of Self-Service Password Reset.

  • Send request for policy download.
  • Send a response to the proxy service
  • Read policy from sysvol
  • The user initiates password change/reset
  • Send request for password reset/change
  • DC Agent processes password policy
  • DC Agent returns result: pass/fail
Azure AD SSPR Self Service Password Reset Guide – fig.2

How to Enable Self-Service Password Reset – Policy Config from Entra Portal

The screenshot below shows the Azure AD portal (Microsoft Entra admin center) configuration. In the Microsoft Entra admin center, expand the Protect and Secure tab and select the Password reset option. This opens the password reset properties page.

  • Log in to the Entra portal https://entra.microsoft.com/#home
  • Navigate to the Protect & Secure -> Password Reset node.
  • Self-service password reset enabled shows 3 options
    • None: SSPR is not enabled
    • Selected: enabled for selected users
    • All: enabled for all users
  • Here we choose the Selected option and add an Azure AD user group containing the selected users.
  • Click on the SAVE button to continue.
Azure AD SSPR Self Service Password Reset Guide – fig.3

After you choose the Selected option, the default password reset policy window shown below appears. It lets you search for and select a group. You can remove the selected group by clicking the Remove button below.

Azure AD SSPR Self Service Password Reset Guide – fig.4

Authentication Methods

The Authentication methods page shows the number of methods required to reset a password. The authentication methods for SSPR and sign-in can now be managed in one converged policy. The following methods are available to users.

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile Phone
  • Office Phone
  • Security questions etc
  • Here we are selecting 2 methods as Email and Mobile phone
Azure AD SSPR Self Service Password Reset Guide – fig.5

Registration

You’ll find a menu on the left side of the Registration page. Ensure you select “Yes” for the option “Require users to register when signing in.” This setting prompts users to register for self-service password reset during their sign-in process, ensuring they are enrolled in SSPR.

  • Select the number of days before users are asked to re-confirm their authentication information.
  • By default, users are asked to re-confirm their authentication information after 180 days.
Azure AD SSPR Self Service Password Reset Guide – fig.6

Notifications

Azure AD can be configured to send email notifications for SSPR events to enhance user awareness of account activity. This feature enables organizations to keep users informed about important password-related activities.

  • Set the Notify users on password resets option to Yes.
  • Set the Notify all admins when other admins reset their password option to Yes.
Azure AD SSPR Self Service Password Reset Guide – fig.7

Customization

To provide users with additional assistance during the SSPR process, Azure AD allows customization of the “Contact your administrator” link. This customizable link is valuable for users who may require further guidance or support when registering for SSPR, unlocking their accounts, or resetting their passwords.

  1. Under the Customization page, select Customize helpdesk link to Yes.
  2. The Custom helpdesk email or URL field allows you to specify an email address or web page URL where your users can seek additional assistance and support from your organization.
  3. Here we are giving https://htmd.in
  4. To apply the custom link, select Save.
Azure AD SSPR Self Service Password Reset Guide – fig.8

Administrator Policy

The Administrator policy page is a review of the configuration. It shows information such as whether SSPR is enabled or disabled, the number of methods required to reset, the methods available to administrators, etc.

Azure AD SSPR Self Service Password Reset Guide – fig.9

Audit logs

You can easily check the Audit logs to see whether any password reset has been initiated. The Audit logs tab shows details such as Activity type, correlation ID, Category, etc.

Azure AD SSPR Self Service Password Reset Guide – fig.10
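
The audit log details described above can also be reviewed in bulk. The following is an added example, not part of the original article or of Microsoft's tooling: it scans exported audit records for accounts with repeated failed self-service resets or a block event. It assumes records in the Microsoft Graph directoryAudit JSON shape; the sample records, user names, thresholds, and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RESET = "Reset password (self-service)"               # activity name shown on this page
BLOCKED = "Blocked from self-service password reset"  # assumed: Microsoft's documented name

def _rec(ts, activity, result, upn):
    """Build one constructed record in the Microsoft Graph directoryAudit shape."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "category": "UserManagement", "result": result,
            "correlationId": "constructed-sample",
            "targetResources": [{"userPrincipalName": upn}]}

# Constructed sample export (hypothetical users, not real tenant data).
SAMPLE = [
    _rec("2024-05-01T09:00:00Z", RESET, "failure", "alice@contoso.example"),
    _rec("2024-05-01T09:05:00Z", RESET, "failure", "alice@contoso.example"),
    _rec("2024-05-01T09:10:00Z", RESET, "failure", "alice@contoso.example"),
    _rec("2024-05-01T09:12:00Z", RESET, "success", "alice@contoso.example"),
    _rec("2024-05-01T10:00:00Z", RESET, "success", "bob@contoso.example"),
    _rec("2024-05-01T08:00:00Z", RESET, "failure", "dave@contoso.example"),
    _rec("2024-05-01T12:00:00Z", RESET, "failure", "dave@contoso.example"),
    _rec("2024-05-01T11:00:00Z", BLOCKED, "failure", "carol@contoso.example"),
    _rec("2024-05-01T11:30:00Z", "Add user", "success", "erin@contoso.example"),
]

def _ts(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))

def flag_sspr_activity(records, max_failures=3, window=timedelta(minutes=30)):
    """Return {upn: reason} for accounts whose SSPR audit trail needs review."""
    failures, findings = defaultdict(list), {}
    for rec in sorted(records, key=_ts):
        activity = rec.get("activityDisplayName")
        if activity not in (RESET, BLOCKED):
            continue  # ignore non-SSPR audit events
        upn = rec["targetResources"][0]["userPrincipalName"].lower()
        recent = [t for t in failures[upn] if _ts(rec) - t <= window]
        if activity == BLOCKED:
            findings[upn] = "blocked from self-service password reset"
        elif rec.get("result") == "failure":
            failures[upn] = recent + [_ts(rec)]
            if len(failures[upn]) >= max_failures:
                findings[upn] = "repeated failed resets"
        elif rec.get("result") == "success" and len(recent) >= max_failures:
            findings[upn] = "reset succeeded after repeated failures"
    return findings

if __name__ == "__main__":
    for upn, reason in flag_sspr_activity(SAMPLE).items():
        print(f"{upn}: {reason}")
```

A successful reset that follows a burst of failures is the case most worth a follow-up with the account owner, since the notification settings above only tell the user after the fact.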

Usage and Insights

Usage and insights presents dashboard-style details. It has 2 menus: Registration and Usage. The Registration menu shows the users capable of Azure multifactor authentication, the users capable of self-service password reset, etc.

Azure AD SSPR Self Service Password Reset Guide – fig.11

SSPR Self-Service Password Reset and The Manual Registration Process

To see the manual registration process for SSPR Self-Service Password Reset, open a new browser window and go to https://aka.ms/sspr or https://passwordreset.microsoftonline.com. Azure AD will redirect users to this registration portal when they sign in next time.

  • Enter your email or username and enter the characters in the picture or the words in the audio. After entering all the details, click the Next button.
  • If you get the error message “You can not reset your password because you have not registered for a password reset.”
Azure AD SSPR Self Service Password Reset Guide – fig.12

Open the web browser on your device and go to the Security info page. After clicking the Security info hyperlink, log in with your username and password.

NOTE! – This part is not always shown to end users. The additional security requirements depend on the security settings for your tenant and on the SSPR policy configuration shown above under Authentication Methods.

  • During sign-in, a prompt says your organization requires additional security information. Follow the prompts to download and set up the Microsoft Authenticator app.
  • On your phone, install the Microsoft Authenticator app.
  • After you install the Microsoft Authenticator app on your device, choose Next.
  • If prompted, allow notifications, add an account, and select Work or School.
  • Select the Next button from the 2nd window.
Azure AD SSPR Self Service Password Reset Guide – fig.13

In the window below, you can scan the QR code using the Microsoft Authenticator app. This connects the Microsoft Authenticator app to your account. After you scan the QR code, choose Next.

In the 2nd window, you can prove who you are by having a code texted to your phone. Select “Text me a code” and click the Next button in the window below.

Azure AD SSPR Self Service Password Reset Guide – fig.14

You will receive a 6-digit code on your mobile number; enter the code in the 1st window below. The 2nd screenshot shows the success message “Great job. You have successfully set up your security information. Click Done to continue signing in.”

Azure AD SSPR Self Service Password Reset Guide – fig.15

Click the Microsoft Online Password Reset hyperlink and sign in with your email ID. The 2nd window shows the pre-authentication step; enter the mobile number. You will then receive a text message with a verification code that can be used to reset your password.

Azure AD SSPR Self Service Password Reset Guide – fig.16

You can enter a new password in the window below and click the Finish button. A strong password is required. Strong passwords are 8 to 256 characters and must combine uppercase and lowercase letters, numbers, and symbols. They cannot contain your username.

Note! – Once users have successfully registered their password through the SSPR process, it remains valid for 180 days. Users can confidently utilize their chosen passwords to access their accounts without interruptions. However, after 180 days, users must go through the password registration process again.

Azure AD SSPR Self Service Password Reset Guide – fig.17

In the Microsoft Entra admin center, you can see that the Reset password (self-service) is successful, and the Self-service password reset flow activated is also successful.

Azure AD SSPR Self Service Password Reset Guide – fig.18

Author

Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing on Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.