In this post we will describe the concept of SSPR (self service password reset) and the way to implement it in Azure.
Table of Contents
What is SSPR?
Many times helpdesk or administrators should perform a password reset for the end users either because they forgot their passwords or their account was locked out. Microsoft offers Self service password reset capability (SSPR) to remove this responsibility from the IT department.
With SSPR, users can reset their passwords in a web browser or from a Windows sign-in screen on their own to regain access to Azure, Microsoft 365, and any other application that uses Azure AD for authentication. SSPR reduces the load on administrators, since end-users can fix password problems themselves, without having to call the help desk. It also minimizes the productivity impact of a forgotten or expired password. Users don’t have to wait until an administrator is available to reset their password.
Requirements for using SSPR
SSPR requires specific licenses. An organization you can use SSPR in Azure AD Premium P1 or P2. It’s also available with Microsoft 365 Apps for business or Microsoft 365.
SSPR Implementation
SSPR allows users to reset their passwords after requesting for verification of their identity by using various alternative methods.
As per Microsoft the following authentication methods are available:
| Authentication method | How to register | How to authenticate for a password reset |
|---|---|---|
| Mobile app notification | Install the Microsoft Authenticator app on your mobile device, and then register it on the multifactor authentication setup page. | Azure sends a notification to the app, which you can either verify or deny. |
| Mobile app code | This method also uses the Authenticator app, and you install and register it in the same way. | Enter the code from the app. |
| Provide an email address that’s external to Azure and Microsoft 365. | Azure sends a code to the address, which you enter in the reset wizard. | |
| Mobile phone | Provide a mobile phone number. | Azure sends a code to the phone in an SMS message, which you enter in the reset wizard. Or, you can choose to get an automated call. |
| Office phone | Provide a non mobile phone number. | You receive an automated call to this number and press #. |
| Security questions | Select questions such as “In what city was your mother born?” and save responses to them. | Answer the questions. |
In free and trial Azure AD organizations, phone call options aren’t supported.
Let’s explore how we can implement SSPR on our tenant.
First navigate to Azure and search for Password reset.
Navigate to the Properties blade from the left pane and select the scope of SSPR. SSPR can be disabled, applied to specific user groups or to all users. In our case, we select all users.
Now SSPR is enabled for all users. Let’s define the authentication methods. Navigate to Authentication methods to see the available options.
As you can see, the predefined options, require one method to reset and Email or Mobile phone as the method. Let’s change it to enforce two methods.
Now the SSPR is enabled and the methods for resetting are defined. The next step is to enforce end-users to register to SSPR the next time they perform a login. Go to the Registration blade to define the above behavior.
We want to inform the end user for every password change they perform through SSPR. To do this go to the Notifications blade and select the desired settings.
The SSPR is ready. Let’s find out what the end-user experience looks like.
End-user experience: SSPR Registration
A user in our organization performs a login after we have enabled SSPR. After they have entered their email and password successfully a prompt that More information required is shown.
By clicking next in the above screen, the user is prompted to setup the two authentication methods defined in the SSPR configuration. In our case Mobile app notification through the Authenticator app and Mobile phone registration.
After the user has configured the two above methods, they will be able to use SSPR whenever their password is forgotten or their account is locked out.
End-user experience: SSPR use
For demonstration purposes let’s suppose that a user wants to unlock their account or reset their password. The only thing they should do is navigate to SSPR link and enter their email and authenticate with the registered authentication methods.
By entering their email and the characters shown, the user is prompted to authenticate through the registered methods and enter a new password.
References and documentation:
- How it works: Azure AD self-service password reset
- Plan an Azure Active Directory self-service password reset deployment
Check the below posts to find out more on how to protect you data: