In this Azure tutorial, we will discuss How to enable self-service password reset in Azure AD. Apart from this, we will also discuss the below topics
- Choose the authentication methods and registration options
- Configure notifications and customizations for SSPR
- Azure self-service password reset license
- Self-service password reset best practices
- FAQs
Table of Contents
- How to enable self-service password reset in Azure AD
- SSPR Password Reset
- Choose the authentication methods and registration options
- Password reset Registration in Azure AD
- Configure notifications and customizations for SSPR
- Azure self-service password reset license
- Self-service password reset best practices
- FAQs
How to enable self-service password reset in Azure AD
Well, let’s discuss How to enable self-service password reset in Azure AD. We can enable the Microsoft active directory self-service password reset(SSPR) option.
SSPR Password Reset
You need to follow the below steps to do that.
Step- 1:
Login to https://portal.azure.com/
Step-2:
Search for the “Azure Active Directory” and click on that.
Step-3:
From the Azure Active Directory page, select the “Password reset” option under Manage from the left side menu.
Step-4:
From the Password-reset | Properties page, For the Self-service password reset enabled option, select the “Selected” option.
Select a group by selecting the Select group option –> you can search for your group name. In my case (TsinfoGroup)–>Then click on the Select button.
Step-5:
You can see TsInfoGroup is selected for me. Click on the Save button to enable the self-service password reset in Azure Active Directory.
So we discussed here How to enable self-service password reset in Azure AD in Azure Active Directory.
Choose the authentication methods and registration options
When you need to unlock your account or reset your password, you will be asked for an additional confirmation method.
You can choose which authentication methods you need to use
It is always suggested to use two or more authentication methods.
The available authentication methods are
- Mobile app notification
- Mobile app code
- Mobile phone
- Office phone
- Security Questions
you can only reset your password if you have data present in the authentication methods
To select the authentication method, you need to follow the below steps
Step- 1:
Login to https://portal.azure.com/
Step-2:
Search for the “Azure Active Directory” and click on that.
Step-3:
From the Azure Active Directory page, select the “Password reset” option under Manage from the left side menu.
Step-4:
From the Password-reset page, select the Authentication methods from the left side menu.
Select the Number of methods required to reset as 1 or 2
Tick the options the below that you want to set
- Mobile app notification
- Mobile app code
- Mobile phone
- Office phone
- Security Questions
To set the Security questions you need to tick the Security questions option. You can set 3,4 or 5 questions for the below options
- Number of questions required to register
- Number of questions required to reset
Select the number of questions you want to configure and then click on the Select security questions option to configure the security questions.
Step-5:
Once you click on the Select security questions option, the Select security questions window will open. Click on the + Predefined button.
From the Add predefined security questions section, you choose some questions on your choice and click on the Ok button.
Along with the Predefined questions, you can also add some Custom questions on your own.
To add the custom questions, click on the + Custom button. From the Add custom security questions section, type the security question text in the New custom security question option, and then select the Add button.
Finally, click on the OK button.
Now click on the Ok button in the Select security questions window.
Step-6:
Now from the below window click on the Save button.
Password reset Registration in Azure AD
In order to unlock their account or reset a password, the users must register their contact information.
This contact information will be used for the above authentication methods.
To configure the users to be prompted for registration when they next sign, select the “Registration” option from the left menu. Select Yes for the Require users to register when signing in? option.
Select the Number of days before users are asked to re-confirm their authentication information option to 180 and then click on the Save button to apply the changes.
Configure notifications and customizations for SSPR
When an SSPR event happens, the users will get notified via email if you will configure the below information.
Click on the Notifications tab from the left side menu then set the below options
- Notify users on password resets? option to Yes.
- Notify all admins when other admins reset their password? option to Yes.
Then click on the Save button to apply the changes.
If you want to customize the link so that users can get additional help with the SSPR process, you can customize the link for “Contact your administrator”.
Click on the Customization tab, select the below options
- Customize helpdesk link to Yes.
- Custom helpdesk email or URL: Add a valid email id or a valid URL where the user can see the additional information.
Click on the Save button to apply the changes.
Now the configuration for self-service password reset is over.
When the user first-time login in to Azure Portal, the user needs to enter the User Id and default password now the window to reset the password will open. You need to enter the new password and confirm the password and click on Next then it will ask you to configure the options below: (Your organization needs more information to keep your account secure). Now click the Next button.
According to the authentication options, you have configured in earlier steps, the below-like options your users were going to see.
Click Set it up now next to Authentication Phone is not configured. Here, I have configured my mobile number as below. Click on Verify.
Now your Authentication phone number is configured.
Also, I have configured the security questions like below: Click on the Save answers.
You can finish the setup, after configuring the two recovery options below. Click on the Finish button.
After you finish setting up for self-service password reset, the next time when user will try to click on Forgot my password like below:
It will ask the user to verify methods. You can verify using Text my mobile phone like below. Click on Next.
Also, it will ask the user to Answer security questions to reset the password.
The user needs to do at least 2 authentication methods to reset the password.
Once it is verified by the two authentication methods, it will ask the user to choose a new password like below:
Azure self-service password reset license
Basic SSPR features are available to Office 365 and all Azure AD users at no cost.
With full features, SSPR is licensed per user.
Standalone Office 365 licensing plans don’t support SSPR with on-premises writeback.
It is recommended group-based licensing for SSPR.
Below are few details
| Feature | Azure AD Free | Office 365 Business Premium | Microsoft 365 Business | Azure AD Premium P1 or P2 |
| Cloud-only user password change User in Azure AD knows their password and wants to change it to a new one. | Available | Available | Available | Available |
| Cloud-only user password reset User in Azure AD has forgotten their password and needs to reset it. | Available | Available | Available | |
| Hybrid user password change or reset with on-prem writeback User in Azure AD that’s synchronized from an on-premises wants to change or reset their password and also write the new password back to on-prem again. | Available | Available |
For more information on licensing, you can check the official site
Self-service password reset best practices
Below are a few password reset best practices.
- Do not use easily guessable passwords.
- Use a complex password always.
- Do not allow any of the users to configure challenge questions.
- Use a long list of question challenges that are unlikely to have similar answers among different users.
- We can configure HTTPS for end-to-end security.
- Better to enable Captcha support.
FAQs
Which Azure AD role can reset the password?
If you are a non-admin user, then the Help Desk admin can help you to reset the password.
You may like the following Azure tutorials:
- Azure AD group membership PowerShell
- How to create and add members to Azure Active Directory Group
- No match was found for the specified search criteria and module name ‘AzureAD’
Conclusion
In this Azure tutorial, We discussed
- How to enable self-service password reset in Azure AD
- Enable self-service password reset azure ad
- Choose the authentication methods and registration options
- Configure notifications and customizations for SSPR
- Azure self-service password reset license
- Self-service password reset best practices
- FAQs
Hope you have enjoyed this article !!!