
In this Azure tutorial, we will discuss how to enable self-service password reset (SSPR) in Azure AD. We will also cover the following topics:
- Choose the authentication methods and registration options
- Configure notifications and customizations for SSPR
- Azure self-service password reset license
- Self-service password reset best practices
- What is password writeback Azure AD?
- Features Of Password Writeback Azure AD
- How do I enable writeback password in Azure?
- Which Azure AD role can reset the password?
How to enable self-service password reset in Azure AD
Let’s discuss how to enable the self-service password reset (SSPR) option in Azure Active Directory.
SSPR Password Reset
Follow the steps below to do that.
Step-1:
Log in to https://portal.azure.com/
Step-2:
Search for the “Azure Active Directory” and click on that.

Step-3:
From the Azure Active Directory page, select the “Password reset” option under Manage in the left side menu.

Step-4:
On the Password reset | Properties page, for the Self-service password reset enabled option, choose “Selected”.
Click the Select group option and search for your group name (TsInfoGroup in my case), then click the Select button.

Step-5:
You can see that TsInfoGroup is selected for me. Click the Save button to enable self-service password reset in Azure Active Directory.

That is how to enable self-service password reset in Azure Active Directory.
Choose the authentication methods and registration options
When you need to unlock your account or reset your password, you will be asked for an additional confirmation method.
You can choose which authentication methods to use.
It is always suggested to use two or more authentication methods.
The available authentication methods are:
- Mobile app notification
- Mobile app code
- Mobile phone
- Office phone
- Security questions
You can only reset your password if data is present for the authentication methods.
To select the authentication methods, follow the steps below.
Step-1:
Log in to https://portal.azure.com/
Step-2:
Search for the “Azure Active Directory” and click on that.

Step-3:
From the Azure Active Directory page, select the “Password reset” option under Manage in the left side menu.

Step-4:
On the Password reset page, select Authentication methods from the left side menu.
Set the Number of methods required to reset to 1 or 2.

Tick the options below that you want to enable:
- Mobile app notification
- Mobile app code
- Mobile phone
- Office phone
- Security questions
To use security questions, tick the Security questions option. You can set 3, 4 or 5 questions for the options below:
- Number of questions required to register
- Number of questions required to reset
Select the number of questions you want to configure and then click on the Select security questions option to configure the security questions.

Step-5:
Once you click the Select security questions option, the Select security questions window opens. Click the + Predefined button.
From the Add predefined security questions section, choose the questions you want and click the OK button.

Along with the predefined questions, you can also add custom questions of your own.
To add custom questions, click the + Custom button. In the Add custom security questions section, type the question text in the New custom security question field, and then select the Add button.
Finally, click the OK button.

Now click the OK button in the Select security questions window.
Step-6:
Now click the Save button in the window below.

Password reset Registration in Azure AD
To unlock their account or reset a password, users must register their contact information.
This contact information is used for the authentication methods above.
To prompt users for registration the next time they sign in, select the “Registration” option from the left menu. Select Yes for the Require users to register when signing in? option.
Set the Number of days before users are asked to re-confirm their authentication information option to 180, and then click the Save button to apply the changes.
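One way to check, after registration is switched on, which users in the SSPR group can actually satisfy the "Number of methods required to reset" setting. This is an added example, not part of the original tutorial: it assumes records shaped like the Microsoft Graph userRegistrationDetails resource, the mapping from portal method names to Graph values is this example's assumption, and the sample users are constructed.

```python
# Added example: audit SSPR registration readiness.
# Record fields follow the Microsoft Graph userRegistrationDetails resource;
# SAMPLE is constructed data, not real users.

METHODS_REQUIRED = 2  # "Number of methods required to reset" chosen in Step-4

# Graph methodsRegistered value -> portal method name (mapping assumed here)
SSPR_METHODS = {
    "microsoftAuthenticatorPush": "Mobile app notification",
    "softwareOneTimePasscode": "Mobile app code",
    "mobilePhone": "Mobile phone",
    "officePhone": "Office phone",
    "securityQuestion": "Security questions",
}

SAMPLE = [
    {"userPrincipalName": "alice@contoso.example", "isSsprEnabled": True,
     "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "isSsprEnabled": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example", "isSsprEnabled": True,
     "methodsRegistered": ["officePhone", "securityQuestion"]},
    {"userPrincipalName": "dave@contoso.example", "isSsprEnabled": True,
     "methodsRegistered": []},
    {"userPrincipalName": "erin@contoso.example", "isSsprEnabled": False,
     "methodsRegistered": ["mobilePhone", "email"]},
]


def audit(records, required=METHODS_REQUIRED):
    """Return {userPrincipalName: status} for users in SSPR scope."""
    report = {}
    for rec in records:
        if not rec.get("isSsprEnabled"):
            continue  # not in the group selected for SSPR
        # Only methods that the tenant offers for SSPR count toward a reset.
        usable = set(rec.get("methodsRegistered") or []) & set(SSPR_METHODS)
        if not usable:
            status = "not-registered"
        elif len(usable) < required:
            status = "too-few-methods"
        elif len(usable - {"securityQuestion"}) < required:
            # A reset is only possible by answering security questions.
            status = "depends-on-security-questions"
        else:
            status = "ready"
        report[rec["userPrincipalName"]] = status
    return report


if __name__ == "__main__":
    for upn, status in audit(SAMPLE).items():
        print(f"{upn:28} {status}")
```

Users reported as anything other than ready will be locked out of self-service reset until they register more methods, so they are the ones to follow up with before relying on SSPR.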

Configure notifications and customizations for SSPR
When an SSPR event happens, users are notified by email if you configure the settings below.
Click the Notifications tab in the left side menu, then set the following options:
- Notify users on password resets? option to Yes.
- Notify all admins when other admins reset their password? option to Yes.
Then click the Save button to apply the changes.

If you want users to be able to get additional help with the SSPR process, you can customize the “Contact your administrator” link.
Click the Customization tab and set the following options:
- Customize helpdesk link to Yes.
- Custom helpdesk email or URL: add a valid email address or a valid URL where users can find additional information.
Click the Save button to apply the changes.

The configuration for self-service password reset is now complete.
When a user logs in to the Azure portal for the first time, the user enters the user ID and default password, and the window to reset the password opens. Enter the new password, confirm it, and click Next. A prompt then asks for more information, as shown below (Your organization needs more information to keep your account secure). Click the Next button.

Depending on the authentication options you configured in the earlier steps, your users will see options like the ones below.

Click Set it up now next to Authentication Phone is not configured. Here, I have configured my mobile number as shown below. Click Verify.

Your authentication phone number is now configured.

I have also configured the security questions as shown below. Click Save answers.

After configuring the two recovery options as shown below, you can finish the setup. Click the Finish button.

After self-service password reset is set up, the next time the user clicks Forgot my password, the flow looks like this:

The user is asked to verify using one of the registered methods, for example Text my mobile phone as shown below. Click Next.

The user is also asked to answer security questions to reset the password.
The user needs to complete at least 2 authentication methods to reset the password.

Once the user is verified by the two authentication methods, the user is asked to choose a new password, as shown below:

Azure self-service password reset license
Basic SSPR features are available to Office 365 and all Azure AD users at no cost.
With full features, SSPR is licensed per user.
Standalone Office 365 licensing plans don’t support SSPR with on-premises writeback.
Group-based licensing is recommended for SSPR.
Below are a few details.
Feature | Azure AD Free | Office 365 Business Premium | Microsoft 365 Business | Azure AD Premium P1 or P2 |
Cloud-only user password change: User in Azure AD knows their password and wants to change it to a new one. | Available | Available | Available | Available |
Cloud-only user password reset: User in Azure AD has forgotten their password and needs to reset it. | Available | Available | Available | |
Hybrid user password change or reset with on-prem writeback: User in Azure AD that’s synchronized from an on-premises directory wants to change or reset their password and also write the new password back to on-prem. | Available | Available |
For more information on licensing, you can check the official site.
Self-service password reset best practices
Below are a few password reset best practices.
- Do not use easily guessable passwords.
- Always use a complex password.
- Do not allow any of the users to configure challenge questions.
- Use a long list of question challenges that are unlikely to have similar answers among different users.
- Configure HTTPS for end-to-end security.
- Enable CAPTCHA support.
What is password writeback Azure AD?
Password writeback is a feature that helps when you change your Azure AD password in the cloud: the new password is automatically written back to your existing on-premises directory.
You can enable the password writeback feature through Azure AD Connect as well as SSPR.
Features Of Password Writeback Azure AD
Let’s discuss a few key features of password writeback in Azure AD.
No-delay Response
If a password change does not meet the password policy, or the password cannot be updated for some other reason, the writeback feature notifies you immediately with the detailed reason.
No inbound firewall rules needed
You don’t need any inbound firewall rules for password writeback, because all communication is outbound over port 443.
Ensures your password meets your on-premises AD DS policy
When you reset your password, this feature checks before updating that the password you entered meets your on-premises AD DS policy in terms of complexity, age, history, restrictions, etc.
How do I enable writeback password in Azure?
Follow the steps below to enable password writeback for SSPR.
- Use your global admin account credentials to log in to the Azure portal.
- Once you have logged in to the portal, search for Azure Active Directory and click the Azure Active Directory search result.
- Click Password reset in the left navigation, then select On-premises integration.
- Set Yes for the option Write back passwords to your on-premises directory?.
- Then set Yes for the option Allow users to unlock accounts without resetting their password?.
- Finally, click on the Save button to save the changes.
Which Azure AD role can reset the password?
If you are a non-admin user, then the Help desk admin can help you to reset the password.
Conclusion
In this Azure tutorial, we discussed:
- How to enable self-service password reset in Azure AD
- Enable self-service password reset azure ad
- Choose the authentication methods and registration options
- Configure notifications and customizations for SSPR
- Azure self-service password reset license
- Self-service password reset best practices
- What is password writeback Azure AD?
- Features Of Password Writeback Azure AD
- How do I enable writeback password in Azure?
- Which Azure AD role can reset the password?
Hope you have enjoyed this article!