How to enable self-service password reset in Azure AD

In this Azure tutorial, we will discuss how to enable self-service password reset in Azure AD. We will also cover the topics below:

  • Choose the authentication methods and registration options
  • Configure notifications and customizations for SSPR
  • Azure self-service password reset license
  • Self-service password reset best practices
  • FAQs

How to enable self-service password reset in Azure AD

Let’s discuss how to enable self-service password reset in Azure AD. We can enable the Azure Active Directory self-service password reset (SSPR) option.

You need to follow the below steps to do that.

Step-1:

Login to https://portal.azure.com/

Step-2:

Search for the Azure Active Directory and click on that.

Step-3:

From the Azure Active Directory page, select the “Password reset” option under Manage from the left side menu.

Step-4:

From the Password reset | Properties page, for the Self-service password reset enabled option, select the “Selected” option.

Choose a group by clicking the Select group option, then search for your group name (in my case, TsInfoGroup) and click on the Select button.

Step-5:

You can see TsInfoGroup is selected for me. Click on the Save button to enable the self-service password reset in Azure Active Directory.

So far we have discussed how to enable self-service password reset in Azure Active Directory.

Choose the authentication methods and registration options

When you need to unlock your account or reset your password, you will be asked for an additional confirmation method.

You can choose which authentication methods to use.

Using two or more authentication methods is always suggested.

The available authentication methods are:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone
  • Security Questions

You can only reset your password if you have data present in the authentication methods.

To select the authentication methods, follow the steps below.

Step-1:

Login to https://portal.azure.com/

Step-2:

Search for the “Azure Active Directory” and click on that.

Step-3:

From the Azure Active Directory page, select the “Password reset” option under Manage from the left side menu.

Step-4:

From the Password-reset page, select the Authentication methods from the left side menu.

Set the Number of methods required to reset to 1 or 2.

Tick the options below that you want to enable:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone
  • Security Questions

To use security questions, tick the Security questions option. You can set 3, 4 or 5 questions for each of the options below:

  • Number of questions required to register
  • Number of questions required to reset

Select the number of questions you want to configure and then click on the Select security questions option to configure the security questions.

Step-5:

Once you click on the Select security questions option, the Select security questions window will open. Click on the + Predefined button.

From the Add predefined security questions section, choose the questions you want and click on the Ok button.

Along with the Predefined questions, you can also add some Custom questions on your own.

To add the custom questions, click on the + Custom button. From the Add custom security questions section, type the security question text in the New custom security question option, and then select the Add button.

Finally, click on the OK button.

Now click on the Ok button in the Select security questions window.

Step-6:

Now from the below window click on the Save button.

Password reset Registration in Azure AD

In order to unlock their account or reset a password, the users must register their contact information.

This contact information will be used for the above authentication methods.

To have users prompted for registration the next time they sign in, select the “Registration” option from the left menu. Select Yes for the Require users to register when signing in? option.

Set the Number of days before users are asked to re-confirm their authentication information option to 180 and then click on the Save button to apply the changes.
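
The settings chosen above (the enabled methods, the number of methods required to reset, and the 180-day re-confirmation interval) decide whether a given user can actually complete a reset. The following Python check is an added example, not part of the original tutorial or any Microsoft tooling; the record fields and sample users are constructed for illustration and do not correspond to an Azure export format.

```python
from datetime import date

# Settings as chosen in the portal steps above.
ENABLED_METHODS = {"mobile app notification", "mobile app code", "email",
                   "mobile phone", "office phone", "security questions"}
METHODS_REQUIRED_TO_RESET = 2   # "Number of methods required to reset"
RECONFIRM_AFTER_DAYS = 180      # re-confirmation interval from the Registration page

# Constructed sample records; field names are hypothetical, not an Azure export format.
SAMPLE_USERS = [
    {"upn": "alice@example.com", "in_sspr_group": True,
     "registered": {"mobile phone", "security questions"},
     "last_confirmed": date(2024, 5, 1)},
    {"upn": "bob@example.com", "in_sspr_group": True,
     "registered": {"email"}, "last_confirmed": date(2024, 5, 20)},
    {"upn": "carol@example.com", "in_sspr_group": True,
     "registered": {"mobile phone", "email"},
     "last_confirmed": date(2023, 10, 1)},
    {"upn": "dave@example.com", "in_sspr_group": False,
     "registered": set(), "last_confirmed": None},
]


def audit_user(user, today, enabled=ENABLED_METHODS,
               required=METHODS_REQUIRED_TO_RESET, max_age=RECONFIRM_AFTER_DAYS):
    """Classify one user against the SSPR policy."""
    if not user["in_sspr_group"]:
        return "not-in-scope"        # SSPR is enabled for the selected group only
    usable = user["registered"] & enabled   # data for a disabled method does not count
    if len(usable) < required:
        return "cannot-reset"        # too little registered data to pass verification
    if (today - user["last_confirmed"]).days > max_age:
        return "reconfirm-due"       # assumption: due once the interval is exceeded
    return "ready"


def audit(users, today, **policy):
    """Group user names by audit result."""
    report = {}
    for user in users:
        report.setdefault(audit_user(user, today, **policy), []).append(user["upn"])
    return report


if __name__ == "__main__":
    for status, upns in audit(SAMPLE_USERS, date(2024, 6, 1)).items():
        print(f"{status}: {', '.join(upns)}")
```

Users reported as cannot-reset are the ones who will end up calling the helpdesk, so this list is worth reviewing before raising the required number of methods or disabling a method.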

Configure notifications and customizations for SSPR

When an SSPR event happens, users are notified via email if you configure the options below.

Click on the Notifications tab from the left side menu, then set the options below:

  • Notify users on password resets? option to Yes.
  • Notify all admins when other admins reset their password? option to Yes.

Then click on the Save button to apply the changes.

If you want to customize the link so that users can get additional help with the SSPR process, you can customize the link for “Contact your administrator”.

Click on the Customization tab, select the below options

  • Customize helpdesk link to Yes.
  • Custom helpdesk email or URL: Add a valid email id or a valid URL where the user can see the additional information.

Click on the Save button to apply the changes.

Now the configuration for self-service password reset is over.

When a user logs in to the Azure Portal for the first time, they enter their user ID and default password, and the window to reset the password opens. They enter the new password, confirm it, and click on Next. They are then shown the message “Your organization needs more information to keep your account secure” and asked to configure the options below. Click the Next button.

Depending on the authentication options you configured in the earlier steps, your users will see options like the ones below.

Click “Set it up now” next to “Authentication Phone is not configured”. Here, I have configured my mobile number as below. Click on Verify.

Now your Authentication phone number is configured.

I have also configured the security questions as below. Click on Save answers.

After configuring the two recovery options, you can finish the setup. Click on the Finish button.

After the self-service password reset setup is finished, the user can click on Forgot my password the next time they need to reset it, as shown below:

It will ask the user to verify methods. You can verify using Text my mobile phone like below. Click on Next.

Also, it will ask the user to Answer security questions to reset the password.

The user needs to complete at least 2 authentication methods to reset the password.

Once it is verified by the two authentication methods, it will ask the user to choose a new password like below:

Azure self-service password reset license

Basic SSPR features are available to Office 365 and all Azure AD users at no cost.

With full features, SSPR is licensed per user.

Standalone Office 365 licensing plans don’t support SSPR with on-premises writeback.

Group-based licensing is recommended for SSPR.

Below are a few details:

| Feature | Azure AD Free | Office 365 Business Premium | Microsoft 365 Business | Azure AD Premium P1 or P2 |
|---|---|---|---|---|
| Cloud-only user password change: a user in Azure AD knows their password and wants to change it to a new one. | Available | Available | Available | Available |
| Cloud-only user password reset: a user in Azure AD has forgotten their password and needs to reset it. | | Available | Available | Available |
| Hybrid user password change or reset with on-prem writeback: a user in Azure AD that’s synchronized from an on-premises directory wants to change or reset their password and also write the new password back to on-prem. | | | Available | Available |

For more information on licensing, you can check the official site

Self-service password reset best practices

Below are a few password reset best practices.

  • Do not use easily guessable passwords.
  • Use a complex password always.
  • Do not allow any of the users to configure challenge questions.
  • Use a long list of question challenges that are unlikely to have similar answers among different users.
  • We can configure HTTPS for end-to-end security.
  • Better to enable Captcha support.

FAQs

Which Azure AD role can reset the password?

If you are a non-admin user, then the Help Desk admin can help you to reset the password.

Conclusion

In this Azure tutorial, we discussed:

  • How to enable self-service password reset in Azure AD
  • Enable self-service password reset azure ad
  • Choose the authentication methods and registration options
  • Configure notifications and customizations for SSPR
  • Azure self-service password reset license
  • Self-service password reset best practices
  • FAQs

Hope you have enjoyed this article !!!