Self-service password reset (SSPR) in Azure AD

In this tutorial, we will learn about Self-service password reset (SSPR) in Azure AD, including the authentication methods it supports.

Self-service password reset (SSPR) is an Azure AD feature that allows users to change or reset their passwords without the intervention of an administrator or help desk. That is, if a user’s account is locked or they forget their password, they can reset it and get back to work by following a prompt. Self-service password reset has several advantages:

  • Firstly, it improves security, because a reset handled by the help desk adds an extra layer that must itself be secured.
  • Secondly, it saves the organization money by reducing the number of calls and requests to help desk staff.
  • Lastly, it increases productivity by letting the user return to work faster.

Self-service password reset covers the following scenarios:

  • Firstly, password change. The user knows their password but wants to change it to something new.
  • Secondly, password reset. The user can’t sign in, for example because they forgot the password, and wants to reset it.
  • Lastly, account unlock. The user can’t sign in because their account is locked out.

To use self-service password reset, users must be:

  • Firstly, assigned an Azure AD license.
  • Secondly, enabled for SSPR by an administrator.
  • Lastly, registered with the authentication methods they want to use.

Authentication methods

When a user is enabled for SSPR, at least one authentication method must be registered. However, we recommend that you utilise two or more authentication methods so that your users have additional options if one method is unavailable when they need it.

The following authentication methods are available for SSPR:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone
  • Security questions

Number of authentication methods required

You can configure how many of the available authentication methods a user must provide to reset their password or unlock their account. This value can be set to either one or two. However, users can, and should, register multiple authentication methods. Again, we recommend that users register two or more authentication methods so they have more flexibility in case they’re unable to access one method when they need it.

When a user tries to use SSPR without having the appropriate number of methods registered, an error page appears, instructing them to request a password reset from an administrator.

Mobile app and SSPR

When using a mobile app as a method for a password reset, like the Microsoft Authenticator app, the following considerations apply:

  • Firstly, when administrators require one method for resetting a password, a verification code is the only option available.
  • Secondly, when administrators require two methods for resetting a password, users are able to use notification OR verification code in addition to any other enabled methods.

Notifications

SSPR allows you to customise notifications for both users and identity administrators to improve password event awareness.

Notify users of password resets

If this option is set to Yes, users who reset their passwords get an email telling them that their password has been changed. SSPR sends the email to the primary and alternate email addresses on file for the user in Azure AD.

Notify all admins when other admins reset their passwords

If this option is set to Yes, all other Azure administrators get an email at their primary email address in Azure AD. The email informs them that another administrator has changed their password by using SSPR.

Consider the following example scenario:

  • Firstly, there are four administrators in an environment.
  • Secondly, administrator A resets their password by using SSPR.
  • Lastly, administrators B, C, and D receive an email alerting them of the password reset.
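A small policy model, added here as an example and not code from the original page or from Microsoft, that works through the rules above: the one-or-two methods requirement together with the Authenticator app considerations, the error path that sends an under-registered user to an administrator, and the admin-to-admin notification fan-out from the four-administrator scenario. The method labels, class and function names are constructed for this illustration.

```python
from dataclasses import dataclass

# Method names as listed on this page; the string labels are constructed here.
ALL_METHODS = {"mobile_app_notification", "mobile_app_code", "email",
               "mobile_phone", "office_phone", "security_questions"}
APP_METHODS = {"mobile_app_notification", "mobile_app_code"}


@dataclass
class SsprPolicy:
    enabled_methods: set       # methods the administrator has turned on
    methods_required: int = 1  # the page states this is either one or two

    def __post_init__(self):
        if self.methods_required not in (1, 2):
            raise ValueError("SSPR requires either one or two methods")
        unknown = self.enabled_methods - ALL_METHODS
        if unknown:
            raise ValueError(f"unknown SSPR methods: {sorted(unknown)}")


def usable_methods(policy, registered):
    """Distinct methods the user can be challenged with under the policy.
    The Authenticator app fills at most one slot: with one method required
    only the verification code is offered; with two required the user may
    answer with notification OR code, never both."""
    usable = (registered & policy.enabled_methods) - APP_METHODS
    app = registered & policy.enabled_methods & APP_METHODS
    if policy.methods_required == 1 and "mobile_app_code" in app:
        usable.add("mobile_app_code")
    elif policy.methods_required == 2 and app:
        usable.add("mobile_app")  # one slot, satisfied by notification or code
    return usable


def sspr_outcome(policy, registered, licensed=True, enabled_for_sspr=True):
    """'proceed', or the reason the user is sent to an administrator."""
    if not licensed:
        return "blocked: no Azure AD license"
    if not enabled_for_sspr:
        return "blocked: not enabled for SSPR by an administrator"
    if len(usable_methods(policy, registered)) < policy.methods_required:
        return "blocked: too few registered methods, ask an administrator"
    return "proceed"


def admin_reset_notification_recipients(admins, resetting_admin):
    """Administrators emailed when one of them resets via SSPR: all the others."""
    if resetting_admin not in admins:
        raise ValueError("resetting user is not an administrator")
    return sorted(a for a in admins if a != resetting_admin)
```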

Password reset for B2B users

All business-to-business (B2B) configurations fully support password reset and change. B2B user password reset supports three cases:

  • Firstly, users from a partner organization with an existing Azure AD tenant. If the organization you partner with has an existing Azure AD tenant, we respect whatever password reset policies are enabled on that tenant. For password reset to work, the partner organization needs to enable Azure AD SSPR.
  • Secondly, users who sign up through self-service sign-up. If the organization you partner with used the self-service sign-up feature to get into a tenant, we let them reset the password with the email they registered.
  • Lastly, B2B users. Any new B2B users created by using the new Azure AD B2B capabilities can also reset their passwords with the email they registered during the invite process.

Reference: Microsoft Documentation, Doc 2