
Enable Self-Service Password Reset (SSPR)

We want to allow users to reset their own Microsoft 365/Office 365 password. The feature to configure is Azure AD Self-Service Password Reset, which can be enabled for selected users or all users. In this article, you will learn how to enable Self-Service Password Reset (SSPR) for cloud-only or hybrid deployment environments.

Self-Service Password Reset (SSPR)

Before you start to implement Self-Service Password Reset (SSPR) for the users, it’s good to know where you need to enable SSPR:

  • Cloud-only tenant: Enable SSPR in Azure AD
  • Hybrid deployment: Enable SSPR in Azure AD and enable password writeback in Azure AD Connect

In this article, we will look at both options.

Note: Microsoft has created excellent Self-Service Password Reset rollout materials that you can download, edit, and send to the users.

Self-Service Password Reset prerequisites

Ensure that you meet the below prerequisites before you enable Self-Service Password Reset:

  • A working Azure AD tenant with at least an Azure AD free or trial license enabled
  • An account with Global Administrator or Authentication Policy Administrator privileges
  • In the Free tier, SSPR only works for cloud users in Azure AD (see table below)
  • Password change is supported in the Free tier, but password reset is not (see table below)
  • You need an Azure AD Premium P1 or trial license for on-premises password writeback (see table below)

Self-Service Password Reset license requirements

Check which Self-Service Password Reset features are available for your organization license in the below table:

Feature | Azure AD Free | Microsoft 365 Business Standard | Microsoft 365 Business Premium | Azure AD Premium P1 or P2

  • Cloud-only user password change: When a user in Azure AD knows their password and wants to change it to something new.
  • Cloud-only user password reset: When a user in Azure AD has forgotten their password and needs to reset it.
  • Hybrid user password change or reset with on-prem writeback: When a user in Azure AD that’s synchronized from an on-premises directory using Azure AD Connect wants to change or reset their password and also write the new password back to on-prem.

How to enable Self-Service Password Reset in Azure AD

To enable Self-Service Password Reset in a cloud-only tenant, follow the below steps:

  1. Sign in to Microsoft Azure portal
  2. Click on Menu > Azure Active Directory
  3. Click on Password reset
  4. Click on Properties
  5. Select All and Save

Note: We recommend you enable Self-Service Password Reset for All users. It’s one of the recommendations from the Microsoft Secure Score.

You have successfully configured Self-Service Password Reset for the cloud-only tenant.

The users can register for Self-Service Password Reset from the link https://aka.ms/ssprsetup. After it’s set up, they can use the link https://aka.ms/sspr to reset their password.
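
To see how many in-scope users have actually completed that registration, the following added example (not part of the original article) summarizes SSPR status from the Microsoft Graph authentication methods registration report. It assumes the Microsoft Graph PowerShell SDK modules are installed, the signed-in account can consent to AuditLog.Read.All, and the tenant is licensed for that report; the CSV file name is a placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports
# Added example: SSPR registration coverage after SSPR has been enabled.
# Assumption: the account running this may consent to AuditLog.Read.All.

Connect-MgGraph -Scopes 'AuditLog.Read.All'

# One row per user from the authentication methods registration report.
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

# IsSsprEnabled:    user is allowed to use SSPR by policy
#                   (Password reset > Properties > Selected or All).
# IsSsprRegistered: user has registered the required number of methods.
# IsSsprCapable:    both of the above, so a reset would actually work.
$enabled = @($details | Where-Object { $_.IsSsprEnabled })
$capable = @($enabled | Where-Object { $_.IsSsprCapable })
$pending = @($enabled | Where-Object { -not $_.IsSsprRegistered })

# Users who registered methods but are outside the SSPR policy scope;
# a non-zero count here usually means "Selected" is still configured.
$outOfScope = @($details | Where-Object {
    $_.IsSsprRegistered -and -not $_.IsSsprEnabled
})

[pscustomobject]@{
    TotalUsers              = $details.Count
    EnabledByPolicy         = $enabled.Count
    CapableOfReset          = $capable.Count
    EnabledButNotRegistered = $pending.Count
    RegisteredButNotEnabled = $outOfScope.Count
} | Format-List

# List of users to remind about https://aka.ms/ssprsetup.
# Admin accounts are flagged so they can be followed up on first.
$pending |
    Sort-Object -Property UserPrincipalName |
    Select-Object -Property UserPrincipalName, UserDisplayName, IsAdmin |
    Export-Csv -Path '.\sspr-not-registered.csv' -NoTypeInformation

Disconnect-MgGraph | Out-Null
```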

Do you have a hybrid deployment (on-premises and cloud)? Follow the next step.

How to enable Self-Service Password Reset in Hybrid deployment

To enable Self-Service Password Reset in Hybrid deployment, follow these steps:

1. Enable Self-Service Password Reset in Azure AD

Make sure you enable Self-Service Password Reset in Azure AD, as shown in the previous step, before you proceed further and enable the password writeback feature in Azure AD Connect.

2. Enable password writeback in Azure AD Connect

  1. Sign in to the Azure AD Connect on-premises server
  2. Start the application Azure AD Connect
  3. On the setup wizard welcome screen, click on Configure
  4. Click Customize synchronization options
  5. Click Next
  6. Enter your Azure AD global administrator credentials
  7. Click Next
  8. Click Next a couple of times to go through the wizard until you reach the Optional Features screen
  9. Check the checkbox Password writeback
  10. Click Next
  11. Click Configure
  12. The configuration completes successfully
  13. Click Exit
  14. Sign in to Microsoft Azure portal
  15. Navigate to Azure AD password reset
  16. Select On-premises integration
  17. It shows the message: Your on-premises writeback client is up and running

You have successfully configured Self-Service Password Reset for the Hybrid environment.

The users can register for Self-Service Password Reset from the link https://aka.ms/ssprsetup. After it’s set up, they can use the link https://aka.ms/sspr to reset their password.

Read more: Secure MFA and SSPR registration with Conditional Access »

Conclusion

You learned how to enable Self-Service Password Reset. Enable SSPR in Azure Active Directory if you have a cloud-only tenant. Do you have a hybrid environment? Enable SSPR in Azure Active Directory and enable password writeback in Azure AD Connect.

Help the service desk team and configure Self-Service Password Reset. They will get fewer phone calls with requests to reset the user password. When users do call, the service desk can redirect them to the SSPR URL. The users will reset their own password, which will take less time and effort from the service desk.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 2 Comments

  1. Hello, is it still needed to adjust the security rights on the service account that is used for Azure Connect or not? If so, maybe place a link to what you need to do extra when you have a hybrid setup.

    1. You only have to follow the steps outlined in “How to enable Self-Service Password Reset in Hybrid deployment”, and you are good.

      There is no security rights adjustment that you need to set for the service account.
