Solved: How do I setup Microsoft 365 Azure AD Self-Service Password Reset SSPR?

As a Microsoft 365 administrator, you can reduce support costs and help users become more self-sufficient by allowing them to register for self-service password reset (SSPR). With SSPR, users no longer need to contact the organization’s IT support to reset their passwords. Microsoft sends the user a code so that they can reset the password themselves.

In this how-to article, we outline the SSPR setup steps in detail, including registering the user account for self-service password reset and providing the authentication methods the user can choose from when a password reset is required.

Content Summary

Basic information required for Microsoft 365 user account
Enable self-service password reset SSPR in Microsoft 365 admin center
Setup Authentication methods for users in Azure AD
Available authentication methods
Provide Authentication contact info for user in Azure AD
Conclusion

Basic information required for Microsoft 365 user account

Basic information such as First Name, Last Name, Display Name, and username should be provided when creating a user account in the Microsoft 365 admin center. The following 2 options are enabled by default for a new user account:

  • Automatically create a password
  • Require this user to change their password when they first sign-in

Since the Automatically create a password option is enabled by default, Microsoft automatically generates a strong password, which you share with the user so that they can log in.

If the user forgets the password, the administrator can select that user in the Microsoft 365 admin center, then click the Reset password button to reset the password and share the new password with the user.

For a bigger organization, it is more efficient to let users change their own passwords with the self-service password reset feature, whether they want to change the password or have forgotten it.

Enable self-service password reset SSPR in Microsoft 365 admin center

Step 1: Log in to the Microsoft 365 admin center with the global administrator account.

Step 2: Click on the Setup option from the left menu.

Step 3: Under the Sign-in and security section, you can see the option Let users reset their own passwords with the status as Not started yet. This status means that you have not yet set up the self-service registration.

Step 4: Click on the link Let users reset their passwords to open a new setup wizard.

Step 5: Click on the Get Started button.

Step 6: The Microsoft Azure portal will open in a new browser tab. Make sure you save your selections for each setting:

  • In Password reset > Properties, choose All to let everyone reset their own passwords or Selected to choose specific groups.
  • In Password reset > Authentication methods, choose how many and which methods people can use to identify themselves when they reset passwords. For example, they can use a mobile authentication app, or get a code sent to their mobile phone, office phone, or email.

Step 7: The Azure Password reset menu blade opens and shows that no users are selected for self-service password reset. You need to decide whether to select all users or particular users. This setting designates whether users in this directory can reset their passwords. Choose Selected to restrict password reset to a limited group of users, or choose All for all the users in the Azure Directory.

Step 8: Click on the Save option and the notification Password reset policy saved will show.

Self-service password reset SSPR is now enabled for all users.

Setup Authentication methods for users in Azure AD

We can enable various authentication methods for registered users so that they can reset their passwords without help from the IT helpdesk.

Step 8: In the Password reset menu blade, click Authentication methods in the left menu in Azure AD.

Step 9: You can require one or two authentication methods to reset or unlock the password. It is highly recommended that users register two or more authentication methods so they have more flexibility in case they’re unable to access one method when they need it.

Available authentication methods

Email: The SSPR portal sends reset instructions to the primary and secondary email addresses provided in Azure AD, and the user completes the reset through the SSPR password reset workflow.

Mobile phone: The SSPR password reset process runs as above, with mobile OTP authentication. A mobile number must be configured for the user in Azure AD.

Office phone: The SSPR password reset process runs as above, with authorization through the office phone number.

The following considerations apply for authentication contact info:

  • If the Phone field is populated and the Mobile phone is enabled in the SSPR policy, the user sees that number on the password reset registration page and during the password reset workflow.
  • If the Email field is populated and Email is enabled in the SSPR policy, the user sees that email on the password reset registration page and during the password reset workflow.

Security questions: Settings for security questions for registering and resetting.

The administrator can define the number of security questions that the user must answer when registering for SSPR. This setting defines the minimum number of security questions a user must select and answer when registering for a password reset. Usually, the number of questions will be 3, 4, or 5.

The administrator can also define the number of security questions that the user must answer when resetting the password. This setting defines the number of randomly selected security questions a user must answer when resetting a password.

Note: The number of questions a user must have for registration must be greater than or equal to the number of questions a user must have to reset a password.

You can also use Mobile app notification as an authentication method. The mobile device must be registered by downloading and installing the Microsoft Authenticator app, and you approve each authentication on the mobile device.

Provide Authentication contact info for user in Azure AD

Once the setup of authentication methods for SSPR is complete, the administrator can distribute the authentication contact info details to users.

Follow the steps below to set the phone numbers and email addresses that users use to perform multi-factor authentication and self-service password reset, and to reset a user’s password.

Step 1: Select the individual user’s Azure AD properties.

Step 2: Click the Authentication methods option under the Manage section.

Step 3: Click the Add authentication method option.

Step 4: Choose the method, either phone number or email, and provide a valid email ID or phone number.

Step 5: Click on the Add button.

This will allow the user to receive a one-time-use code via email or phone for self-service password reset. You should also set an alternate email in the individual user’s profile section in the same user details menu blade.

The user now has an email ID and phone number configured to receive the OTP that starts the SSPR reset workflow whenever they want to change the password without any IT helpdesk assistance.
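The same contact info can be set for several users from PowerShell instead of clicking through each user's blade. The script below is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) is installed, and the user names, phone numbers and email addresses are constructed placeholders. It adds a mobile phone and an email method only where none exists, then reports whether each user has the two methods recommended above.

```powershell
# Added example. Sign in as an administrator who is allowed to manage
# users' authentication methods.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Constructed sample input: replace with your own users.
# Graph expects phone numbers as "+<country code> <number>" (note the space).
$contacts = @(
    [pscustomobject]@{ Upn = 'alice@example.com'; Mobile = '+1 5555550100'; Email = 'alice.alt@example.org' }
    [pscustomobject]@{ Upn = 'bob@example.com';   Mobile = '+1 5555550101'; Email = $null }
)

$report = foreach ($c in $contacts) {
    # Read what is already registered so existing values are not overwritten.
    $phones = @(Get-MgUserAuthenticationPhoneMethod -UserId $c.Upn)
    $emails = @(Get-MgUserAuthenticationEmailMethod -UserId $c.Upn)

    if ($c.Mobile -and -not ($phones | Where-Object PhoneType -eq 'mobile')) {
        New-MgUserAuthenticationPhoneMethod -UserId $c.Upn `
            -PhoneType 'mobile' -PhoneNumber $c.Mobile | Out-Null
    }
    # The email authentication method is used for SSPR only, not for sign-in.
    if ($c.Email -and $emails.Count -eq 0) {
        New-MgUserAuthenticationEmailMethod -UserId $c.Upn `
            -EmailAddress $c.Email | Out-Null
    }

    # Re-read after the changes and count the phone and email methods.
    $phones = @(Get-MgUserAuthenticationPhoneMethod -UserId $c.Upn)
    $emails = @(Get-MgUserAuthenticationEmailMethod -UserId $c.Upn)
    $count  = $phones.Count + $emails.Count

    [pscustomobject]@{
        User            = $c.Upn
        PhoneMethods    = $phones.Count
        EmailMethods    = $emails.Count
        HasTwoOrMore    = ($count -ge 2)
    }
}

# Users with HasTwoOrMore = False have a single recovery path and are
# locked out of SSPR if that one method becomes unavailable.
$report | Sort-Object HasTwoOrMore | Format-Table -AutoSize
```

The count covers phone and email methods only; a user who also registered the Microsoft Authenticator app or security questions has more options than the report shows.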

Conclusion

Self-Service Password Reset (SSPR) is an Azure Active Directory (AD) feature that enables users to reset their passwords without contacting IT staff for assistance. Users can quickly unlock themselves and continue to work no matter where they are or the time of day. The organization can improve productivity and avoid high support costs for common password-related processes. Self-service allows end users to reset their expired or non-expired passwords without contacting an administrator or the helpdesk for support.