Configure self-service password reset
Password resets are one of the most expensive support activities for many organizations, and many of them run dedicated front-line help desks just to handle such requests. Self-service password reset (SSPR) lets users reset their own passwords in Microsoft Entra ID and, when properly licensed and configured, write the new password back to an on-premises Active Directory by using password writeback with Entra Connect or Entra Connect Sync. With SSPR, users can change their passwords, reset their passwords when they cannot sign in, and unlock their accounts, all without involving the IT department.
Each of these scenarios applies to both cloud-only and hybrid users, and the licensing requirements vary by scenario and user type. Table 1-1 lists each scenario, the type of user it applies to, and the licenses required.
TABLE 1-1 Self-service password reset license requirements
| Scenario | User Type | License Requirements |
|---|---|---|
| Password Change | Cloud-only user | Included in all license types of Entra ID |
| Password Reset | Cloud-only user | Microsoft 365 Business Standard, Microsoft 365 Business Premium, Entra ID P1, Entra ID P2 |
| Password Change/Unlock/Reset | Hybrid user | Microsoft 365 Business Premium, Entra ID P1, Entra ID P2 |
SSPR is enabled through the Azure portal by browsing to your Entra tenant and selecting Password Reset. When you enable SSPR, you can scope it to a single group rather than all users, which lets you roll the feature out in waves as users are onboarded. As part of the configuration you also select the Authentication Methods available for SSPR: Mobile App Notification, Mobile App Code, Email, Mobile Phone, Office Phone, and/or Security Questions (as shown in Figure 1-13), along with the number of methods a user must present to reset a password. Security questions are the weakest of these methods and are never offered to administrator accounts, which must always present two methods regardless of the tenant setting. Finally, on the Registration blade you configure registration options such as whether users are required to register when they sign in and the number of days before they must reconfirm their authentication information.
FIGURE 1-13 Configure SSPR authentication methods
On the Notifications blade you control whether users are notified when their own password is reset and whether all administrators are notified when another administrator resets their password. On the Customization blade you can set a custom helpdesk link (a URL or an email address) that is shown to users who cannot complete a reset, so that they reach your support desk rather than guessing. If on-premises integration is enabled, the On-Premises Integration blade controls whether passwords are written back to your on-premises directory and whether users may unlock their on-premises accounts without resetting their passwords.
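Before you widen the SSPR scope group to the next wave, it is worth checking which of those users could actually complete a reset under the methods and registration settings above. The following script is an added example written for this page, not Microsoft's code or the book's. It evaluates records in the shape returned by the Microsoft Graph endpoint GET /reports/authenticationMethods/userRegistrationDetails (fields such as isSsprEnabled, isAdmin and methodsRegistered are Graph's own; the SAMPLE_RECORDS are constructed for illustration). The methods_required parameter stands in for the tenant's "Number of methods required to reset" setting, and the two-method rule for administrators, which also excludes security questions, is applied as Microsoft documents it.

```python
"""SSPR readiness check over Microsoft Graph userRegistrationDetails records.

Added example, not from the original text. Feed it the JSON array returned by
GET https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails
(or the output of Get-MgReportAuthenticationMethodUserRegistrationDetail -All).
"""

# Methods that count toward SSPR, by their Graph methodsRegistered names. These
# correspond to the choices on the Authentication Methods blade; MFA-only
# methods such as FIDO2 keys or Windows Hello do not count toward a reset.
SSPR_METHODS = {
    "mobilePhone", "alternateMobilePhone", "officePhone", "email",
    "microsoftAuthenticatorPush", "softwareOneTimePasscode", "securityQuestion",
}
# Security questions are the weakest method and are never offered to
# administrators, who must always present two methods.
WEAK_METHODS = {"securityQuestion"}
ADMIN_METHODS_REQUIRED = 2


def assess_user(rec: dict, methods_required: int) -> list[str]:
    """Return findings for one user; an empty list means the user is ready."""
    findings: list[str] = []
    if not rec.get("isSsprEnabled"):
        return findings  # not in the SSPR scope group, nothing to check
    usable = set(rec.get("methodsRegistered", [])) & SSPR_METHODS
    required = methods_required
    if rec.get("isAdmin"):
        usable -= WEAK_METHODS          # admins cannot answer security questions
        required = ADMIN_METHODS_REQUIRED
    if not usable:
        findings.append("enabled for SSPR but no usable method registered")
    elif len(usable) < required:
        findings.append(f"{len(usable)} usable method(s), policy requires {required}")
    if usable and usable <= WEAK_METHODS:
        findings.append("only security questions registered")
    return findings


def assess_tenant(records: list[dict], methods_required: int) -> dict[str, list[str]]:
    """Map UPN -> findings for every in-scope user who is not ready for SSPR."""
    report: dict[str, list[str]] = {}
    for rec in records:
        findings = assess_user(rec, methods_required)
        if findings:
            report[rec["userPrincipalName"]] = findings
    return report


# Constructed sample data (hypothetical tenant contoso.example).
SAMPLE_RECORDS = [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": False, "isSsprEnabled": True,
     "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False, "isSsprEnabled": True,
     "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": False, "isSsprEnabled": True,
     "methodsRegistered": ["securityQuestion"]},
    {"userPrincipalName": "dave@contoso.example", "isAdmin": True, "isSsprEnabled": True,
     "methodsRegistered": ["securityQuestion", "email"]},
    {"userPrincipalName": "erin@contoso.example", "isAdmin": False, "isSsprEnabled": False,
     "methodsRegistered": []},
    {"userPrincipalName": "frank@contoso.example", "isAdmin": False, "isSsprEnabled": True,
     "methodsRegistered": ["fido2SecurityKey", "windowsHelloForBusiness"]},
]

if __name__ == "__main__":
    # A tenant whose policy requires one method; admins still need two.
    for upn, findings in assess_tenant(SAMPLE_RECORDS, methods_required=1).items():
        print(f"{upn}: {'; '.join(findings)}")
```

Run this against the real report before each rollout wave: users listed under "no usable method registered" will fail at the reset page even though the group scope includes them, which is exactly the case the Registration blade's require-registration-at-sign-in option is meant to close, while "only security questions registered" tells you who is relying on the method you would most want to retire.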