Let's talk about Cloud Microsoft for Organisations

How to implement Self-Service Password Reset on Microsoft Azure


If you have worked at an IT help desk, you know that most of the calls are for user password resets. Self-service password reset (SSPR) allows users to reset their own passwords using a set of authentication methods chosen by the cloud administrators.

Self-service password reset is always enabled for administrators to avoid lock-out scenarios. Admins need to use two authentication methods for a password reset.

Enabling Self-Service Password Reset

Cloud administrators need to enable SSPR options for users or groups as this option is not enabled by default. To enable this feature, you need to have the Global Administrator role in the tenant.
SSPR can be enabled from Azure Portal ➢ Microsoft Entra ID ➢ Default Directory ➢ Password Reset.



SSPR provides three options:

1) None: SSPR is not enabled.
2) Selected: SSPR is enabled for selected groups.
3) All: SSPR is enabled for all users in the tenant.

Once SSPR is enabled, users need to register for SSPR. Azure will automatically redirect users to the registration page on their first sign-in after SSPR is enabled. Users can always navigate to https://aka.ms/ssprsetup to set up their authentication methods or to change them in the future.

For example, you might have registered with one phone number when you enrolled for SSPR, but you have since changed your phone number. In this case, you can change it by going to the SSPR setup page.

Registered users can always reset their password from the sign-in page by clicking “Can’t access your account?”, as shown below.

It is not necessary to navigate to the Azure Portal to click “Can’t access your account?”; you can use any sign-in page that uses Azure AD login, such as Office 365, Dynamics 365, SharePoint, etc.
Users can also navigate to the reset page directly by going to https://aka.ms/sspr, which is an alias for the following:
https://passwordreset.microsoftonline.com
Now that you are familiar with SSPR setup, let’s see what authentication methods are available for the users and how administrators can control these methods.

Authentication Methods

The administrator can choose the number of authentication methods required to reset the password and the number of methods available for users.

For a successful reset operation, you require at least one authentication method. Nevertheless, it is always better to have a secondary method. For example, if you set up SSPR with an email method, and if the user has no email access, then the user will not be able to reset the password.

Here, it is better to have a second option like a mobile phone so that the user can receive the code as a text message and complete the authentication.

Methods available include the following:

  • Email notification
  • Text message to mobile phone
  • Text message to office phone
  • Mobile app notification
  • Mobile app code
  • Security questions

In the case of security questions, the administrator can decide how many questions need to be registered and how many of them need to be answered to reset the password. Nonetheless, security questions are considered less secure as the answers to these questions can be guessed if the intruder or hacker knows the user personally. Attackers can also collect answers for these questions via social engineering.

Authentication methods can be configured from Azure Portal ➢ Microsoft Entra ID ➢ Password Reset ➢ Authentication Methods.
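To turn the two points above (keep a fallback method; treat security questions as weak) into a check an admin can run over a tenant's registration data, here is an added example that is not from the original post. The records are modelled on the Microsoft Graph userRegistrationDetails report (the field names and method values are assumed from that report; the sample data is constructed), and the check flags SSPR-enabled users who have not registered, have fewer than two methods, or rely only on security questions.

```python
"""Flag SSPR registration gaps in a tenant report (added example)."""
from typing import Dict, List

# Constructed sample, modelled on the Graph userRegistrationDetails report.
# Field names and method values are assumptions taken from that report.
SAMPLE_REPORT: List[Dict] = [
    {"userPrincipalName": "alice@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": True, "methodsRegistered": ["mobilePhone", "email"]},
    {"userPrincipalName": "bob@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": True, "methodsRegistered": ["securityQuestion"]},
    {"userPrincipalName": "carol@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "dave@contoso.example", "isSsprEnabled": False,
     "isSsprRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "erin@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": True, "methodsRegistered": ["email", "securityQuestion"]},
]

# Security questions are the weak method: answers can be guessed or socially engineered.
WEAK_METHODS = {"securityQuestion"}


def sspr_findings(report: List[Dict], min_methods: int = 2) -> Dict[str, List[str]]:
    """Return {upn: [finding, ...]} for SSPR-enabled users with gaps.

    not_registered       - enabled for SSPR but never completed the setup page
    insufficient_methods - fewer than min_methods registered, so no fallback
    only_weak_methods    - every registered method is a security question
    Users who are not enabled for SSPR are skipped; they cannot use it at all.
    """
    findings: Dict[str, List[str]] = {}
    for rec in report:
        if not rec.get("isSsprEnabled"):
            continue
        upn = rec["userPrincipalName"]
        if not rec.get("isSsprRegistered"):
            findings[upn] = ["not_registered"]
            continue
        methods = set(rec.get("methodsRegistered", []))
        issues = []
        if len(methods) < min_methods:
            issues.append("insufficient_methods")
        if methods and methods <= WEAK_METHODS:
            issues.append("only_weak_methods")
        if issues:
            findings[upn] = issues
    return findings


if __name__ == "__main__":
    for upn, issues in sspr_findings(SAMPLE_REPORT).items():
        print(f"{upn}: {', '.join(issues)}")
```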

So far, we have concentrated on a single-tenant environment; in real-world scenarios there will be different tenants, and admins are responsible for the management of these tenants. In the next post, let’s see why we need multiple directories and what benefits they provide.