Give users the possibility to reset their passwords in the AAD using SSPR!

Why users should call HelpDesk to reset OWN passwords in the Azure AD? They shouldn’t!

Users should have the possibility to reset their passwords in the AAD without any interaction from a local helpdesk.

In the Azure AD, there is a possibility to enable a function named SSPR – Self Service Password Reset. It allows users to first configure authentification methods, after that – reset the password.

There are a couple of requirements, what you need to enable to get this function working, so don’t waste your time and start configuring it!

Administrator view

The first thing which I do was creating a new AAD group and add test user to this group. Why I do that? NEVER enable function like this one globally, without previous tests.

Just don’t do this.

Give users the possibility to reset their passwords in the AAD using SSPR!

The second thing which I do was opening AAD Portal > Password reset and enable this function for my specific group.

Give users the possibility to reset their passwords in the AAD using SSPR!

The next thing which you should configure is Authentication methods. On this tab, you should configure how many methods of reset users should perform.

In my case – I selected one option and allowed users to configure multiple reset options. Also, I selected questions to register by users to perform a reset. You can enable pre-defined questions or add your own.

Give users the possibility to reset their passwords in the AAD using SSPR!

On the Customization you can add your link for instruction on how to use SSPR and on the Notifications tab – you can select if you want to notify users that their password was reset.

From the Administrator’s view – it will be everything.

End-User view

End-User to configure methods required to do SSPR need to visit the site https://aka.ms/ssprsetup and log in.

After successful login, the user should see that kind of message:

Give users the possibility to reset their passwords in the AAD using SSPR!

After going to the next step, the user should configure Microsoft Authenticator or another application for codes:

Give users the possibility to reset their passwords in the AAD using SSPR!

Tip: if a user will configure the Microsoft Authenticator app, there will be a possibility to use push notifications for logon.

I also registered a phone number and additional e-mail address for that user.

When users click on the recovery link during the login process, there will be a requirement to use a method to verify a user.

Give users the possibility to reset their passwords in the AAD using SSPR!

And… It is everything for now!

Jakub Piesik

Jakub Piesik

Microsoft 365 Consultant

I’m writing not only about Intune and Windows 365. I’m writing about everything what I leared previously and want to share with you!

#security #microsoft365 #intune #windows365 #powershell #automation 🙂