Implement Self-Service Password Reset in Azure AD

Steps to Implement SSPR

Step 1: Enable SSPR for your users

You can enable SSPR for all users, a group of users, or specific users.

Sign in to the Azure portal as a Global Administrator.
Navigate to Azure Active Directory.
In the left navigation pane, select Password reset.
Under the Properties tab, click On for "Enable self-service password reset".
Under "Which users can reset their password?", select the desired scope:
- None (This is the default and means SSPR is disabled).
- All (Enables SSPR for all users in your directory).
- Selected (Allows you to choose specific Azure AD groups to enable SSPR for).
If you select "Selected", click Add group and choose the groups you want to include.
Click Save.

Step 2: Configure Authentication Methods

Define which methods users can use to verify their identity during password reset.

In the Azure AD Password reset blade, go to the Authentication methods tab.
Under "Number of methods required to reset", choose how many methods a user needs to register (e.g., 1 or 2).
Under "Available authentication methods", select the methods you want to allow. Common options include:
- Mobile app notification
- Mobile app code
- Email
- Mobile phone
- Office phone
- Security questions
For methods like "Mobile phone" and "Email", you can choose whether they are available to all users or only specific groups.
Click Save.

Step 3: Configure Registration Requirements

Ensure users register the required authentication methods.

In the Azure AD Password reset blade, go to the Registration tab.
For "Require users to register when they log in", choose Yes to prompt users to register their authentication methods upon their next sign-in.
You can set a duration in days for how long users have to register before being forced to do so.
Click Save.

Step 4: Configure Customization (Optional)

Brand your SSPR portal with your company's logo and contact information.

In the Azure AD Password reset blade, go to the Customization tab.
Under "Link to access panel", configure the URL that users will be directed to for password reset.
Under "Helpdesk link", provide a URL or email address for users to contact if they need further assistance.
Upload your company logo.
Click Save.

Step 5: User Registration and Usage

Users need to register their authentication methods. They can do this by visiting a dedicated registration portal or when prompted after login.

Users can register by navigating to https://aka.ms/ssprsetup.
When a user needs to reset their password, they can click the "Can't access your account?" link on the Azure AD sign-in page and follow the prompts.

Important Considerations:

Licensing: Ensure you have the appropriate Azure AD Premium licenses for the users who will utilize SSPR.
Security Questions: While convenient, security questions can be less secure than other methods. Consider using them in conjunction with other strong authentication factors.
User Communication: Inform your users about the SSPR feature, how to register, and how to use it. Provide clear instructions and support channels.
Testing: Thoroughly test the SSPR process from a user's perspective to ensure it works as expected.
Conditional Access: You can integrate SSPR with Azure AD Conditional Access policies for enhanced security.