Azure AD self-service password reset

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

Self-service password reset (SSPR) in Azure Active Directory (Azure AD) allows users to change or reset their passwords without the involvement of an administrator or help desk. If a user’s account is locked or they forget their password, they can unblock themselves and return to work by following the prompts. This capability reduces help desk calls and productivity loss when a user is unable to sign in to their device or an application.

What is the procedure for resetting a password?

The SSPR portal allows users to reset or change their password. They must first register their preferred authentication methods. When a user accesses the SSPR portal, the Azure platform considers the following factors:

· How should the page be localized?

· Is the user account valid?

· To what organization does the user belong?

· Where is the user’s password managed?

When a user selects the Can’t access your account link from an application or page, or goes directly to https://aka.ms/sspr, the language used in the SSPR portal is determined by the following options:

· By default, the browser locale is used to display the SSPR in the appropriate language. The password reset experience is available in the same languages as Microsoft 365.

· If you want to link to the SSPR in a specific language, append ?mkt= to the end of the password reset URL, along with the required locale.

- For example, to specify the Spanish es-us locale, use ?mkt=es-us: https://passwordreset.microsoftonline.com/?mkt=es-us

After the SSPR portal is displayed in the required language, the user is prompted to enter a user ID and pass a captcha. Azure AD then verifies the user’s ability to use SSPR by performing the following checks:

· Checks whether the user has SSPR turned on.

- If the user is not enabled for SSPR, they are prompted to contact their administrator in order to reset their password.

· Checks that the user’s account has the appropriate authentication methods defined in accordance with administrator policy.

- If the policy only requires one method, ensure that the user has the appropriate data defined for at least one of the administrator policy’s authentication methods.

  - If the authentication methods are not configured, the user should contact their administrator to request a password reset.

- If the policy requires two methods, ensure that the user has the appropriate data defined for at least two of the administrator policy’s authentication methods.

  - If the authentication methods are not configured, the user should contact their administrator to request a password reset.

- If the user is assigned an Azure administrator role, the strong two-gate password policy is enforced. See Administrator reset policy differences for more information.

· Checks whether the user’s password is managed on-premises, for example through federation, pass-through authentication, or password hash synchronization, with the following results:

- If SSPR writeback is enabled and the user’s password is managed on-premises, the user is permitted to proceed with authentication and password reset.

- If SSPR writeback is not configured and the user’s password is managed on-premises, the user is prompted to contact their administrator in order to reset their password.

If all of the previous checks are successfully completed, the user is guided through the process to reset or change their password.
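
The checks above as a small model, useful for auditing which accounts would be turned away before they actually need a reset. This is an added example, not Microsoft's code or part of the original article; the Policy and User classes, their field names and the sample accounts are hypothetical, and the two-gate policy for administrators is modelled simply as requiring two methods.

```python
from dataclasses import dataclass

@dataclass
class Policy:                      # hypothetical model of the tenant's SSPR policy
    methods_required: int          # 1 or 2, set by the administrator
    enabled_methods: frozenset     # methods the administrator allows
    writeback_enabled: bool = False

@dataclass
class User:                        # hypothetical model of one account
    upn: str
    sspr_enabled: bool
    registered: frozenset          # methods the user has registered
    is_admin: bool = False
    on_prem_managed: bool = False  # federated, PTA or password hash sync

CONTACT_ADMIN = "contact administrator"
PROCEED = "proceed to reset"

def sspr_gate(user: User, policy: Policy) -> tuple[str, str]:
    """Return (outcome, reason) following the order of checks in the text."""
    if not user.sspr_enabled:
        return CONTACT_ADMIN, "SSPR not enabled for user"
    # Only methods that are both registered and allowed by policy count.
    usable = user.registered & policy.enabled_methods
    # Assumption: the two-gate policy for admin roles is modelled as "two methods".
    required = 2 if user.is_admin else policy.methods_required
    if len(usable) < required:
        return CONTACT_ADMIN, f"{len(usable)} usable method(s), {required} required"
    if user.on_prem_managed and not policy.writeback_enabled:
        return CONTACT_ADMIN, "on-premises password without SSPR writeback"
    return PROCEED, "all checks passed"

def audit(users, policy):
    """List the accounts that would be sent to the help desk, with the reason."""
    return {u.upn: reason for u in users
            for outcome, reason in [sspr_gate(u, policy)] if outcome == CONTACT_ADMIN}

# Constructed sample data (not from a real tenant).
POLICY = Policy(1, frozenset({"email", "mobile phone", "mobile app code"}))
USERS = [
    User("alice@example.com", True, frozenset({"email"})),
    User("bob@example.com", True, frozenset({"security questions"})),
    User("carol@example.com", True, frozenset({"email"}), is_admin=True),
    User("dave@example.com", True, frozenset({"email", "mobile phone"}), on_prem_managed=True),
    User("erin@example.com", False, frozenset({"email"})),
]

if __name__ == "__main__":
    for upn, reason in audit(USERS, POLICY).items():
        print(f"{upn}: {reason}")
```

Running the audit over the sample accounts shows three distinct failure reasons; only the first account passes every check.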

Require users to register when they sign in

You can require a user to complete the SSPR registration if they use modern authentication or a web browser to sign in to any Azure AD applications. The following applications are included in this workflow:

· Microsoft 365

· Azure portal

· Access Panel

· Federated applications

· Custom applications using Azure AD

Users are not prompted during sign-in if registration is not required, but they can register manually. Users can either go to https://aka.ms/ssprsetup or click the Register for password reset link in the Access Panel’s Profile tab.

Authentication methods

A user must register at least one authentication method when they are enabled for SSPR. We strongly advise you to use two or more authentication methods so that your users have more options if one method is unavailable when they need it. See What are authentication methods? for more information.

SSPR supports the following authentication methods:

· Mobile app notification

· Mobile app code

· Email

· Mobile phone

· Office phone (available only for tenants with paid subscriptions)

· Security questions

Users can only reset their passwords if they have registered an authentication method that has been enabled by the administrator.
