It has always been a time-consuming struggle to reset passwords for users in Active Directory. It is possible to add a third-party password reset product to your Active Directory, such as the self-service password reset tool from FastPassCorp, but it adds costs and an additional administration layer to the enterprise.
In Azure you can use the integrated self-service password reset (SSPR) functionality to provide password reset to both cloud-only and synchronized AD users. If your users are synchronized from Active Directory, you need to enable Password Writeback in Azure AD Connect, and the Azure AD users need an Azure AD Premium license.
The process of enabling SSPR is pretty straightforward, and in the following I will demonstrate and describe the process in the Azure portal.
1. From the Azure portal, navigate to the Azure Active Directory blade.
2. Within the directory where you will enable SSPR, select Password reset.
3. In the Properties blade you can enable SSPR, and you need to decide whether it applies to all users or to selected groups. It is a good idea to test the SSPR functionality on a group of selected users before enabling it for a broader group of users. Make your preferred selection and click Save.
5. You can choose predefined questions, or you can write your own questions in your preferred language.
6. If you choose to create custom questions, be aware that you must provide a variety of subjects so that all users can choose relevant questions. Add the predefined and custom questions that you find useful.
7. In the Registration blade you can require that users register for SSPR the next time they sign in. You also need to decide the interval at which users must re-confirm their authentication information.
8. In the Notifications blade you can enable email notifications to users when their password has been reset with SSPR. You can also enable notifications to all global administrators when other administrators reset their password with SSPR.
9. In the Customization blade you can provide the users a link to the helpdesk, either via an email address or a URL.
10. In the On-premises integration blade you can enable password writeback for users synchronized from an on-premises Active Directory. In this example the configuration is greyed out because Password writeback has not been enabled in Azure AD Connect. You can enable the Password writeback option in the Azure AD Connect wizard under Optional features, as shown below.
11. When SSPR is enabled and users log in the next time with their Azure AD account, they will be prompted to configure their settings according to the choices you made in the SSPR configuration.
12. The users need to set up the authentication methods you chose in the SSPR configuration. In this example I chose that they need to configure at least 1 option (I could have selected 2). In this example the user will provide answers to the security questions I chose in the SSPR configuration.
13. From the drop-down, choose the questions you like and provide answers you think you can remember in the future.
14. When the user has forgotten his password or just needs to change it, he can start the password reset process from the login window by selecting Forgot my password.
15. The user needs to prove that he is not a robot.
16. The user needs to answer the number of questions you decided on in the SSPR configuration.
17. If the user provides correct answers, he will get the option to change the password.
18. And voilà – all is good.
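To verify the two prerequisites the walkthrough depends on (password writeback in Azure AD Connect from step 10, and that users targeted by SSPR have actually registered their authentication methods from steps 7 and 11–13), here is an added PowerShell audit script. It is not part of the original post and not Microsoft's own tooling. It assumes the ADSync module is available on the Azure AD Connect server (for the first function), that the Microsoft Graph PowerShell SDK is installed (for the second), and that the connector name you pass in is your own tenant's AAD connector; the `Enabled` property name on the writeback configuration object is an assumption based on the cmdlet's displayed output.

```powershell
# Added example, not from the original post. Audits SSPR prerequisites:
#  - Test-PasswordWritebackEnabled : run on the Azure AD Connect server
#  - Get-SsprRegistrationGap       : run anywhere with the Microsoft.Graph SDK

# Part 1: confirm the "Password writeback" optional feature is on for the
# AAD connector. Without it, on-premises users get no SSPR (step 10 above).
function Test-PasswordWritebackEnabled {
    param(
        # Placeholder: replace with your connector, e.g. "<tenant>.onmicrosoft.com - AAD"
        [Parameter(Mandatory)] [string] $ConnectorName
    )
    Import-Module ADSync -ErrorAction Stop
    $cfg = Get-ADSyncAADPasswordResetConfiguration -Connector $ConnectorName
    [pscustomobject]@{
        Connector        = $ConnectorName
        WritebackEnabled = [bool]$cfg.Enabled   # property name assumed from cmdlet output
    }
}

# Part 2: list users who are in scope for SSPR but have not registered any
# method, i.e. who would still end up at the helpdesk on a forgotten password.
# Requires the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes.
function Get-SsprRegistrationGap {
    Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" | Out-Null
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    $details |
        Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered } |
        Select-Object UserPrincipalName,
                      IsSsprCapable,
                      IsSsprRegistered,
                      @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } }
}

# Usage:
#   Test-PasswordWritebackEnabled -ConnectorName "<tenant>.onmicrosoft.com - AAD"
#   Get-SsprRegistrationGap | Format-Table -AutoSize
```

Run the first function on the Azure AD Connect server before switching on the On-premises integration blade; if it reports `WritebackEnabled = False`, the blade will stay greyed out exactly as in the screenshot above. Run the second after the registration enforcement from step 7 has had time to take effect: a non-empty result is the list of users to chase before widening the SSPR rollout from the pilot group to everyone.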