Is your team drowning in password reset requests, leaving critical work on hold while they assist users back into their accounts? Enter Self-Service Password Reset (SSPR). It’s a common scenario for users to lock themselves out or forget their passwords, and that’s where SSPR shines. Once enabled, users can handle password resets themselves, saving time and frustration for everyone involved. No more waiting hours or days for IT support unless you’re a VIP. SSPR puts the power back in users’ hands, reducing reliance on the support desk and improving overall efficiency.

In this article, we’ll delve into the implementation of Self-Service Password Reset (SSPR) in Office 365. You’ll discover how to enable, configure, and test this service, regardless of whether your organization operates in the cloud or in a hybrid environment. Let’s explore how SSPR can revolutionize your password management processes.

Prerequisites

Before proceeding with this walkthrough, ensure you have the following prerequisites in place:

  1. Azure AD or Microsoft 365 Tenant: You’ll need a functioning Azure AD or Microsoft 365 Tenant. If you don’t have one, you can request a trial account.
  2. Global Administrator User Account: You’ll require a Global Administrator user account for configuring and managing SSPR.
  3. Non-Administrator Cloud-Only Account: This account will be used to test the SSPR user experience. For this article, we’ll use the cloud-only account named “CloudUser.”
  4. [OPTIONAL] On-Premises Windows Active Directory with Azure AD Connect: If you plan to enable password writeback to Windows Active Directory, you’ll need an on-premises Windows Active Directory with Azure AD Connect installed and configured for synchronization.
  5. Non-Administrator Account in Windows AD Synced to Azure AD: This account should be synchronized to Azure AD from the on-premises Windows Active Directory. For our purposes, we’ll use the on-premises user account named “HybridUser.”
  6. Group Membership for Non-Administrator Account: Ensure the non-administrator account is a member of a group. This group will be the target for enabling SSPR. We’ll use the group named “SSPR-Users” in this article.
  7. Licensing and Subscriptions: Depending on your desired SSPR features, you may require different licenses or subscriptions. Please refer to the image below, which outlines the features and necessary licenses.

By meeting these prerequisites, you’ll be ready to proceed with configuring and implementing Self-Service Password Reset (SSPR) effectively.

Understanding the Self-Service Password Reset State Options

While enabling self-service password resets (SSPR) for Office 365 is a straightforward process, implementing it with care is crucial. One of the primary considerations during implementation is how users may be impacted by the change. Fortunately, SSPR offers the flexibility to target specific user groups, minimizing potential disruptions, especially when rolling out SSPR in phases.

There are three states for SSPR, each defining how SSPR is applied to users:

  1. None: In this state, SSPR is disabled for all users in your tenant. It’s important to note that SSPR remains enabled for administrators, even if the state is set to None. Admins are still required to use two authentication methods to reset their passwords using SSPR.
  2. Selected: SSPR is applied only to a selected group of users. This state is particularly useful for staged rollouts, allowing administrators to add users to the target group in batches. This is the SSPR state we’ll focus on in this article. It’s worth mentioning that SSPR permits only one group as a target at a time in the Selected state, although nested groups are allowed.
  3. All: Opting for this state enables SSPR for all users in your tenant. This means SSPR will be available to every user, which may be appropriate for certain organizations but requires careful consideration due to its widespread impact.

By understanding these SSPR state options, administrators can make informed decisions about how to implement SSPR effectively while considering the needs and preferences of their organization’s users.

Enabling SSPR for Cloud-Only Organizations

Enabling self-service password resets (SSPR) for Office 365 in cloud-only organizations is a straightforward process, requiring only a few simple steps to implement the basic setup. Below, we outline the steps to enable SSPR for your organization:

  1. Log in to the Microsoft Azure Portal: Use your global administrator account to log in to the Microsoft Azure portal.
  2. Navigate to Microsoft Entra ID: Once logged in, open Microsoft Entra ID (formerly Azure Active Directory) within the portal.
  3. Access Password Reset Settings: Under the Manage section of the Microsoft Entra ID page, locate and click on “Password Reset.”
  4. Configure Password Reset Properties: Within the Password Reset blade, navigate to the Properties menu blade under the Manage section.
  5. Check Current SSPR State: Review the current state of self-service password resets for Office 365. If it’s set to “None,” SSPR is currently turned off for all end users.
  6. Change SSPR State to Selected: Change the status of SSPR to “Selected” to enable it. Then, specify the target security group whose members will be enabled for SSPR. For example, choose the group named “SSPR-Users.”
  7. Select Target Group: After choosing the target group, click on the “Select” button to confirm your selection.
  8. Save Changes: Once the target group has been selected, click on “Save” to enable SSPR for the specified group.

By following these steps, you can easily enable self-service password resets for Office 365 in cloud-only organizations, providing users with the ability to reset their passwords independently and enhancing overall security and user experience.

Enabling SSPR for Organizations with Hybrid Setup

In the previous section, you learned how to enable SSPR for a selected group of cloud-only users. However, if your organization’s users are synced from an on-premises Active Directory (AD) to Azure AD with Azure AD Connect, additional steps are required.

When users have hybrid accounts, initially created in the on-premises AD, any password reset performed must be written back to the on-premises AD. To enable this functionality, the Password Writeback feature must be enabled in Azure AD Connect.

This feature ensures that password changes made in Azure AD are synchronized back to the on-premises AD, maintaining consistency across both environments.

In the following section, we’ll explore how to enable the Password Writeback feature in Azure AD Connect to facilitate SSPR for organizations with a hybrid setup.

Enabling Password Writeback Feature in Azure AD Connect

To enable the Password Writeback feature in Azure AD Connect, follow these steps:

  1. Launch the Azure AD Connect configuration program on the server where Azure AD Connect is installed.
  2. Click on “Configure” to begin the configuration process.
  3. Under “Additional tasks,” select “Customize synchronization options” and click “Next.”
  4. On the “Connect to Azure AD” page, enter your global administrator account credentials and click “Next.”
  5. Continue clicking through the subsequent pages until you reach the “Optional Features” page.
  6. Put a checkmark in the “Password writeback” checkbox and click “Next.”
  7. On the “Ready to configure” page, click “Configure” to initiate the configuration process.
  8. Wait for the configuration process to complete. Once finished, you should see a status indicating that the configuration was successful.
  9. Click “Exit” to close the configuration program.

By following these steps, you will have successfully enabled the Password Writeback feature in Azure AD Connect, allowing password changes made in Azure AD to be synchronized back to the on-premises AD.
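To confirm that the wizard actually switched writeback on, and to see recent writeback activity, the following check can be run on the Azure AD Connect server. This is an added example, not part of the original article; it assumes the ADSync module that ships with Azure AD Connect, and the event-log provider name PasswordResetService is an assumption.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session
# on the Azure AD Connect server after completing the wizard steps above.
Import-Module ADSync

# The Azure AD connector is named "<tenant>.onmicrosoft.com - AAD"
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }

# Writeback setting for that connector; Enabled must be True for SSPR to
# write a hybrid user's new password back to the on-premises AD
$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
"Password writeback enabled: $($writeback.Enabled)"

if (-not $writeback.Enabled) {
    # Same switch the wizard sets; re-run the wizard or enable it from here
    Write-Warning "Writeback is off. Enable it with:"
    Write-Warning "  Set-ADSyncAADPasswordResetConfiguration -Connector '$($aadConnector.Name)' -Enable `$true"
}

# Recent writeback activity. Assumption: the writeback service logs to the
# Application log under the provider name PasswordResetService.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PasswordResetService' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If the connector lookup returns nothing, run Get-ADSyncConnector alone and pass the exact Azure AD connector name to the cmdlets.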

Configuring Self-Service Password Reset Options for Office 365

In the previous sections, you’ve learned how to enable SSPR with default options, making SSPR functional right out of the gate. However, there’s more you can do to customize and fine-tune SSPR to better align with your organization’s requirements.

These additional options allow for greater control over SSPR and can enhance the user experience. Some of the configurable options include authentication methods, registration settings, notifications, support contact links or email, and integration with on-premises Active Directory (AD).

By configuring these options, you can tailor SSPR to meet the specific needs and security policies of your organization, ensuring a seamless and secure password reset experience for users. Let’s delve into each of these options to understand how they can be customized to optimize SSPR implementation.

Configuring Registration Options

Before users can utilize self-service password resets for Office 365, they must first register their authentication information. Within the Registration menu, you’ll encounter two configuration settings.

The two options presented are as follows:

  1. Require users to register when signing in? – This configuration dictates whether users are prompted to register their authentication information during their next login. If set to No, administrators must guide users on manually registering their self-service password reset information. By default, this setting is enabled (set to Yes).
  2. Number of days before users are asked to re-confirm their authentication information – This value determines the frequency at which users are prompted to update or reconfirm their authentication details for SSPR. By default, this setting is configured for every 180 days.

Configuring Authentication Methods

When users initiate a self-service password reset for Office 365, they must verify their identity. You can configure SSPR to require users to provide up to two authentication methods.

  1. Number of methods required to reset – This setting determines the number of authentication methods users must provide when resetting their passwords. The default value for this setting is 1.
  2. Methods available to users – This displays a list of available authentication methods users can utilize to verify their identity before resetting their account passwords. These methods include using the Microsoft Authenticator app (via code or notification), email, SMS, office phone, and security questions.

Configuring Notifications

Both users and admins should receive email notifications whenever a password reset operation is executed on their accounts.

By notifying users, they can verify that they initiated the password reset themselves.

As depicted in the image above, you have the option to enable “Notify users on password resets” and “Notify all admins when other admins reset their password”.

Configuring Support Contact Information

Another configuration option available is customizing the support contact information for SSPR. This setting provides users with a means to reach out to your helpdesk or administrators.

As illustrated above, the default setting for:

  1. Customize helpdesk link is set to No. Changing this option to Yes lets you enter a value for the next setting.
  2. Custom helpdesk email or URL is the email address or web address shown to users who need help from your helpdesk or administrators.

Configuring On-Premises Integration

Within the On-Premises integration menu, you are presented with the status of the on-premises writeback client availability. This allows you to confirm whether the password writeback feature is operational.

As evident from the image above, you have the option to:

  • Enable or disable the password writeback feature to the on-premises directory.
  • Enable or disable users’ ability to unlock their locked-out accounts without necessitating a password change.

Testing Self-Service Password Reset User Experience

In the preceding sections, you’ve gained insights into enabling self-service password reset in Office 365 along with the array of configuration options available. Now, let’s delve into testing and acquainting ourselves with the self-service password reset user experience.

Registering the Self-Service Password Reset Authentication Information

Upon enabling self-service password resets for Office 365, users are automatically prompted to register their authentication information. Alternatively, users can manually access the SSPR registration link (https://aka.ms/ssprsetup).

As depicted in the screenshots, upon successful sign-in to the Office 365 portal, the user was prompted to register their authentication information. Since SSPR registration requires only one authentication method, registering a phone number sufficed.
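Beyond checking one test user in the portal, an administrator will want to know which members of the target group are in scope, have registered, and have enough methods to satisfy the policy. The following report is an added example, not code from the original article; it assumes the Microsoft Graph PowerShell SDK is installed and uses the SSPR-Users group name from this article.

```powershell
# Added example (not from the article). Reports SSPR readiness for every user in
# the SSPR-Users target group, including members of nested groups.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'GroupMember.Read.All'

$group = Get-MgGroup -Filter "displayName eq 'SSPR-Users'"
# Transitive membership covers nested groups, which the Selected state allows
$memberIds = (Get-MgGroupTransitiveMember -GroupId $group.Id -All).Id

# Registration details are tenant-wide; keep only the target group's members
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $memberIds -contains $_.Id }

$report = foreach ($d in $details) {
    [pscustomobject]@{
        User       = $d.UserPrincipalName
        Enabled    = $d.IsSsprEnabled      # in scope of the SSPR policy
        Registered = $d.IsSsprRegistered   # has registered at least one method
        Capable    = $d.IsSsprCapable      # has enough methods to satisfy the policy
        Methods    = ($d.MethodsRegistered -join ', ')
    }
}
$report | Sort-Object Capable, User | Format-Table -AutoSize

# Users in scope who still cannot reset: candidates for a registration reminder
$report | Where-Object { $_.Enabled -and -not $_.Capable }
```

A user who shows Enabled but not Capable has been targeted by the policy but has not completed registration at https://aka.ms/ssprsetup, or has registered fewer methods than the “Number of methods required to reset” setting demands.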

Performing a Password Reset

For users registered with self-service password reset, resetting the account password requires navigating to the password reset URL at https://aka.ms/sspr.

As evident from the screenshots above, once the user authenticated using an SMS code, the password reset was successfully executed.

Summary

Self-service password resets for Office 365 offer a convenient and secure solution for users and admins to manage their passwords independently. Empowering users with the ability to reset their passwords significantly reduces resolution time and minimizes productivity interruptions.

Throughout this article, you’ve acquired insights into enabling and configuring self-service password reset, as well as understanding the user experience including registration and email notification. While this article covers key configurations, there are additional integrations and policies like setting up banned passwords that can enhance your SSPR implementation.

Before implementing SSPR, our Helpdesk received numerous daily requests for lockouts or forgotten passwords. Since implementation, the Helpdesk now handles requests primarily from incoming students. This shift has liberated our onsite team to focus on critical tasks, elevating overall productivity significantly.