Numerous studies cite the cost of password resets. Although these studies vary widely in their findings, it’s not uncommon for a single password reset to cost around $70 or more.
One way to bring down this cost while reducing end-user frustration is to enable self-service password reset. Azure Active Directory (AD) is one of the largest systems that support this feature. Azure AD controls user accounts, including passwords for business staples like Microsoft 365.
Here, we’ll look at the user-friendly processes Azure AD has to offer. Let’s first delve into how to set up self-service!
Enabling Azure AD’s Self-Service Password Reset
Before you can enable self-service password reset, you’ll need to create a group. After this, you have to choose which users you’ll authorize for a self-service password reset, then add these users to the group. Once you’ve created the group, you can turn on self-service password reset for the group members. Let’s see these steps in more detail.
Creating a New Group
- Log in using an account with global admin permissions
- Open the Azure Active Directory Admin Center
- Click on the Groups tab, then click the New Group link
- Set the group type to Microsoft 365
- Enter a name for the new group. For the purpose of this article, I’ll be calling the group SSPR (self-service password reset)
- Click the No Members Selected link, then select the users who you’ll authorize for self-service password reset
- Click Create to create the group
Great, now you have a group with users who can perform self-service password resets. How exactly do you enable this feature, though? Let’s take a look.
Turn on Self-Service Password Reset
Now that you’ve created the necessary group, you can enable self-service password reset with these 4 steps:
- Select the Password Reset tab from within the Azure Active Directory Admin Center dashboard
- Set the self-service Password Reset option to Selected
- Click the No Groups Selected link, then select the group that you created earlier
- Click the Save icon
Configure User Authentication Methods
During a password reset request, users need to use an alternative method to prove their identity. If they don’t, they can’t reset their password. As an administrator, you’ll need to choose how Azure AD will be able to prove a user’s identity. To do so, follow these 4 steps:
- Click on the Authentication Methods tab
- Choose the number of authentication methods that a password reset will require
- Select the checkboxes corresponding to the authentication methods that you want to allow
- Click Save to complete the process
The Password Reset Process
Before a user can perform a self-service password reset, they need to complete a registration process. The password reset site will ask the user for this info the first time they visit the site, and a reset only works once the user has completed that registration.
To register for a self-service password reset, a user will need to complete these 2 steps:
- Visit https://aka.ms/ssprsetup
- Complete the account registration process. The steps vary widely based on the enabled authentication methods.
Resetting a Password
When a user needs to reset their password, they can do so by completing these 5 steps:
- Visit https://aka.ms/sspr
- Enter your username, complete the captcha, and click Next
- Choose your preferred authentication method and click Next
- Enter the verification information needed for the authentication method
- Enter and retype your new password
Enabling self-service password reset can reduce the help desk’s workload while cutting down on end-user frustration. The process involves creating a group of users and enabling self-service password reset for that group. Users then need to complete a simple registration process before they can reset their own passwords.
Why do you recommend setting the Self-Service Password Reset Enabled option to Selected rather than All?
Nothing is stopping you from using the All button. As a best practice, though, it’s a good idea to avoid enabling self-service password reset for certain privileged accounts. Using the Selected option lets you pick and choose the accounts that’ll have self-service password reset capabilities.
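To check this best practice against a live tenant, the following added example (not part of the original article) uses Microsoft Graph PowerShell to list members of the self-service group who also hold an active directory role. It assumes the Microsoft.Graph module is installed and that the group is named SSPR, as in this article.

```powershell
# Added example: audit the SSPR group for accounts that hold directory roles.
# Read-only; Directory.Read.All covers groups, members and role membership.
Connect-MgGraph -Scopes "Directory.Read.All"

# Assumption: the group enabled for self-service password reset is named "SSPR".
$group = @(Get-MgGroup -Filter "displayName eq 'SSPR'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named SSPR, found $($group.Count)."
}

# Collect the object IDs of every member of the group.
$memberIds = [System.Collections.Generic.HashSet[string]]::new()
foreach ($member in Get-MgGroupMember -GroupId $group[0].Id -All) {
    [void]$memberIds.Add($member.Id)
}

# Walk each activated directory role and record SSPR members who hold it.
# Only currently active role assignments are listed here; eligible
# (not yet activated) assignments need a separate review.
$findings = foreach ($role in Get-MgDirectoryRole) {
    foreach ($holder in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($memberIds.Contains($holder.Id)) {
            [pscustomobject]@{
                Role              = $role.DisplayName
                UserPrincipalName = $holder.AdditionalProperties['userPrincipalName']
                ObjectId          = $holder.Id
            }
        }
    }
}

if ($findings) {
    # Each row is a privileged account that can reset its password via the group.
    $findings | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Output "No directory role holders found in the SSPR group."
}
```

Any account the report lists is a candidate for removal from the group if your policy keeps privileged accounts out of group-based self-service reset.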
Does that mean that you shouldn’t enable self-service password reset for admins?
Admins are always enabled for self-service password reset. That said, multi-factor authentication is required for these password resets. Having self-service reset available helps administrators work quickly or after hours. It's also useful for maintenance, upgrades, or new implementation activities when third parties are involved.
Can you add users directly to the self-service password reset list without having to create a group?
If you enable self-service password reset for everyone, you don’t need to create a group. That said, you may not want to give every user this capability due to organizational security policies.
Is the selection of authentication methods optional?
By default, Azure AD requires one authentication method and allows for authentication by email or mobile phone. Technically, you don’t have to make any changes, but most organizations prefer two authentication methods. They may also choose to enable methods beyond email and phone to enhance their security.
Are there any advantages to requiring multiple authentication methods?
Requiring multiple authentication methods gives stronger verification that the user is who they say they are. If only a single verification method is in place, then someone who has stolen a user’s smartphone could conceivably use the device to reset the user’s password.