Enable Azure AD Self-Service Password Reset

Numerous studies cite the cost of password resets. Although these studies vary widely in their findings, it’s not uncommon for a single password reset to cost around $70 or more.

One way to bring down this cost while reducing end-user frustration is to enable self-service password reset. Azure Active Directory (AD) is one of the largest systems that support this feature. Azure AD controls user accounts, including passwords, for business staples like Microsoft 365.

Here, we’ll look at the user-friendly processes Azure AD has to offer. Let’s first delve into how to set up self-service!

Enabling Azure AD’s Self-Service Password Reset

Before you can enable self-service password reset, you’ll need to create a group. After this, you have to choose which users you’ll authorize for a self-service password reset, then add these users to the group. Once you’ve created the group, you can turn on self-service password reset for the group members. Let’s see these steps in more detail.

Creating a New Group

  1.   Log in using an account with global admin permissions
  2.   Open the Azure Active Directory Admin Center
  3.   Click on the Groups tab, then click the New Group link
  4.   Set the group type to Microsoft 365
  5.   Enter a name for the new group. For the purpose of this article, I’ll be calling the group SSPR (self-service password reset)

    [Screenshot: Azure Active Directory Admin Center, New Group screen. Caption: You will need to create a group whose members will be authorized to perform self-service password resets.]
  6.   Click the No Members Selected link, then select the users who you’ll authorize for self-service password reset
  7.   Click Create to create the group
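The same group can be created and populated from a script, which is handy when the list of authorized users is long or maintained elsewhere. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original article. It assumes the Microsoft.Graph module is installed, and the user principal names in $authorizedUsers are placeholders you replace with accounts from your own tenant.

```powershell
# Added example (not from the original article): create the SSPR group and add
# its authorized members with the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed; the UPNs below are
# placeholders for accounts in your own tenant.

# Sign in with an account that can manage groups and read users
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$groupName       = "SSPR"                 # same name the article uses
$authorizedUsers = @(                     # placeholder UPNs, replace with your own
    "alice@contoso.example",
    "bob@contoso.example"
)

# Reuse the group if it already exists so the script is safe to re-run
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    # GroupTypes "Unified" makes this a Microsoft 365 group, matching step 4 above
    $group = New-MgGroup -DisplayName $groupName `
                         -MailEnabled:$true -MailNickname "sspr" `
                         -SecurityEnabled:$false -GroupTypes @("Unified")
    Write-Host "Created group $groupName ($($group.Id))"
}

# Current member object ids, so only missing users are added
$existing = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $_.Id })

foreach ($upn in $authorizedUsers) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'"
    if (-not $user) {
        Write-Warning "User not found, skipping: $upn"
        continue
    }
    if ($existing -contains $user.Id) {
        Write-Host "$upn is already a member"
        continue
    }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Added $upn to $groupName"
}
```

Run it from a PowerShell session where you have already installed the SDK (Install-Module Microsoft.Graph). Because the script looks the group up by name and skips users who are already members, it can be re-run as the authorized list changes without creating duplicate groups.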

Great, now you have a group with users who can perform self-service password resets. How exactly do you enable this feature, though? Let’s take a look. 

Turn on Self-Service Password Reset

Now that you’ve created the necessary group, you can enable self-service password reset with these 4 steps:

  1.     Select the Password Reset tab from within the Azure Active Directory Admin Center dashboard
  2.     Set the Self-Service Password Reset Enabled option to Selected

    [Screenshot: Password reset options in Azure Active Directory Admin Center. Caption: Setting the Self-Service Password Reset Enabled option to Selected.]
  3.     Click the No Groups Selected link, then select the group that you created earlier
  4.     Click the Save icon

Configure User Authentication Methods

During a password reset request, users need to use an alternative method to prove their identity. If they don’t, they can’t reset their password. As an administrator, you’ll need to choose how Azure AD will be able to prove a user’s identity. To do so, follow these 4 steps:

  1. Click on the Authentication Methods tab
  2. Choose the number of authentication methods that a password reset will require
  3. Select the checkboxes corresponding to the authentication methods that you want to allow
  4. Click Save to complete the process

    [Screenshot: Password reset authentication methods in Azure Active Directory Admin Center. Caption: You can choose the authentication methods that you wish to allow.]

The Password Reset Process

Before a user can perform a self-service password reset, they need to complete a one-time registration process. The password reset site prompts the user for the required information the first time they visit it; until registration is complete, the user cannot reset their password.

User Registration

To register for a self-service password reset, a user will need to complete these 2 steps:

  1. Visit https://aka.ms/ssprsetup
  2. Complete the account registration process. The steps vary widely based on the enabled authentication methods.
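Registration is the step most likely to be left unfinished, and an unregistered user still ends up at the help desk. The following added example (not part of the original article) reports, for every member of the SSPR group, whether the policy applies to them and whether they have completed registration, and flags members who also hold a directory role, which ties back to the FAQ advice about keeping privileged accounts out of the group. It assumes the Microsoft.Graph module and a group named "SSPR", the name the article uses.

```powershell
# Added example (not from the original article): audit SSPR registration for
# members of the SSPR group and flag members that hold a directory role.
# Assumptions: Microsoft.Graph module installed; group is named "SSPR".

Connect-MgGraph -Scopes "AuditLog.Read.All", "GroupMember.Read.All", "RoleManagement.Read.Directory"

$group   = Get-MgGroup -Filter "displayName eq 'SSPR'"
if (-not $group) { throw "Group 'SSPR' not found" }
$members = Get-MgGroupMember -GroupId $group.Id -All

# Registration details for every user in the tenant, keyed by object id.
# IsSsprRegistered is true once the user has completed aka.ms/ssprsetup.
$details = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $details[$_.Id] = $_ }

# Object ids of users holding any activated directory role (Global Administrator etc.)
$privileged = @{}
Get-MgDirectoryRole -All | ForEach-Object {
    Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All |
        ForEach-Object { $privileged[$_.Id] = $true }
}

$report = foreach ($m in $members) {
    $d = $details[$m.Id]
    [pscustomobject]@{
        User           = if ($d) { $d.UserPrincipalName } else { $m.Id }
        SsprEnabled    = if ($d) { $d.IsSsprEnabled } else { $null }     # policy applies to this user
        SsprRegistered = if ($d) { $d.IsSsprRegistered } else { $null }  # user finished registration
        MfaRegistered  = if ($d) { $d.IsMfaRegistered } else { $null }
        Privileged     = [bool]$privileged[$m.Id]
    }
}

# Unregistered users first, so the follow-up list is at the top
$report | Sort-Object SsprRegistered | Format-Table -AutoSize

$report | Where-Object { $_.Privileged } | ForEach-Object {
    Write-Warning "$($_.User) holds a directory role but is a member of the SSPR group"
}
```

The registration report reflects the tenant-wide authentication methods registration details, so a user who appears with SsprEnabled false is not covered by the policy at all (for example, a nested group member when nesting is not supported), which is worth checking before assuming the group membership alone is enough.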

Resetting a Password

When a user needs to reset their password, they can do so by completing these 5 steps:

  1. Visit https://aka.ms/sspr
  2. Enter your username, complete the captcha, and click Next

    [Screenshot: Account recovery start page asking for a username or email address and an "I'm not a robot" captcha, with a Next button to continue. Caption: You will need to enter your username and complete a captcha.]
  3. Choose your preferred authentication method and click Next
  4. Enter the verification information needed for the authentication method

    [Screenshot: Account verification step where the user selects a contact method such as email or mobile phone. Here the user has selected the text message option and must first enter the phone number stored on the system. Caption: Choose the authentication method that you want to use.]
  5. Enter and retype your new password

Final Thoughts

Enabling self-service password reset can reduce the help desk’s workload while cutting down on end-user frustration. The process involves creating a group of users and enabling self-service password reset for that group. Users then need to complete a simple registration process before they can reset their own passwords.

FAQ
Why do you recommend setting the Self-Service Password Reset Enabled option to Selected rather than All?

Nothing is stopping you from using the All button. As a best practice, though, it’s a good idea to avoid enabling self-service password reset for certain privileged accounts. Using the Selected option lets you pick and choose the accounts that’ll have self-service password reset capabilities.

Does that mean that you shouldn’t enable self-service password reset for admins?

Admins are always enabled for self-service password reset. That said, multi-factor authentication is required for their password resets. This lets administrators work quickly or after hours, and it’s also useful for maintenance, upgrades, or new implementation activities when third parties are involved.

Can you add users directly to the self-service password reset list without having to create a group?

If you enable self-service password reset for everyone, you don’t need to create a group. That said, you may not want to give every user this capability due to organizational security policies.

Is the selection of authentication methods optional?

By default, Azure AD requires one authentication method and allows for authentication by email or mobile phone. Technically, you don’t have to make any changes, but most organizations prefer two authentication methods. They may also choose to enable methods beyond email and phone to enhance their security.

Are there any advantages to requiring multiple authentication methods?

Requiring multiple authentication methods gives stronger assurance that the user is who they claim to be. If only a single verification method is in place, then someone who has stolen a user’s smartphone could conceivably use the device to reset the user’s password.

Resources
Microsoft’s Official Documentation

Get Microsoft’s Official documentation here.

Bulk Group Management in Azure Active Directory

Read about bulk group management in Azure AD here.

End-user Password Resetting

Read more about the end-user frustration associated with password resets here.

How to Reset a Windows 10 Administrator Password

Learn about Resetting the Windows 10 Admin password here.

Azure AD Password Writebacks

Find out how to enable Azure AD password writeback here.

Rolling Out a Self-Service Password System

Discover key considerations for self-service password reset here.
