Azure Self Service Password Reset (SSPR) in Azure Active Directory allows users to change or reset (if forgotten) their Azure AD password directly from the Microsoft 365 or Azure sign-in page. This reduces the burden on your IT department by handing responsibility for resetting passwords back to the users themselves. This post will cover how Self Service Password Reset in Azure works, its requirements and how to enable it.
Pre-requisites for Azure Self Service Password Reset
Each user must have at least the Azure AD free tier license applied to their account. This comes with most Microsoft 365 licenses. Azure AD Premium licenses are required in some scenarios, such as requiring password writeback to your on-premises Active Directory.
How does Self Service Password Reset Work?
For a user to use the self service reset portal they must have registered their chosen authentication methods to their account. This works in the same way as enabling multi-factor authentication for the user; in fact it is the same thing. Not only must the user sign in with their password, they must also have a second layer of authentication enabled, such as phone authentication (with an MFA app) or via SMS.
If a user chooses Can’t access your account from the Microsoft sign-in page, the Self Service Password Reset portal will then be displayed. (It can also be accessed by going directly to https://aka.ms/sspr.) The user is then prompted to enter their username and complete a captcha.
The Azure Self Service Reset Portal will then check that SSPR is enabled on the user's account and that they are assigned a relevant Azure AD license. If these conditions are not met, they will be presented with a message asking them to contact their administrator. It will then check that the correct authentication methods are configured appropriately and whether the user's password is managed in the cloud or on-premises. Again, if either condition is not met, the user will be prompted to contact their administrator.
Will Self Service Password Reset work if my Azure Active Directory is synced with my on-premise Active Directory?
Yes, Azure Self Service Password Reset will work if your Azure Active Directory is synced to your on-premise Active Directory via Azure AD Connect. There are some requirements you should keep in mind, these are:
- You must have password writeback enabled in your Azure AD Connect configuration. This allows changes to your Azure AD password to synchronise back to your on-premises Active Directory.
- Each user will require an Azure AD Premium license, which allows on-premises password writeback to work with Azure SSPR.
An availability set is a grouping of Azure Virtual Machines that allows Azure to understand how your application or workload is built to provide for high availability.
The idea behind an availability set is that you have multiple virtual machines within the availability set running the same service. Should one virtual machine fail, crash or need to be taken out of service for maintenance, the workload or service is still available to your users.
Within your availability set, each virtual machine is assigned an update domain and a fault domain; you can have up to 20 update domains and 3 fault domains.
Update domains determine a group of machines within your availability set that can be updated and rebooted at the same time. Only one update domain is rebooted at a time and each update domain is given 30 minutes to recover from the update before the next update domain is rebooted.
Fault domains are groups of virtual machines that share a common power source and network connectivity (switch). By default, if you have 3 virtual machines, they are spread across 3 fault domains. If you add an additional virtual machine to your availability set, it will be added to fault domain 1, and so on. While fault domains do protect your workload from physical hardware failure, they do not protect your workload from operating system failures or application failures.
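The round-robin placement described above, as an added example (not Azure's own allocator): VMs are dealt across fault domains 1 to 3 and across the update domains in turn, and a helper works out how many VMs keep running if any single domain goes down at once. The update-domain count of 5 used as the default is an assumption for this example; the post only gives the maximum of 20.

```python
FAULT_DOMAINS_MAX = 3     # maximum stated in the post
UPDATE_DOMAINS_MAX = 20   # maximum stated in the post


def assign_domains(vm_count, fault_domains=3, update_domains=5):
    """Round-robin placement as the post describes: VM 1 -> fault domain 1,
    VM 2 -> 2, VM 3 -> 3, VM 4 -> back to 1. Update domains rotate the same way.
    The default of 5 update domains is an assumption for this example."""
    if not 1 <= fault_domains <= FAULT_DOMAINS_MAX:
        raise ValueError("fault domains must be between 1 and 3")
    if not 1 <= update_domains <= UPDATE_DOMAINS_MAX:
        raise ValueError("update domains must be between 1 and 20")
    return [
        {"vm": i + 1,
         "fault_domain": i % fault_domains + 1,
         "update_domain": i % update_domains + 1}
        for i in range(vm_count)
    ]


def min_survivors(placement, key):
    """Fewest VMs still running if any single domain of the given kind
    ("fault_domain" or "update_domain") is lost or rebooted at once.
    0 means one domain holds the whole service, i.e. no redundancy."""
    domains = {p[key] for p in placement}
    return min(len(placement) - sum(1 for p in placement if p[key] == d)
               for d in domains)


if __name__ == "__main__":
    placement = assign_domains(4)
    for p in placement:
        print(p)
    print("VMs left if one fault domain fails:", min_survivors(placement, "fault_domain"))
    print("VMs left while one update domain reboots:", min_survivors(placement, "update_domain"))
```

With four VMs the fourth lands back in fault domain 1, so a failure of that domain takes two machines out while the other two keep serving.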
How to enable Azure Self Service Password Reset
Sign in to your Azure portal by going to portal.azure.com and using your global administrator account.
Once you are signed in, select Azure Active Directory under Azure services.
Select Password reset from the left hand menu.
Choose if you would like to enable Self Service Password Reset for all users, or just for a selected group of users.
It is important that you now select which authentication and registration options you want to be available to your users. Select Authentication methods from the left hand menu.
Select the number of methods required for a user to reset their own password.
Select the methods available to users. I highly recommend NOT using the Security Questions option.
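As an added example (not Microsoft's code, and not how the portal is implemented), the following models the checks the portal runs when a user arrives at the reset page, in the order described earlier in the post: is SSPR enabled for the account, is a license assigned, has the user registered enough of the allowed methods, and, for accounts synced from on-premises, is password writeback enabled with a Premium license. The policy values, group name and user records are constructed for this example, and the allowed-methods set leaves out security questions in line with the recommendation above. An administrator can run the same logic over a user export to find in advance who will be told to contact the help desk.

```python
from dataclasses import dataclass

# Constructed policy values standing in for what an administrator sets in the portal
SSPR_SCOPE = "selected"                 # "none", "all" or "selected" (a group)
SSPR_GROUP = "SSPR-Pilot"               # constructed group name
METHODS_REQUIRED = 2                    # the "number of methods required" setting
ALLOWED_METHODS = {"mobile_app", "sms", "email"}  # security questions deliberately left out


@dataclass
class User:
    upn: str
    license: str               # "none", "aad_free" or "aad_premium"
    groups: frozenset
    registered_methods: frozenset
    synced_from_onprem: bool   # password is mastered in on-premises AD
    writeback_enabled: bool = False


def evaluate(user):
    """Return (allowed, reason), checking in the order the post describes."""
    in_scope = SSPR_SCOPE == "all" or (SSPR_SCOPE == "selected" and SSPR_GROUP in user.groups)
    if not in_scope:
        return False, "SSPR is not enabled for this account"
    if user.license == "none":
        return False, "no Azure AD license assigned"
    usable = user.registered_methods & ALLOWED_METHODS
    if len(usable) < METHODS_REQUIRED:
        return False, f"{len(usable)} usable method(s) registered, {METHODS_REQUIRED} required"
    if user.synced_from_onprem:
        if not user.writeback_enabled:
            return False, "password is managed on-premises but password writeback is not enabled"
        if user.license != "aad_premium":
            return False, "on-premises password writeback requires an Azure AD Premium license"
    return True, "ok"


def audit(users):
    """Help-desk view: which users the portal would turn away, and why."""
    return {u.upn: evaluate(u) for u in users}


def weak_registrations(users):
    """Users who would only pass the method count if security questions were allowed."""
    return sorted(u.upn for u in users
                  if "security_questions" in u.registered_methods
                  and len(u.registered_methods & ALLOWED_METHODS) < METHODS_REQUIRED)


# Constructed sample directory for this example
SAMPLE_USERS = [
    User("alice@example.com", "aad_premium", frozenset({"SSPR-Pilot"}),
         frozenset({"mobile_app", "sms"}), True, True),
    User("bob@example.com", "aad_free", frozenset({"SSPR-Pilot"}),
         frozenset({"mobile_app", "security_questions"}), False),
    User("carol@example.com", "aad_free", frozenset({"SSPR-Pilot"}),
         frozenset({"mobile_app", "email"}), True, True),
    User("dave@example.com", "aad_free", frozenset(),
         frozenset({"mobile_app", "sms"}), False),
]

if __name__ == "__main__":
    for upn, (ok, why) in audit(SAMPLE_USERS).items():
        print(f"{upn}: {'allowed' if ok else 'contact administrator'} ({why})")
    print("registered with security questions only:", weak_registrations(SAMPLE_USERS))
```

Running it shows alice passing every check, bob short of methods once security questions are discounted, carol blocked because her synced account lacks a Premium license, and dave out of scope because he is not in the pilot group.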
Thank you for taking the time to read my post on Azure Self Service Password Reset. I would encourage you to leave any questions below for me to answer.