ID-03: Enabling Self-Service Password Reset (SSPR)

Overview

Self-Service Password Reset (SSPR) allows users to reset their own passwords without contacting the help desk. When properly configured, SSPR reduces IT support costs, improves user productivity, and can actually increase security by requiring users to verify their identity through multiple factors before resetting.

Why This Matters: Password resets are one of the most common help desk requests, accounting for 20-50% of all IT support tickets. SSPR eliminates this burden while providing a more secure reset process than phone-based help desk verification.

Benefits:

  • Reduces help desk calls by 20-40%
  • Users can reset passwords 24/7 without waiting
  • Faster password recovery improves productivity
  • Verification requirements can be stronger than help desk procedures
  • Encourages users to maintain current security info

Prerequisites

Required Roles

  • Global Administrator or Authentication Policy Administrator - to enable SSPR
  • User Administrator - to manage user accounts
  • Helpdesk Administrator - to perform manual resets when needed

License Requirements

  Feature                                    | License
  -------------------------------------------|-----------------------------------------------------------
  SSPR for cloud-only users                  | Microsoft Entra ID P1/P2 or Microsoft 365 Business Premium
  SSPR for synced users (password writeback) | Microsoft Entra ID P1/P2
  Combined security info registration        | Included with SSPR license

Note: SSPR requires a paid license. It is not included in free Azure AD or Microsoft 365 Basic plans.

Pre-Checks

  1. Determine if your organization has cloud-only users, synced users, or both
  2. For hybrid environments, verify Azure AD Connect is configured for password writeback
  3. Confirm users have registered authentication methods (phone, email, Authenticator)
  4. Review your current password reset procedures and policies

Time Estimate

  Task                                   | Duration
  ---------------------------------------|-----------
  Review prerequisites and current state | 30 minutes
  Configure SSPR policies                | 30 minutes
  Enable password writeback (if hybrid)  | 1 hour
  Test with pilot group                  | 1 week
  User communication and rollout         | 1-2 weeks

Total: 2-3 weeks for full rollout

Step-by-Step Instructions

Step 1: Verify Password Writeback (Hybrid Environments Only)

If you have on-premises Active Directory synchronized with Entra ID, you must enable password writeback before users can reset passwords through SSPR.

Check Azure AD Connect Configuration:

  1. On your Azure AD Connect server, open Azure AD Connect
  2. Click Configure
  3. Select Customize synchronization options and click Next
  4. Sign in with Global Administrator credentials
  5. On the Optional features page, verify Password writeback is checked
  6. Complete the wizard

Verify in Entra Admin Center:

  1. Navigate to Identity > Hybrid management > Azure AD Connect > Cloud Sync or Connect Sync
  2. Verify the sync status is healthy
  3. Check that password writeback is enabled

Important: If password writeback is not enabled and you enable SSPR for synced users, password resets will fail silently or show errors.

Step 2: Configure Authentication Methods for SSPR

Navigation: Entra admin center > Protection > Password reset > Authentication methods

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Protection > Password reset
  3. Click Authentication methods

Configure the following settings:

Number of methods required to reset:

  • Recommended: 2 methods
  • This requires users to verify identity with two different factors
  • More secure than single-method verification

Methods available to users:

  Method                  | Recommended | Notes
  ------------------------|-------------|-------------------------------------------------------
  Mobile app notification | Yes         | Most secure, requires Authenticator
  Mobile app code         | Yes         | TOTP codes from Authenticator
  Email                   | Yes         | Useful backup method
  Mobile phone (SMS)      | Optional    | Less secure but widely available
  Office phone            | Optional    | For users without mobile phones
  Security questions      | No          | Not recommended (answers can be guessed or researched)

Recommended Configuration:

  • Enable: Mobile app notification, Mobile app code, Email, Mobile phone
  • Disable: Security questions
  • Required methods: 2

  4. Click Save

Step 3: Configure SSPR Properties

Navigation: Entra admin center > Protection > Password reset > Properties

  1. Navigate to Protection > Password reset > Properties

  2. Self service password reset enabled:

    • None: SSPR disabled for all users
    • Selected: SSPR enabled for specific groups (recommended for pilot)
    • All: SSPR enabled for all users

For Initial Rollout:

  1. Select Selected
  2. Click Select group
  3. Choose a pilot group (e.g., "SSPR Pilot Users" or "IT Department")
  4. Click Save

For Full Deployment (after pilot):

  1. Select All
  2. Click Save

Step 4: Configure Registration Settings

Navigation: Entra admin center > Protection > Password reset > Registration

  1. Navigate to Protection > Password reset > Registration

Configure:

Require users to register when signing in:

  • Recommended: Yes
  • This prompts users to set up security info at next sign-in

Number of days before users are asked to re-confirm their authentication information:

  • Recommended: 180 days
  • Forces periodic review of security info
  • Set to 0 to disable re-confirmation prompts

  2. Click Save

Step 5: Configure Notifications

Navigation: Entra admin center > Protection > Password reset > Notifications

  1. Navigate to Protection > Password reset > Notifications

Configure:

Notify users on password resets:

  • Recommended: Yes
  • Sends email to user when their password is reset
  • Helps detect unauthorized password changes

Notify all admins when other admins reset their password:

  • Recommended: Yes
  • Alerts all Global Admins when any admin password is reset
  • Important for detecting compromised admin accounts

  2. Click Save

Step 6: Configure On-Premises Integration (Hybrid Only)

Navigation: Entra admin center > Protection > Password reset > On-premises integration

  1. Navigate to Protection > Password reset > On-premises integration

Verify:

  • Write back passwords to your on-premises directory: Yes
  • Allow users to unlock accounts without resetting their password: Yes (recommended)

If these options are grayed out:

  • Password writeback is not configured in Azure AD Connect
  • Return to Step 1 to enable password writeback

  2. Click Save if you made changes

Step 7: Configure Combined Registration (Recommended)

Combined registration allows users to register for both SSPR and MFA in one experience.

Navigation: Entra admin center > Identity > Users > User settings > User feature settings

  1. Navigate to Identity > Users > User settings

  2. Click Manage user feature settings or User feature settings

  3. Under Combined security info registration:

    • Select All to enable for everyone (recommended)
    • Or select Selected for gradual rollout

  4. Click Save

User Experience: Users will be directed to https://aka.ms/mysecurityinfo to manage all their security methods in one place.

Step 8: Test SSPR with Pilot Group

Before rolling out to all users, test with your pilot group:

  1. Ensure pilot users are in the selected SSPR group
  2. Have pilot users register their security info at https://aka.ms/mysecurityinfo
  3. Test password reset:
    • User navigates to https://aka.ms/sspr or clicks "Forgot password" on sign-in
    • User enters their email address
    • User completes CAPTCHA verification
    • User verifies identity using registered methods
    • User creates new password

Test Scenarios:

  • Reset using Authenticator app notification
  • Reset using SMS code
  • Reset using email
  • Unlock account without reset (if enabled)
  • Password writeback to on-premises AD (if hybrid)

Step 9: Roll Out to All Users

After successful pilot testing:

  1. Return to Protection > Password reset > Properties
  2. Change Self service password reset enabled to All
  3. Click Save

Send User Communications:

Subject: You Can Now Reset Your Password Yourself!

Dear [Name],

We've enabled Self-Service Password Reset (SSPR), which means you can now
reset your own password without contacting IT support.

If you forget your password:
1. Go to https://aka.ms/sspr (or click "Forgot password" on the sign-in page)
2. Enter your work email address
3. Complete the security verification
4. Create your new password

Before you can use SSPR, make sure your security info is up to date:
1. Go to https://aka.ms/mysecurityinfo
2. Sign in with your work account
3. Ensure you have at least two verification methods registered

This works 24/7, so you can reset your password anytime, even outside business hours.

Need help? Contact IT support at [EMAIL/PHONE].

[IT Team]

Step 10: Monitor SSPR Usage

Navigation: Entra admin center > Protection > Password reset > Usage & insights

Monitor adoption and troubleshoot issues:

  1. Navigate to Protection > Password reset
  2. Click Usage & insights or Audit logs

Key Metrics to Track:

  Metric        | What It Indicates
  --------------|----------------------------------
  Registrations | Users setting up security info
  Resets        | Successful password resets
  Failures      | Issues requiring investigation
  Unlock only   | Account unlocks without reset

Review Weekly During Rollout:

  • Registration rate (goal: 100% of users)
  • Reset success rate (should be >95%)
  • Top failure reasons
  • Help desk ticket reduction
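The weekly review above can be scripted against an export of the audit log rather than read off the portal. The following Python helper is an added example, not part of this guide or of any Microsoft tooling. It assumes the export is a JSON array of Entra audit-log records with the usual activityDisplayName / result / resultReason / initiatedBy fields; the three activity names it matches on are assumptions to confirm against your own tenant's export, and the embedded sample records are constructed for illustration, not real tenant data.

```python
"""Compute SSPR rollout metrics from an exported Entra ID audit log.

Hypothetical helper for the "Review Weekly During Rollout" list: it reports
registration rate, reset success rate, unlock-only count and the top failure
reasons, and flags the two thresholds the guide sets (100% registered,
>95% reset success).
"""
from collections import Counter
import json

# Activity names as they appear in Entra audit logs (assumed; verify against
# your own export and adjust if your tenant reports them differently).
REGISTERED_ACTIVITY = "User registered all required security info"
RESET_ACTIVITY = "Reset password (self-service)"
UNLOCK_ACTIVITY = "Unlock user account (self-service)"


def _record(activity, user, result="success", reason=""):
    """Build one audit-log-shaped record (constructed sample data)."""
    return {
        "activityDisplayName": activity,
        "result": result,
        "resultReason": reason,
        "initiatedBy": {"user": {"userPrincipalName": f"{user}@example.com"}},
    }


# Constructed sample export covering a pilot of 8 users: 4 registered,
# 6 reset attempts (3 succeeded), 1 unlock-only. Not real tenant data.
SAMPLE_AUDIT_LOG = json.dumps([
    _record(REGISTERED_ACTIVITY, "alice"),
    _record(REGISTERED_ACTIVITY, "bob"),
    _record(REGISTERED_ACTIVITY, "carol"),
    _record(REGISTERED_ACTIVITY, "dave"),
    _record(REGISTERED_ACTIVITY, "erin", "failure", "User cancelled registration"),
    _record(RESET_ACTIVITY, "alice"),
    _record(RESET_ACTIVITY, "bob"),
    _record(RESET_ACTIVITY, "carol"),
    _record(RESET_ACTIVITY, "erin", "failure", "User not registered for SSPR"),
    _record(RESET_ACTIVITY, "frank", "failure", "User not registered for SSPR"),
    _record(RESET_ACTIVITY, "grace", "failure", "Password writeback failed"),
    _record(UNLOCK_ACTIVITY, "dave"),
])


def _upn(record):
    """Return the initiating user's UPN, or "" if the record has none."""
    return record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")


def sspr_metrics(audit_json, total_users):
    """Summarise an audit-log export into the guide's weekly review metrics."""
    records = json.loads(audit_json)
    # Registration counts distinct users, so a user who registered twice is one.
    registered = {
        _upn(r) for r in records
        if r["activityDisplayName"] == REGISTERED_ACTIVITY and r["result"] == "success"
    }
    resets = [r for r in records if r["activityDisplayName"] == RESET_ACTIVITY]
    succeeded = [r for r in resets if r["result"] == "success"]
    failures = Counter(
        r["resultReason"] or "(no reason given)" for r in resets if r["result"] != "success"
    )
    unlocks = sum(
        1 for r in records
        if r["activityDisplayName"] == UNLOCK_ACTIVITY and r["result"] == "success"
    )
    return {
        "registered_users": len(registered),
        "registration_rate": len(registered) / total_users if total_users else 0.0,
        "resets_attempted": len(resets),
        "resets_succeeded": len(succeeded),
        "reset_success_rate": len(succeeded) / len(resets) if resets else 0.0,
        "unlocks": unlocks,
        "top_failure_reasons": failures.most_common(3),
    }


def rollout_warnings(metrics, min_registration=1.0, min_success=0.95):
    """Return the guide's rollout goals that the metrics currently miss."""
    warnings = []
    if metrics["registration_rate"] < min_registration:
        warnings.append(
            f"registration at {metrics['registration_rate']:.0%}, goal is {min_registration:.0%}"
        )
    if metrics["reset_success_rate"] < min_success:
        warnings.append(
            f"reset success at {metrics['reset_success_rate']:.0%}, goal is above {min_success:.0%}"
        )
    return warnings


if __name__ == "__main__":
    m = sspr_metrics(SAMPLE_AUDIT_LOG, total_users=8)
    for key, value in m.items():
        print(f"{key}: {value}")
    for w in rollout_warnings(m):
        print("WARNING:", w)
```

Pass the real export path to json.load instead of SAMPLE_AUDIT_LOG and the licensed user count as total_users; the top failure reasons map directly onto the Troubleshooting section below (an unregistered-user reason points to Step 4's registration prompt, a writeback reason to Step 1).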

Verification Checklist

After enabling SSPR, verify:

  • SSPR is enabled for all users (or selected groups if piloting)
  • At least 2 authentication methods are required
  • Recommended methods are enabled (Authenticator, Email, SMS)
  • Security questions are disabled
  • User notification on password reset is enabled
  • Admin notification for admin resets is enabled
  • Combined registration is enabled
  • Password writeback is working (if hybrid)
  • Users have been notified about SSPR
  • Help desk is prepared for SSPR-related questions
  • Usage monitoring is in place

Troubleshooting

"Password reset is not enabled for your organization"

Problem: User sees this message when trying to reset password

Solutions:

  1. Verify SSPR is enabled (Protection > Password reset > Properties)
  2. If using "Selected," verify the user is in the enabled group
  3. Verify the user has the required license (P1/P2)
  4. Check if the user is a guest (guests may need separate configuration)

"You are not registered for self-service password reset"

Problem: User has not registered authentication methods

Solutions:

  1. Direct user to https://aka.ms/mysecurityinfo
  2. Have them add at least 2 verification methods
  3. Enable "Require users to register when signing in" to prompt registration
  4. Send communications with registration instructions

Password Reset Succeeds but On-Premises Password Not Updated

Problem: User can sign in to cloud apps but not on-premises/VPN

Solutions:

  1. Verify password writeback is enabled in Azure AD Connect
  2. Check Azure AD Connect sync status is healthy
  3. Verify the user account is synced (not cloud-only)
  4. Check Azure AD Connect service is running on the sync server
  5. Review event logs on Azure AD Connect server for errors

User Receives "We couldn't verify your account"

Problem: Verification methods are not matching

Solutions:

  1. Have user verify their security info at https://aka.ms/mysecurityinfo
  2. Ensure phone numbers include country code
  3. Verify email addresses are correct and accessible
  4. If using Authenticator, have user remove and re-add account

Administrator Cannot Reset User Password

Problem: Admin sees "Insufficient privileges" or similar error

Solutions:

  1. Verify admin has User Administrator or Helpdesk Administrator role
  2. Note: Helpdesk Admins cannot reset passwords for Global Admins
  3. For admin password resets, use an account with higher privileges
  4. Check if the user account is protected by Administrative Units

SSPR Not Working for Synchronized Users

Problem: Reset works for cloud users but fails for synced users

Solutions:

  1. Verify Azure AD Connect password writeback is enabled
  2. Check that the AD DS account has proper permissions
  3. Verify AD DS account password has not expired
  4. Test with: Get-ADSyncScheduler on the sync server
  5. Check event logs: Applications and Services > Azure AD Connect

Cost Considerations

Licensing Costs

  Scenario                           | License Required     | Cost
  -----------------------------------|----------------------|-----------------
  SSPR for cloud users               | Entra ID P1          | ~$6/user/month
  SSPR with password writeback       | Entra ID P1          | ~$6/user/month
  Already have M365 Business Premium | Included             | $0 additional
  Already have E3/E5                 | Check if P1 included | May be $0

Return on Investment

Help Desk Cost Savings:

  Metric                            | Typical Value
  ----------------------------------|----------------------
  Password reset calls before SSPR  | 20-50% of all tickets
  Average time per reset call       | 10-15 minutes
  Help desk cost per minute         | $0.50-1.50
  Cost per password reset           | $5-22

Example Calculation (500 users):

  • 50 password resets/month x $15/reset = $750/month before SSPR
  • SSPR license cost: 500 x $6 = $3,000/month
  • But SSPR is often bundled with other needed features

Productivity Savings:

  • Users don't wait for help desk (saves 30 min to 2 hours per incident)
  • Password resets available 24/7
  • Reduced frustration and interruption

Implementation Costs

  Item                           | Estimate
  -------------------------------|-----------------------
  IT time for configuration      | 4-8 hours
  User communication             | 2-4 hours
  Pilot program                  | 1 week of monitoring
  Full rollout                   | 2 weeks of monitoring
  Training materials (optional)  | 4-8 hours

Related Controls


Additional Resources