ID-03: Enabling Self-Service Password Reset (SSPR)
Overview
Self-Service Password Reset (SSPR) allows users to reset their own passwords without contacting the help desk. When properly configured, SSPR reduces IT support costs, improves user productivity, and can actually increase security by requiring users to verify their identity through multiple factors before resetting.
Why This Matters: Password resets are one of the most common help desk requests, accounting for 20-50% of all IT support tickets. SSPR eliminates this burden while providing a more secure reset process than phone-based help desk verification.
Benefits:
- Reduces help desk calls by 20-40%
- Users can reset passwords 24/7 without waiting
- Faster password recovery improves productivity
- Verification requirements can be stronger than help desk procedures
- Encourages users to maintain current security info
Prerequisites
Required Roles
- Global Administrator or Authentication Policy Administrator - to enable SSPR
- User Administrator - to manage user accounts
- Helpdesk Administrator - to perform manual resets when needed
License Requirements
| Feature | License |
|---|---|
| SSPR for cloud-only users | Microsoft Entra ID P1/P2 or Microsoft 365 Business Premium |
| SSPR for synced users (password writeback) | Microsoft Entra ID P1/P2 |
| Combined security info registration | Included with SSPR license |
Note: SSPR requires a paid license. It is not included in free Azure AD or Microsoft 365 Basic plans.
Pre-Checks
- Determine if your organization has cloud-only users, synced users, or both
- For hybrid environments, verify Azure AD Connect is configured for password writeback
- Confirm users have registered authentication methods (phone, email, Authenticator)
- Review your current password reset procedures and policies
Time Estimate
| Task | Duration |
|---|---|
| Review prerequisites and current state | 30 minutes |
| Configure SSPR policies | 30 minutes |
| Enable password writeback (if hybrid) | 1 hour |
| Test with pilot group | 1 week |
| User communication and rollout | 1-2 weeks |
Total: 2-3 weeks for full rollout
Step-by-Step Instructions
Step 1: Verify Password Writeback (Hybrid Environments Only)
If you have on-premises Active Directory synchronized with Entra ID, you must enable password writeback before users can reset passwords through SSPR.
Check Azure AD Connect Configuration:
- On your Azure AD Connect server, open Azure AD Connect
- Click Configure
- Select Customize synchronization options and click Next
- Sign in with Global Administrator credentials
- On the Optional features page, verify Password writeback is checked
- Complete the wizard
Verify in Entra Admin Center:
- Navigate to Identity > Hybrid management > Azure AD Connect > Cloud Sync or Connect Sync
- Verify the sync status is healthy
- Check that password writeback is enabled
Important: If password writeback is not enabled and you enable SSPR for synced users, password resets will fail silently or show errors.
Step 2: Configure Authentication Methods for SSPR
Navigation: Entra admin center > Protection > Password reset > Authentication methods
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Password reset
- Click Authentication methods
Configure the following settings:
Number of methods required to reset:
- Recommended: 2 methods
- This requires users to verify identity with two different factors
- More secure than single-method verification
Methods available to users:
| Method | Recommended | Notes |
|---|---|---|
| Mobile app notification | Yes | Most secure, requires Authenticator |
| Mobile app code | Yes | TOTP codes from Authenticator |
| Email | Yes | Useful backup method |
| Mobile phone (SMS) | Optional | Less secure but widely available |
| Office phone | Optional | For users without mobile phones |
| Security questions | No | Not recommended (answers can be guessed/researched) |
Recommended Configuration:
- Enable: Mobile app notification, Mobile app code, Email, Mobile phone
- Disable: Security questions
- Required methods: 2
- Click Save
Step 3: Configure SSPR Properties
Navigation: Entra admin center > Protection > Password reset > Properties
- Navigate to Protection > Password reset > Properties
- Self service password reset enabled:
- None: SSPR disabled for all users
- Selected: SSPR enabled for specific groups (recommended for pilot)
- All: SSPR enabled for all users
For Initial Rollout:
- Select Selected
- Click Select group
- Choose a pilot group (e.g., "SSPR Pilot Users" or "IT Department")
- Click Save
For Full Deployment (after pilot):
- Select All
- Click Save
Step 4: Configure Registration Settings
Navigation: Entra admin center > Protection > Password reset > Registration
- Navigate to Protection > Password reset > Registration
Configure:
Require users to register when signing in:
- Recommended: Yes
- This prompts users to set up security info at next sign-in
Number of days before users are asked to re-confirm their authentication information:
- Recommended: 180 days
- Forces periodic review of security info
- Set to 0 to disable re-confirmation prompts
- Click Save
Step 5: Configure Notifications
Navigation: Entra admin center > Protection > Password reset > Notifications
- Navigate to Protection > Password reset > Notifications
Configure:
Notify users on password resets:
- Recommended: Yes
- Sends email to user when their password is reset
- Helps detect unauthorized password changes
Notify all admins when other admins reset their password:
- Recommended: Yes
- Alerts all Global Admins when any admin password is reset
- Important for detecting compromised admin accounts
- Click Save
Step 6: Configure On-Premises Integration (Hybrid Only)
Navigation: Entra admin center > Protection > Password reset > On-premises integration
- Navigate to Protection > Password reset > On-premises integration
Verify:
- Write back passwords to your on-premises directory: Yes
- Allow users to unlock accounts without resetting their password: Yes (recommended)
If these options are grayed out:
- Password writeback is not configured in Azure AD Connect
- Return to Step 1 to enable password writeback
- Click Save if you made changes
Step 7: Configure Combined Registration (Recommended)
Combined registration allows users to register for both SSPR and MFA in one experience.
Navigation: Entra admin center > Identity > Users > User settings > User feature settings
- Navigate to Identity > Users > User settings
- Click Manage user feature settings or User feature settings
- Under Combined security info registration:
- Select All to enable for everyone (recommended)
- Or select Selected for gradual rollout
- Click Save
User Experience: Users will be directed to https://aka.ms/mysecurityinfo to manage all their security methods in one place.
Step 8: Test SSPR with Pilot Group
Before rolling out to all users, test with your pilot group:
- Ensure pilot users are in the selected SSPR group
- Have pilot users register their security info at https://aka.ms/mysecurityinfo
- Test password reset:
- User navigates to https://aka.ms/sspr or clicks "Forgot password" on sign-in
- User enters their email address
- User completes CAPTCHA verification
- User verifies identity using registered methods
- User creates new password
Test Scenarios:
- Reset using Authenticator app notification
- Reset using SMS code
- Reset using email
- Unlock account without reset (if enabled)
- Password writeback to on-premises AD (if hybrid)
Step 9: Roll Out to All Users
After successful pilot testing:
- Return to Protection > Password reset > Properties
- Change Self service password reset enabled to All
- Click Save
Send User Communications:
Subject: You Can Now Reset Your Password Yourself!
Dear [Name],
We've enabled Self-Service Password Reset (SSPR), which means you can now
reset your own password without contacting IT support.
If you forget your password:
1. Go to https://aka.ms/sspr (or click "Forgot password" on the sign-in page)
2. Enter your work email address
3. Complete the security verification
4. Create your new password
Before you can use SSPR, make sure your security info is up to date:
1. Go to https://aka.ms/mysecurityinfo
2. Sign in with your work account
3. Ensure you have at least two verification methods registered
This works 24/7, so you can reset your password anytime, even outside business hours.
Need help? Contact IT support at [EMAIL/PHONE].
[IT Team]
Step 10: Monitor SSPR Usage
Navigation: Entra admin center > Protection > Password reset > Usage & insights
Monitor adoption and troubleshoot issues:
- Navigate to Protection > Password reset
- Click Usage & insights or Audit logs
Key Metrics to Track:
| Metric | What It Indicates |
|---|---|
| Registrations | Users setting up security info |
| Resets | Successful password resets |
| Failures | Issues requiring investigation |
| Unlock only | Account unlocks without reset |
Review Weekly During Rollout:
- Registration rate (goal: 100% of users)
- Reset success rate (should be >95%)
- Top failure reasons
- Help desk ticket reduction
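The weekly review above, and the "not registered" troubleshooting case below, can be scripted over an export of the Entra registration report and the SSPR audit log. The example below is added here and is not part of this guide or of Microsoft's tooling; the record shapes follow the Graph userRegistrationDetails report and the directory audit log as I know them (field names and activity names are assumptions), and all rows are constructed.

```python
from collections import Counter

# Constructed rows shaped like the Graph userRegistrationDetails report (field names assumed).
REGISTRATION = [
    {"userPrincipalName": "alice@contoso.example", "isSsprRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@contoso.example", "isSsprRegistered": True,
     "methodsRegistered": ["securityQuestion", "email"]},
    {"userPrincipalName": "carol@contoso.example", "isSsprRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "dave@contoso.example", "isSsprRegistered": True,
     "methodsRegistered": ["email"]},
]
# Constructed SSPR entries shaped like directory audit log rows (activity names assumed).
AUDIT = [
    {"activityDisplayName": "Reset password (self-service)", "result": "success", "resultReason": ""},
    {"activityDisplayName": "Reset password (self-service)", "result": "failure",
     "resultReason": "User is not licensed"},
    {"activityDisplayName": "Reset password (self-service)", "result": "failure",
     "resultReason": "User is not licensed"},
    {"activityDisplayName": "Reset password (self-service)", "result": "success", "resultReason": ""},
    {"activityDisplayName": "Unlock user account (self-service)", "result": "success", "resultReason": ""},
]

REQUIRED_METHODS = 2                  # "Number of methods required to reset" from Step 2
WEAK_METHODS = {"securityQuestion"}   # disabled in Step 2, so it must not count toward the two

def usable_methods(row):
    """Registered methods that still count once security questions are disabled."""
    return [m for m in row["methodsRegistered"] if m not in WEAK_METHODS]

def registration_rate(rows):
    """Share of users registered for SSPR (rollout goal is 1.0)."""
    return sum(1 for r in rows if r["isSsprRegistered"]) / len(rows) if rows else 0.0

def users_needing_attention(rows):
    """Users who would see 'not registered' or cannot satisfy the two-method requirement."""
    return sorted(r["userPrincipalName"] for r in rows
                  if len(usable_methods(r)) < REQUIRED_METHODS)

def reset_metrics(events):
    """Reset volume, success rate (watch for < 0.95), unlock-only count and top failure reasons."""
    resets = [e for e in events if e["activityDisplayName"] == "Reset password (self-service)"]
    unlocks = [e for e in events if e["activityDisplayName"] == "Unlock user account (self-service)"]
    ok = sum(1 for e in resets if e["result"] == "success")
    failures = Counter(e["resultReason"] for e in resets if e["result"] != "success")
    return {"resets": len(resets), "success_rate": ok / len(resets) if resets else 0.0,
            "unlock_only": len(unlocks), "top_failures": failures.most_common(3)}
```

Note that bob is flagged even though he is "registered": once security questions are disabled, email alone cannot satisfy the two-method requirement, which is exactly the user who will open a ticket.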
Verification Checklist
After enabling SSPR, verify:
- SSPR is enabled for all users (or selected groups if piloting)
- At least 2 authentication methods are required
- Recommended methods are enabled (Authenticator, Email, SMS)
- Security questions are disabled
- User notification on password reset is enabled
- Admin notification for admin resets is enabled
- Combined registration is enabled
- Password writeback is working (if hybrid)
- Users have been notified about SSPR
- Help desk is prepared for SSPR-related questions
- Usage monitoring is in place
Troubleshooting
"Password reset is not enabled for your organization"
Problem: User sees this message when trying to reset password
Solutions:
- Verify SSPR is enabled (Protection > Password reset > Properties)
- If using "Selected," verify the user is in the enabled group
- Verify the user has the required license (P1/P2)
- Check if the user is a guest (guests may need separate configuration)
"You are not registered for self-service password reset"
Problem: User has not registered authentication methods
Solutions:
- Direct user to https://aka.ms/mysecurityinfo
- Have them add at least 2 verification methods
- Enable "Require users to register when signing in" to prompt registration
- Send communications with registration instructions
Password Reset Succeeds but On-Premises Password Not Updated
Problem: User can sign in to cloud apps but not on-premises/VPN
Solutions:
- Verify password writeback is enabled in Azure AD Connect
- Check Azure AD Connect sync status is healthy
- Verify the user account is synced (not cloud-only)
- Check Azure AD Connect service is running on the sync server
- Review event logs on Azure AD Connect server for errors
User Receives "We couldn't verify your account"
Problem: Verification methods are not matching
Solutions:
- Have user verify their security info at https://aka.ms/mysecurityinfo
- Ensure phone numbers include country code
- Verify email addresses are correct and accessible
- If using Authenticator, have user remove and re-add account
Administrator Cannot Reset User Password
Problem: Admin sees "Insufficient privileges" or similar error
Solutions:
- Verify admin has User Administrator or Helpdesk Administrator role
- Note: Helpdesk Admins cannot reset passwords for Global Admins
- For admin password resets, use an account with higher privileges
- Check if the user account is protected by Administrative Units
SSPR Not Working for Synchronized Users
Problem: Reset works for cloud users but fails for synced users
Solutions:
- Verify Azure AD Connect password writeback is enabled
- Check that the AD DS account has proper permissions
- Verify AD DS account password has not expired
- Test with Get-ADSyncScheduler on the sync server
- Check event logs: Applications and Services > Azure AD Connect
Cost Considerations
Licensing Costs
| Scenario | License Required | Cost |
|---|---|---|
| SSPR for cloud users | Entra ID P1 | ~$6/user/month |
| SSPR with password writeback | Entra ID P1 | ~$6/user/month |
| Already have M365 Business Premium | Included | $0 additional |
| Already have E3/E5 | Check if P1 included | May be $0 |
Return on Investment
Help Desk Cost Savings:
| Metric | Typical Value |
|---|---|
| Password reset calls before SSPR | 20-50% of all tickets |
| Average time per reset call | 10-15 minutes |
| Help desk cost per minute | $0.50-1.50 |
| Cost per password reset | $5-22 |
Example Calculation (500 users):
- 50 password resets/month x $15/reset = $750/month before SSPR
- SSPR license cost: 500 x $6 = $3,000/month
- But SSPR is often bundled with other needed features
Productivity Savings:
- Users don't wait for help desk (saves 30 min to 2 hours per incident)
- Password resets available 24/7
- Reduced frustration and interruption
Implementation Costs
| Item | Estimate |
|---|---|
| IT time for configuration | 4-8 hours |
| User communication | 2-4 hours |
| Pilot program | 1 week of monitoring |
| Full rollout | 2 weeks of monitoring |
| Training materials (optional) | 4-8 hours |
Related Controls
- ID-01: MFA Registration - SSPR and MFA share security info registration
- ID-04: Passwordless Authentication - Alternative to passwords entirely
- GOV-01: Stale Accounts - SSPR helps keep accounts active