Summary: In this post, we will see how to enable Self-Service Password Reset (SSPR) in Azure for Office 365 users, and how password changes are managed and synced back to on-premises Active Directory.
Description: SSPR includes features such as Password Change, reset, Unlock and writeback to on-premise Active Directory.
License Requirement: Because we are working with a hybrid user that is synced from on-premises AD to Azure AD, and we also require on-premises writeback, a Microsoft 365 Business or Azure AD Premium P1 or P2 license must be assigned to the user. SSPR is not available in the free edition of Azure AD.
Let's start from the user's perspective and see how to reset a password before we configure the feature on the Azure side.
Users can reset their password through Office 365 in the following ways:
- Use the "Can't Access your Account" link on the sign-in page.
- Use the https://passwordreset.microsoftonline.com/ or https://aka.ms/sspr link.
- Use OWA (https://outlook.office365.com/owa) -> click My account -> Security and privacy -> Password (this option requires that you remember your old password).
>> Enable Password Write Back Feature on Azure AD Connect
>> Open the Microsoft Azure Portal (https://portal.azure.com) -> log in with administrator rights -> search for Users and open the User Management page -> select Password Reset to open the password reset page. Slide the bar to All or Selected, depending on your requirement. If you choose Selected, you can select a group that will be enabled for SSPR. Click Authentication methods, Registration and Notification to review the default values and adjust them according to your requirement. It's recommended to require a minimum of 2 authentication methods before allowing users to reset their password.
>> Confirm that the writeback feature is enabled in the Azure Portal.
- SSPR Registration (for registering a phone number): https://aka.ms/ssprsetup.
- Test SSPR: https://aka.ms/sspr.
- Go to Azure Active Directory -> Company Branding to customize Azure AD Sign-in experience.