Azure Identity And Access Management Part 9 – Azure Active Directory – Self-Service Password Reset (SSPR)
Hope you all are doing good !!!
In our last article we discussed how to configure an Azure AD Registered Device. In this article, we will discuss one more important Azure AD service: Azure Self-Service Password Reset (SSPR).
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Part 1 – Azure Active Directory – Overview
Part 2 – Azure Active Directory – Enterprise Users
Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using PowerShell
Part 4 – Azure Active Directory – Create Azure AD Extension Attribute Using PowerShell
Part 5 – Azure Active Directory – Bulk Update of Azure AD User Profile Using PowerShell
Part 6 – Azure Active Directory – Manage Device Identity 1 – Overview
Part 7 – Azure Active Directory – Manage Device Identity 2 – Azure AD Joined
Part 8 – Azure Active Directory – Manage Device Identity 3 – Azure AD Registered
Next Article : Part 10 – Azure Active Directory – Identity Protection
Self-Service Password Reset (SSPR) :
Self-Service Password Reset (SSPR) is an Azure Active Directory (AD) premium feature that enables users to reset their passwords without contacting IT staff for help. Users can quickly unblock themselves and continue working regardless of where they are or the time of day.
Key Capabilities Of SSPR :
- SSPR allows end users to reset their expired or non-expired passwords without contacting an administrator or helpdesk for support.
- Password management activity reports give administrators insight into password reset and registration activity occurring in their organization.
- It works for both the cloud identity and the synced identity model.
- Password writeback allows management of on-premises passwords and resolution of account lockouts through the cloud.
- On-premises password policies are applied to every password reset request.
- Real-time synchronous operation through Azure AD Connect.
- An admin resetting the password from the Azure portal is supported.
- Doesn’t require any inbound ports to be opened.
SSPR Process :
The complete SSPR process has three steps. A user needs to go through all of the following steps before they can unlock their account or reset their password.
1. License Assignment
To use the Self-Service Password Reset (SSPR) service of Azure AD, every user must have one of the following licenses.
- Azure AD Premium P1
- Azure AD Premium P2
- Enterprise Mobility + Security
- Microsoft 365 enterprise
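The licensing step is the one most often missed when a user is added to the SSPR group but still cannot reset. The following script is an added example, not part of the original article: it walks the members of the SSPR group (including nested groups) and reports anyone whose assigned licenses do not contain an Azure AD Premium service plan. It assumes the Microsoft Graph PowerShell SDK is installed and that the SSPR group is called 'SSPR-Users' (a placeholder; substitute your own group name). All four license options listed above carry the AAD_PREMIUM or AAD_PREMIUM_P2 service plan, so checking the service plan covers them all.

```powershell
# Added example (not from the original article): find SSPR group members
# who hold no Azure AD Premium service plan and therefore cannot use SSPR.
# Assumptions: Microsoft Graph PowerShell SDK; group name 'SSPR-Users' is a placeholder.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All" -NoWelcome

# Azure AD Premium P1 / P2 show up as these service plans inside every qualifying SKU
# (P1, P2, Enterprise Mobility + Security, Microsoft 365 E3/E5).
$requiredPlans = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')

$group = Get-MgGroup -Filter "displayName eq 'SSPR-Users'"
if (-not $group) { throw "SSPR group 'SSPR-Users' not found" }

# Transitive membership resolves nested groups, which SSPR group selection allows.
# Only user objects matter here; nested group objects are filtered out.
$members = Get-MgGroupTransitiveMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    # Service plans that are actually provisioned for this user
    $plans = Get-MgUserLicenseDetail -UserId $m.Id |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ProvisioningStatus -eq 'Success' } |
        Select-Object -ExpandProperty ServicePlanName

    [pscustomobject]@{
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        HasPremiumPlan    = [bool]($plans | Where-Object { $_ -in $requiredPlans })
        AadPlans          = (($plans | Where-Object { $_ -like 'AAD_*' }) -join ',')
    }
}

# These users are in the SSPR group but will be refused at reset time until licensed.
$report | Where-Object { -not $_.HasPremiumPlan } | Format-Table -AutoSize
```

Run it before enabling SSPR on a group, and again after any license changes; a user who loses the Premium plan keeps their group membership but silently drops out of SSPR.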
2. Portal Configuration / Enable Password Write-back
Enable Password Write-back :
If our environment is configured as a hybrid environment and user objects are synchronized from on-premises AD to Azure AD, we need to enable the password writeback option in Azure AD Connect. This is an extra step that applies only to the synced identity model.
Configuration In Azure Portal :
- Sign in to the Azure portal using an account with global administrator permissions.
- Search for and select Azure Active Directory, then choose Password reset from the menu on the left-hand side as shown in the following figure
Enable Self-Service Password Reset :
From the Properties page, under the option Self service password reset enabled, select the required group for this process and save the changes as in the following figure. We need to make sure that the users in the group(s) we choose have the appropriate licenses assigned. Nested groups are allowed.
Select Authentication Methods :
When SSPR is enabled, users can only reset their password if they have data present for the authentication methods that the administrator has enabled. Methods include phone, authentication app notification, security questions, etc. Authentication methods help verify the identity of someone (a user, device, or entity) who wants to access data, resources, or applications.
- On the Authentication methods page, set the Number of methods required to reset to 1 or 2. To improve security, we can increase the number of authentication methods required for SSPR.
- Let’s select the Methods available to users that our organization wants to allow. For this tutorial, we keep the default setting, check Email and Mobile phone, and click Save to save the changes, as shown in the following figure. The other available methods are:
- Mobile app notification
- Mobile app code
- Mobile phone
- Office phone
Configure Registration Options :
Contact information is required for every identity for which we are configuring SSPR. An administrator can manually set this contact information, or users can go to a registration portal to provide the information themselves. We can also configure it so that the users will be prompted for registration when they next sign in.
- On the Registration page, select Yes for Require users to register when signing in. It’s important that contact information is kept up to date; otherwise users may not be able to unlock their account or reset their password.
- We can set Number of days before users are asked to reconfirm their authentication information. We leave it at its default value and click the Save button.
Configure Notifications :
The following two settings need to be set on the Notifications page; save the changes if anything was changed.
- Notify users on password resets : If this option is set to Yes, then users resetting their password receive an email notifying them that their password has been changed.
- Notify all admins when other admins reset their passwords : Selecting Yes on both increases security by ensuring that users are aware when their password is reset. It also ensures that all admins are aware when an admin changes a password.
If users need additional help with the SSPR process, we can customize the “Contact your administrator” link to point to any custom page where users can get complete information. Set this option to a common help-desk email address or web page that your users are familiar with.
- On the Customization page, set Customize helpdesk link to Yes.
- In the Custom helpdesk email or URL field, provide an email address or web page URL where your users can get additional help from your organization, such as
On-premises integration :
If we have configured and enabled Azure AD Connect, we have the following additional options for on-premises integration. If these options are grayed out, then writeback has not been properly configured. In my case we have not configured Azure AD Connect, so there is nothing to configure, as shown in the following figure.
Otherwise, if Azure AD Connect is configured and password writeback is enabled, the configuration will look like the following figure.
3. User Registration Process
As per our above configuration, during the user’s first login SSPR will ask the user to register and provide the required information if they have not registered yet, as shown in the following figure.
In the next window, it will ask the user to validate their phone number and email ID, as shown in the following figure.
Testing SSPR Configuration :
Now we are done with all our configuration. It is time to test it with one user. Let’s try to log in with my test user account ‘Uday@manasmoharanagmail.onmicrosoft.com’, for whom the admin has enabled SSPR.
To reset the password, click ‘Forgot my password’ and prove that you are not a robot or an automated process, as shown in the following figure.
Follow the verification steps specified in the following window to reset the password.
When complete, we should receive an e-mail notification to inform about the password reset.
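The e-mail notification confirms the reset from the user's side; an administrator should also be able to see the same event in the Azure AD audit log, which is where failed or blocked attempts show up too. The script below is an added example, not part of the original article. It assumes the Microsoft Graph PowerShell SDK and the AuditLog.Read.All permission; the activity names it filters on are the ones Azure AD writes for SSPR in the UserManagement category and should be checked against your own tenant's audit log if they differ.

```powershell
# Added example (not from the original article): list self-service password reset
# activity from the Azure AD audit log for the last 24 hours.
# Assumptions: Microsoft Graph PowerShell SDK; activity display names as written by
# Azure AD for SSPR (verify against your tenant if your log shows different names).
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

# Graph expects an unquoted ISO 8601 UTC timestamp in the filter.
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")

# The UserManagement category holds the password management activities.
$filter = "category eq 'UserManagement' and activityDateTime ge $since"
$ssprActivities = @(
    'Reset password (self-service)',
    'Unlock user account (self-service)',
    'Blocked from self-service password reset'
)

$events = @(Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Where-Object { $_.ActivityDisplayName -in $ssprActivities })

$events | ForEach-Object {
    [pscustomobject]@{
        When     = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        User     = $_.InitiatedBy.User.UserPrincipalName   # the user resetting their own password
        Result   = $_.Result                               # success / failure
        Reason   = $_.ResultReason                         # e.g. why a reset was blocked
    }
} | Sort-Object When -Descending | Format-Table -AutoSize

# Failures are the rows worth alerting on: a burst of failed resets against one
# account can indicate someone probing that account's recovery methods.
$failed = @($events | Where-Object { $_.Result -ne 'success' })
"{0} SSPR event(s) in the last 24 hours, {1} failed" -f $events.Count, $failed.Count
```

Running this right after the test reset above should show one successful 'Reset password (self-service)' row for the test user; keeping it as a scheduled check turns the same query into a simple detection for abuse of the reset flow.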
Testing with a Second Test User :
In the above section, we tested with a test user for whom the admin has enabled SSPR. Now we will test with a second test user (Ashok@manasmoharanagmail.onmicrosoft.com) for whom the admin has not enabled SSPR. Let’s see how it behaves.
We will also use the following two special links to register the user and to reset the password.
- https://aka.ms/ssprsetup : For a manual registration process, open a new browser window in InPrivate or incognito mode, and browse the link.
- https://aka.ms/sspr : If you’re an end user already registered for self-service password reset and need to get back into your account to reset the password.
Register User :
Let’s use the https://aka.ms/ssprsetup link to register the user. As in the following figure, we can see the clear message that the admin has not enabled the user to register.
Reset Password For User :
Let’s use the https://aka.ms/sspr link to reset the password for the user. As in the following figure, we can see the clear message that the admin has not turned on SSPR for the user.
Enable SSPR For User :
Enable SSPR for the user by adding the user to the same group for which SSPR is already enabled.
Now SSPR is enabled for the user, but they are still not able to reset the password because the user has not registered yet, as shown in the following figure.
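This is the state the Registration Options step above is meant to prevent: the user is in scope for SSPR but has no registered methods, so a reset attempt still fails. Azure AD exposes exactly these three states per user (enabled, registered, capable) in the authentication methods registration report. The script below is an added example, not from the original article; it assumes the Microsoft Graph PowerShell SDK with the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions, and it lists every user who is enabled for SSPR but has not yet registered.

```powershell
# Added example (not from the original article): find users who are enabled for SSPR
# but not yet registered, i.e. users who will be refused at reset time just like
# the second test user above.
# Assumption: Microsoft Graph PowerShell SDK; the registration details report
# is available in Azure AD Premium tenants.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$summary = $details | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        IsAdmin           = $_.IsAdmin             # admins always get the stricter two-gate policy
        SsprEnabled       = $_.IsSsprEnabled       # in scope: SSPR group membership + licence
        SsprRegistered    = $_.IsSsprRegistered    # has registered enough methods for the policy
        SsprCapable       = $_.IsSsprCapable       # enabled AND registered: can reset today
        Methods           = ($_.MethodsRegistered -join ',')
    }
}

# Users who would hit the "not registered" message shown in the figure above.
$notRegistered = @($summary | Where-Object { $_.SsprEnabled -and -not $_.SsprRegistered })
$notRegistered | Format-Table -AutoSize

# A quick tenant-wide view of readiness.
$enabled = @($summary | Where-Object { $_.SsprEnabled })
"{0} SSPR-enabled user(s), {1} still need to register" -f $enabled.Count, $notRegistered.Count
```

Because the report is the same data the portal's "Usage & insights" view shows, it is a convenient way to measure how many users would actually be able to self-serve before the helpdesk is told to redirect password calls to SSPR.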
Registering User After SSPR Enabled :
As we can see in the following figure, the user has successfully registered after SSPR was enabled.
Reset Password After Registering the User :
After registering successfully, the user tries to reset the password, as we can see in the following figure.
After the password is successfully reset, the user receives a notification e-mail, as shown in the following figure.
NOTE : Microsoft enforces a strong default two-gate password reset policy for any Azure administrator role. This policy may be different from the one we have defined for our users, and this policy can’t be changed. We should always test password reset functionality as a user without any Azure administrator roles assigned.
I hope these posts help you get a basic idea of managing Azure Active Directory. Please let us know if we missed any important point. In our next article we will cover one more Azure AD feature.
Next Article : Part 10 – Azure Active Directory – Identity Protection
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.
Thanks for reading 🙂.
I have a doubt here: whenever I enable password writeback and SSPR for on-prem users, the local AD policy will come into effect. How about the password expiration policy?