Cloud Security – Azure Active Directory authentication – self-service password reset – Part 2

by Prasham Sabadra · Published June 5, 2020 · Updated June 5, 2020

Azure AD - Self - Service Password Reset

Hi All,

LIFE IS BEAUTIFUL 🙂 I hope we all are safe:) STAY SAFE, STAY HEALTHY 🙂 STAY HOME 🙂

In last article Cloud Security – Azure Active Directory authentication – Part 1 we discussed bit about Azure AD Authentication and Authentication methods.

In this article we will discuss about self-service password reset feature of Azure AD and its importance.

Take Away from this article: Lots of stuff, please read article to understand better.

What is Azure AD Self-Service password reset (SSPR)?
How to enable the AD Self-Service password reset (SSPR) for users
Study material for the exam – AZ-500 : Microsoft Azure Security Technologies

What is Azure AD Self-Service password reset (SSPR)?

SSPR is the way to allow users to change or reset their password without any admin help or help-desk involvement or any service ticket need to create for IT
This helps users to quickly change/reset password in case they forget or account is locked. This improves the productivity of users by getting back to work fast and saves lots of time
SSPR allows to reset expired password as well
Main advantage of SSPR is reduce IT cost by not requiring the IT support
Robust audit logging is available which tracks user activities so Administrator can monitor the respective activities

How to enable self-service password reset?

To enable self-service password reset we need an account with Global Administrator rights
Sign in to Azure portal (portal.azure.com) with an account having Global Administrator rights.

Please have a look at warning on the page as shown in above figure. SSPR requires at least two authentication methods to reset their own password.
There are three options available for Administrators for SSPR
- None – SSPR is disabled for all the users
- Selected –
  - SSPR is enabled for selected groups.
  - This option is useful for testing purpose or for pilot run.

Setting Authentication Method after enabling the SSPR?

As we discussed in last point that SSPR requires at least two authentication methods to reset their own password.
So lets discuss how to setting up authentication methods
From “Password reset” properties page we have an option of “Authentication methods” option as

We are not going to discuss each authentication method in this article, we will discuss those in coming subsequent articles 🙂
Now once we enabled SSPR, when we login to portal we get an popup – asking for additional information as

Click on “Next” button, we will be redirected to password register page if we know the current password.

Please click on “re-enter my password” button as shown in above figure
We will be redirect the page as shown in below figure – Either to enter current password or to reset password with the help of “Forgot my password” as shown in below figure

Here, I’ll go for “Forgot my password” link to verify “Self-Service password reset (SSPR)” option as

Notice the message “Get back into your account” this means it enables me now to reset my own password
Please enter the respective information on the page and click on “Next” button as shown in above figure

Observe the “Verification step 1” – Email. We have selected Authentication method 1 as Email. Please have a look at Fig – “Fig: Azure AD – Azure AD Portal – “Active Directory Menu Blade” page – Password Reset >> Properties >> Enabling SSPR for selected group >> Setting up Authentication methods”
Once you click on “Email” button, you will receive the verification code in your respective email box as