Manage Microsoft Entra users and groups
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
1. What is SSPR?
Self-Service Password Reset (SSPR) is a feature in Microsoft Entra ID that allows users to reset their own passwords or unlock their accounts without contacting IT support.
Key Benefits:
- Reduces helpdesk workload (IT staff don’t have to reset passwords manually).
- Improves security because users can immediately reset compromised passwords.
- Helps users regain access to their accounts quickly, reducing downtime.
In an IT environment, this means if an employee forgets their password, they can verify their identity and reset it themselves.
2. Requirements for SSPR
Before enabling SSPR, you need to ensure:
- Licensing:
  - SSPR is available for Azure AD Premium P1 or P2 licenses.
  - It’s also partially available in the free tier, but with limited features.
- Authentication Methods:
  Users must have at least one authentication method registered to verify their identity. These methods can include:
  - Mobile phone (SMS or call)
  - Security questions (not recommended for high security)
  - Microsoft Authenticator app
- User Registration:
  - Users must register their authentication methods before they can use SSPR.
  - You can enforce registration during first login or via Azure AD conditional access.
3. How to Enable SSPR in Microsoft Entra ID
- Sign in to Microsoft Entra Admin Center.
- Navigate to: Azure Active Directory → Password reset → Properties.
- Set Self-service password reset enabled to:
- None – Disabled
- Selected – Only specific groups can use SSPR
- All – All users can use SSPR
- Click Save.
4. Configure Authentication Methods
- Go to Azure Active Directory → Password reset → Authentication methods.
- Select which methods users can use to reset passwords.
- Configure the number of methods required (minimum 1, recommended 2 for better security).
- Save the settings.
Example Settings for IT Security:
- Require at least 2 verification methods.
- Use mobile app notification + mobile phone SMS.
- Avoid security questions in enterprise environments; they are a weak verification method.
5. Registration and Notifications
- Users must register their authentication methods in My Profile → Password Reset.
- You can notify users to register via email reminders or Azure AD policies.
6. Password Reset Experience for Users
Once enabled and registered:
- User goes to the password reset page: https://passwordreset.microsoftonline.com/
- User enters their username.
- SSPR verifies identity using registered methods.
- User resets password and can log in immediately.
IT administrators can track these actions via Azure AD logs to monitor usage and detect unusual behavior.
7. Additional SSPR Settings
- Notifications: Admins can receive emails when users reset passwords.
- Password Policies: SSPR respects the organization’s password complexity and expiration rules.
- Audit Logging: All SSPR activity is logged in Azure AD audit logs.
- Custom Messages: You can customize help desk info or messages for users during reset.
8. Security Considerations
- Enforce multi-factor authentication for sensitive accounts.
- Limit SSPR to specific groups if security is a concern.
- Monitor logs for unusual reset activity to detect potential attacks.
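As an added example (not part of these notes or of any Microsoft tooling), here is what "monitor logs for unusual reset activity" can look like in practice: a small Python script run over constructed directory-audit records. The field names follow the Graph directoryAudit resource, but the activity name, accounts, IPs and thresholds are all assumptions made for this example.

```python
"""Flag unusual SSPR activity in Entra ID directory audit records (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records shaped like directoryAudits entries; every value is invented.
SAMPLE_AUDIT_JSON = """[
{"activityDateTime":"2024-05-01T09:00:00Z","activityDisplayName":"Reset password (self-service)","result":"success","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}}},
{"activityDateTime":"2024-05-01T09:05:00Z","activityDisplayName":"Reset password (self-service)","result":"failure","initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7"}}},
{"activityDateTime":"2024-05-01T09:06:00Z","activityDisplayName":"Reset password (self-service)","result":"failure","initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7"}}},
{"activityDateTime":"2024-05-01T09:07:00Z","activityDisplayName":"Reset password (self-service)","result":"failure","initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7"}}},
{"activityDateTime":"2024-05-01T09:09:00Z","activityDisplayName":"Reset password (self-service)","result":"success","initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7"}}},
{"activityDateTime":"2024-05-01T10:00:00Z","activityDisplayName":"Reset password (self-service)","result":"success","initiatedBy":{"user":{"userPrincipalName":"carol@contoso.example","ipAddress":"198.51.100.7"}}},
{"activityDateTime":"2024-05-01T10:20:00Z","activityDisplayName":"Reset password (self-service)","result":"success","initiatedBy":{"user":{"userPrincipalName":"dave@contoso.example","ipAddress":"198.51.100.7"}}},
{"activityDateTime":"2024-05-01T11:00:00Z","activityDisplayName":"Update user","result":"success","initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example","ipAddress":"203.0.113.5"}}}
]"""

SSPR_ACTIVITY = "Reset password (self-service)"  # assumed activity name for SSPR audit events


def parse_audits(text):
    """Parse audit JSON and keep only SSPR reset events as (time, upn, ip, result), sorted by time."""
    events = []
    for rec in json.loads(text):
        if rec.get("activityDisplayName") != SSPR_ACTIVITY:
            continue  # ignore non-SSPR audit entries such as admin user updates
        who = rec["initiatedBy"]["user"]
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        events.append((when, who["userPrincipalName"], who["ipAddress"], rec["result"]))
    return sorted(events)


def _within(start, t, window_hours):
    return 0 <= (t - start).total_seconds() <= window_hours * 3600


def find_suspicious(events, window_hours=2, ip_threshold=3, fail_threshold=3):
    """Return sorted (rule, key) findings: a user with repeated failed resets in the window,
    or a single source IP that completed resets for many distinct users in the window."""
    findings = set()
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for when, upn, ip, result in events:
        by_user[upn].append((when, result))
        by_ip[ip].append((when, upn))
    for upn, hist in by_user.items():  # sliding window over each user's attempts
        for i, (start, _) in enumerate(hist):
            fails = sum(1 for t, r in hist[i:] if r == "failure" and _within(start, t, window_hours))
            if fails >= fail_threshold:
                findings.add(("repeated_failures", upn))
    for ip, hist in by_ip.items():  # sliding window over each source IP's activity
        for i, (start, _) in enumerate(hist):
            users = {u for t, u in hist[i:] if _within(start, t, window_hours)}
            if len(users) >= ip_threshold:
                findings.add(("many_users_one_ip", ip))
    return sorted(findings)
```

On the sample data this flags bob's three failed verifications and the one IP that reset three different accounts within two hours; in a real deployment the records would come from the Entra audit log export rather than an inline string.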
9. Tips for the Exam
- Know the steps to enable SSPR in Entra ID.
- Remember authentication methods and minimum number of methods.
- Understand user registration requirement.
- Be aware that audit logs and notifications exist for monitoring.
- Know SSPR reduces helpdesk workload and improves security and availability.
✅ Key Takeaways:
- SSPR allows users to reset passwords without IT support.
- You must enable it in Entra ID and configure authentication methods.
- Users must register before using it.
- Security and monitoring are essential for safe deployment.
