
Secure password reset method for the Admin users

EnterpriseArchitect 6,366 Reputation points
2025-10-02T02:23:11.8833333+00:00

After disabling Self-Service Password Reset for the Admin user using https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy?wt.mc_id=MVP_452337&tabs=ms-powershell#administrator-reset-policy-differences, the normal user can still reset their own password, but not the user with any privileged roles.


However, the Service Desk Team that performs password resets, as well as anyone involved in the process, may also be susceptible to Social Engineering attacks.

What are the additional layers of protection, or the risks, when disabling the above features?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Marcin Policht 90,725 Reputation points MVP Volunteer Moderator
    2025-10-02T11:56:57.7+00:00

    To mitigate the risks, consider the following:

    For privileged roles (admins, global admins, etc.):

    • Use Privileged Identity Management (PIM): Require just-in-time (JIT) activation of privileged roles, with MFA enforced at activation.
    • Require strong MFA always: Password reset alone should not be enough; always require MFA and preferably phishing-resistant MFA (FIDO2, Windows Hello for Business, certificate-based auth).
    • Break-glass accounts: Maintain at least two emergency access accounts excluded from Conditional Access/MFA that are tightly monitored and only used in emergencies.
    • Passwordless authentication: Adopt passwordless methods (FIDO2 keys, WHfB) to reduce reliance on password resets entirely.

    For Service Desk and support staff:

    • Role-based access control: Grant the minimum necessary rights (e.g., use the specific "Password Administrator" role, not Global Admin).
    • MFA enforcement: Service Desk accounts must use MFA for every login and ideally use conditional access policies (e.g., restrict to corporate networks or compliant devices).
    • Strong processes and verification: Train staff on identity verification procedures (never reset passwords on the basis of just an email or phone call).
    • Privileged access workstation (PAW): Require admins and service desk staff to use hardened, dedicated devices for privileged actions.
    • Auditing & alerts: Log and monitor password reset activity. Use Microsoft Sentinel or Entra ID audit logs to detect suspicious reset patterns.

    If the Service Desk is well protected (MFA, process, auditing, RBAC), this risk can be mitigated. If not, attackers will exploit them as the "weakest link". The bottom line is that the protection level is only as strong as your Service Desk's identity assurance process.



    hth

    Marcin


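The answer's last bullet recommends monitoring Entra ID audit logs for suspicious reset patterns. The following is an added example (not code from the question, the answer, or Microsoft) of that detection logic run over constructed audit records: it flags any password reset whose target holds a privileged role, and any initiator whose reset count reaches a threshold inside a sliding window. The record shape is a simplified subset of the directoryAudits schema, and the privileged-user set, the contoso.example UPNs, and the thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: UPNs holding privileged directory roles, as exported from PIM /
# role assignments. A real detection pulls this from Graph instead of hard-coding.
PRIVILEGED_UPNS = {"ga.alice@contoso.example", "secadmin.bob@contoso.example"}
RESET_ACTIVITIES = {"Reset user password", "Reset password (self-service)"}
BURST_WINDOW = timedelta(minutes=30)  # assumption: tune to normal service-desk volume
BURST_THRESHOLD = 3                    # resets by one initiator inside BURST_WINDOW

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_suspicious_resets(records):
    """Return alerts for (a) any reset targeting a privileged account and
    (b) an initiator whose reset count reaches BURST_THRESHOLD in BURST_WINDOW."""
    alerts, recent = [], defaultdict(list)
    for r in sorted(records, key=lambda r: r["activityDateTime"]):
        if r["activityDisplayName"] not in RESET_ACTIVITIES:
            continue  # e.g. "Update user" is not a reset
        initiator = r["initiatedBy"]["user"]["userPrincipalName"]
        target = r["targetResources"][0]["userPrincipalName"]
        when = _parse(r["activityDateTime"])
        if target.lower() in PRIVILEGED_UPNS:
            alerts.append({"rule": "privileged_target", "initiator": initiator,
                           "target": target, "activity": r["activityDisplayName"]})
        # sliding window per initiator: keep only resets inside BURST_WINDOW
        recent[initiator] = [t for t in recent[initiator] + [when] if when - t <= BURST_WINDOW]
        if len(recent[initiator]) == BURST_THRESHOLD:
            alerts.append({"rule": "reset_burst", "initiator": initiator,
                           "count": BURST_THRESHOLD, "target": target})
    return alerts

def _rec(ts, activity, initiator, target):
    """One constructed audit record in the simplified directoryAudits shape."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": initiator}},
            "targetResources": [{"userPrincipalName": target}]}

# Constructed sample (not tenant data): three resets by one desk account in
# 20 minutes, one admin-initiated reset of a Global Admin, one unrelated event.
DESK, DESK2 = "helpdesk.carol@contoso.example", "helpdesk.dave@contoso.example"
SAMPLE_RECORDS = [
    _rec("2025-10-02T09:00:00Z", "Reset user password", DESK, "user1@contoso.example"),
    _rec("2025-10-02T09:05:00Z", "Update user", DESK, "user1@contoso.example"),
    _rec("2025-10-02T09:10:00Z", "Reset user password", DESK, "user2@contoso.example"),
    _rec("2025-10-02T09:20:00Z", "Reset user password", DESK, "user3@contoso.example"),
    _rec("2025-10-02T09:25:00Z", "Reset user password", DESK2, "GA.Alice@contoso.example"),
]
```

Running `find_suspicious_resets(SAMPLE_RECORDS)` yields two alerts: a reset burst for the first desk account and a privileged-target hit for the Global Admin reset; the same two rules translate directly into a Sentinel analytics query over the AuditLogs table.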
