Enable self-service password reset

Applies to: White circle with a gray X symbol. Workforce tenants Green circle with a white check mark symbol. External tenants (learn more)

Self-service password reset (SSPR) in Microsoft Entra External ID gives customers the ability to change or reset their password, with no administrator or help desk involvement. If a customer's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work.

How does the password reset process work?

The self-service password uses the email one-time passcode (Email OTP) authentication. When enabled, customer users who forgot their passwords use Email OTP authentication. With one-time passcode authentication, users verify their identity by entering the one-time passcode sent to their email address, and are then prompted to change their password.

The following screenshots show the self-service password rest flow. From the app, the customer chooses to sign-in. On the sign-in page, the user types their email and selects Next. If users forgot their password, they choose the Forgot password? option. Microsoft Entra ID sends the passcode to email address provided on the first page. The customer needs to type the passcode to continue.

Screenshot that shows the self-service password rest flow.

Tip

Try it now

To try out this feature, go to the Woodgrove Groceries demo and start the “Self-service password reset” use case.

Prerequisites

  • If you haven't already created your own external tenant, create one now.
  • If you haven't already created a User flow, create one now.

Enable self-service password reset for customers

  1. Sign in to the Microsoft Entra admin center.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the external tenant you created earlier from the Directories + subscriptions menu.

  3. Browse to Identity > External Identities > User flows.

  4. From the list of User flows, select the user flow you want to enable SSPR.

  5. Make sure that the sign-up user flow registers Email with password as an authentication method under Identity providers.

    Screenshot that shows how to enable email authentication.

Enable email one-time passcode

To enable self-service password reset, you need to enable the email one-time passcode (Email OTP) authentication method for all users in your tenant. To ensure that the Email OTP feature is enabled follow the steps below:

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Protection > Authentication methods.

  3. Under Policies > Method select Email OTP.

    Screenshot that shows authentication methods.

  4. Under Enable and Target enable Email OTP and select All users under Include.

    Screenshot of enabling OTP.

  5. Select Save.

You can hide, show or customize the self-service password reset link on the sign-in page.

  1. In the search bar, type and select Company Branding.

  2. Under Default sign-in select Edit.

  3. On the Sign-in form tab, scroll to the Self-service password reset section and select Show self-service password reset.

    Screenshot of the company branding Self-service password reset.

  4. Select Review + save and Save on the Review tab.

For more details, check out the Customize the neutral branding in your external tenant article.

Test self-service password reset

To go through the self-service password reset flow:

  1. Open your application, and select Sign-in.

  2. In the sign-in page, enter your Email address and select Next.

    Screenshot that shows the sign-in page.

  3. Select the Forgot password? link.

    Screenshot that shows the forgot password link.

  4. Enter the one-time passcode sent to your email address.

    Screenshot that shows the enter code option.

  5. Once you're authenticated, you're prompted to enter a new password. Provide a New password, and Confirm password, then select Reset password to sign in to your application.

    Screenshot that shows the update password screen.

Next steps