Exercise - Set up self-service password reset


In this unit, you'll configure and test self-service password reset (SSPR). You'll need your mobile phone to complete the password-reset process in this exercise.

Create an Azure AD organization

For this step, create a new directory and sign up for a trial Premium subscription for Azure AD.

  1. Sign in to the Azure portal.

  2. Select Create a resource > Identity > Azure Active Directory.

    Screenshot that shows Azure Active Directory in the Azure Marketplace.

  3. Select Azure Active Directory, then select Next : Configuration.

  4. On the Create tenant page, use these values, select Review + Create, then select Create.

    Property             Value
    Organization name    Choose any organization name.
    Initial domain name  Choose a domain name that's unique within .onmicrosoft.com. Make a note of the domain you choose.
    Country or region    United States.

  5. Complete the captcha, then select Submit.

  6. After you create the organization, select the F5 key to refresh the page. In the upper-right corner, select your user account. Then select Switch directory.

  7. Select the organization you just created.

Create an Azure AD Premium P2 trial subscription

Now activate a trial Premium subscription for the organization so that you can test SSPR.

  1. Go to Azure Active Directory > Password reset.
  2. Select Get a free Premium trial to use this feature.
  3. Under AZURE AD PREMIUM P2, expand Free trial and then select Activate.
  4. Refresh the browser to see the Password reset - Properties page.

Create a group

You want to roll out SSPR to a limited set of users first to make sure your SSPR configuration works as expected. Let's begin by creating a security group for the limited rollout.

  1. In the Azure AD organization you created, under Manage, select Groups.

  2. Select + New Group.

  3. Enter the following values:

    Setting            Value
    Group type         Security
    Group name         SSPRTesters
    Group description  Testers of SSPR rollout
    Membership type    Assigned

  4. Select Create.

    Screenshot that shows new group form filled out and the create button highlighted.

Create a user account

To test your configuration, create an account that's not associated with an administrator role. You'll also assign the account to the group you created.

  1. In your Azure AD organization, under Manage, select Users.

  2. Select + New user, select Create new user in the drop-down, and use the following values:

    Setting    Value
    User name  balas
    Name       Bala Sandhu
    Password   Select Show Password, and make a note of the password.
    Groups     Select the 0 groups selected link, then select SSPRTesters and click Select.

  3. Select Create.
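
The "Create a group" and "Create a user account" steps above can also be scripted. The following is an added example, not part of the original exercise: it assumes the Microsoft Graph PowerShell module is installed, uses organization-domain-name.onmicrosoft.com as a placeholder for your tenant's domain, and generates a random initial password instead of the portal-generated one. It also checks that the test account holds no directory role, as this section requires.

```powershell
# Added example (not from the original exercise). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','Directory.Read.All'

# Placeholder: replace with the initial domain you noted when creating the tenant.
$Domain = 'organization-domain-name.onmicrosoft.com'

# Security group for the limited rollout. Omitting -GroupTypes gives assigned membership.
$group = New-MgGroup -DisplayName 'SSPRTesters' `
    -Description 'Testers of SSPR rollout' `
    -MailNickname 'SSPRTesters' `
    -MailEnabled:$false -SecurityEnabled

# Random initial password; the fixed prefix only guarantees the complexity classes.
$bytes = [byte[]]::new(18)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = 'Aa1!' + [Convert]::ToBase64String($bytes)

# Test account; it must change the password at first sign-in.
$user = New-MgUser -DisplayName 'Bala Sandhu' `
    -UserPrincipalName "balas@$Domain" `
    -MailNickname 'balas' `
    -AccountEnabled `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Confirm the account holds no directory (administrator) role before using it as the tester.
$roles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
if ($roles) {
    Write-Warning "balas@$Domain holds $(@($roles).Count) directory role(s); use a non-admin account."
} else {
    Write-Output "Created balas@$Domain in SSPRTesters. Initial password: $initialPassword"
}
```

Note the initial password from the output, as you would in the portal; it is shown only once.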

Enable SSPR

Now you're ready to enable SSPR for the group.

  1. In your Azure AD organization, under Manage, select Password reset.

  2. If the Password reset page still displays the message Get a free Premium trial to use this feature, wait for a few minutes and then refresh the page.

  3. On the Properties page, select Selected. Select the No groups selected link, select the SSPRTesters group, and then select Save.

    Screenshot of the Password Reset properties panel with SSPR enabled and selected group set to SSPRTesters.

  4. Under Manage, select the Authentication methods, Registration, and Notifications pages to review the default values.

  5. Select Customization.

  6. Select Yes, and then in the Custom helpdesk email or URL text box, enter admin@organization-domain-name.onmicrosoft.com. Replace "organization-domain-name" with the domain name of the Azure AD organization you created. If you've forgotten the domain name, hover over your profile in the upper-right corner of the Azure portal.

  7. Select Save.

Register for SSPR

Now that the SSPR configuration is complete, register a mobile phone number for the user you created.

Note

If you get the message "The administrator has not enabled this feature," use private/incognito mode in your web browser.

  1. In a new browser window, go to https://aka.ms/ssprsetup.

  2. Sign in with the user name balas@organization-domain-name.onmicrosoft.com and the password that you noted earlier.

  3. If you're asked to update your password, enter a new password of your choice. Make sure you note the new password.

  4. Next to Authentication phone is not configured, select Set it up now.

  5. Enter your mobile phone details.

    Screenshot that shows mobile phone registration form for SSPR.

  6. Select text me.

  7. When you receive the code on your mobile phone, enter the code in the text box.

  8. Select verify, and then select finish.

Test SSPR

Now let's test whether the user can reset their password.

  1. In a new browser window, go to https://aka.ms/sspr.

  2. For User ID, type balas@organization-domain-name.onmicrosoft.com. Replace "organization-domain-name" with the domain you used for your Azure AD organization.

    Screenshot that shows the password reset dialog.

  3. Complete the captcha, and then select Next.

  4. Enter your mobile phone number, and then select Text.

  5. When the text arrives, in the Enter your verification code text box, enter the code you were sent. Select Next.

  6. Enter a new password, and then select Finish. Make sure you note the new password.

  7. Sign out of the account.