Use SSPR for on-prem synced AAD guest accounts

Dmitry Maystrenko 20 Reputation points
2023-10-12T08:35:31.5866667+00:00

Hi everyone. We create our business partners' accounts in on-prem Active Directory, and then they are synced to Azure AD as Guest accounts. Guests log in with our domain UPNs (guest@ourdomain.com) using the password synced from our on-prem AD.
My question is the following:
Is there a way to make SSPR work for such on-prem synced Guest accounts?

I specify guest@ourdomain.com as the UPN in SSPR, and it could even detect whether this account is disabled or active in our AAD, but it couldn't reset the password.

Microsoft Entra ID

1 answer

  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2023-10-18T10:57:56.6466667+00:00

    @Dmitry Maystrenko

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you have a guest account which is synced from on-prem to Entra ID and you would like to enable SSPR for such accounts.

    Kindly confirm if this is not the case by responding in the comments section.

    On-prem AD users aren't synced to Azure AD as Guests; those users would be synced as regular users, and this is as per design. SSPR would work and could be set up by following Enable Microsoft Entra self-service password reset writeback to an on-premises environment. This would:

    • Configure the required permissions for password writeback
    • Enable the password writeback option in Microsoft Entra Connect
    • Enable password writeback in Microsoft Entra SSPR

    However, if you plan to invite the user as a Guest to AAD, then as per Password reset for B2B users:

    Password reset and change are fully supported on all business-to-business (B2B) configurations. B2B user password reset is supported in the following three cases:

    • Users from a partner organization with an existing Microsoft Entra tenant
    • Users who sign up through self-service sign-up
    • B2B users: Any new B2B users created by using the new Microsoft Entra B2B capabilities

    However, Microsoft accounts that have been granted guest access to your Microsoft Entra tenant, such as those from Hotmail.com, Outlook.com, or other personal email addresses, aren't able to use Microsoft Entra SSPR. They need to reset their password by using the information found in the When you can't sign in to your Microsoft account article.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

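As an added example (not part of the thread and not Microsoft's own script), the PowerShell below triages a UPN like the one in the question, so an admin can tell whether the object is a synced Member (SSPR needs writeback), a Guest (the B2B rules quoted above apply) or cloud-only, and then checks and configures the writeback prerequisites from the answer's list. It assumes the Microsoft.Graph SDK with a session already connected via Connect-MgGraph (User.Read.All), the ADSync module and AdSyncConfig.psm1 on the Entra Connect server, and placeholder values for the UPN, connector account and domain.

```powershell
# Added example: triage a synced account for SSPR before changing anything.
# Assumptions: Connect-MgGraph already run with User.Read.All; steps 2 and 3
# run on the Entra Connect server as a Domain Admin. All names are placeholders.
param(
    [string]$Upn = 'guest@ourdomain.com'   # placeholder UPN taken from the question
)

# 1. Is the object really synced from on-prem, and is it a Member or a Guest?
#    SSPR writeback applies to synced Member users; a Guest object follows the
#    B2B password-reset rules instead, regardless of where it originated.
$u = Get-MgUser -UserId $Upn -Property UserPrincipalName,UserType,OnPremisesSyncEnabled,OnPremisesImmutableId,AccountEnabled

$state = [pscustomobject]@{
    UserPrincipalName = $u.UserPrincipalName
    UserType          = $u.UserType
    SyncedFromOnPrem  = [bool]$u.OnPremisesSyncEnabled
    AccountEnabled    = $u.AccountEnabled
}
$state | Format-List

if ($state.SyncedFromOnPrem -and $state.UserType -eq 'Member') {
    Write-Host 'Synced Member: SSPR requires password writeback to be enabled in Entra Connect.'
} elseif ($state.UserType -eq 'Guest') {
    Write-Host 'Guest object: password reset is governed by the B2B rules, not by on-prem writeback.'
} else {
    Write-Host 'Cloud-only object: SSPR resets the cloud password directly; writeback is not involved.'
}

# 2. On the Entra Connect server: show the tenant-level sync features so you can
#    see whether password writeback is already on (feature list shown in full;
#    the exact property name is not assumed here).
Import-Module ADSync -ErrorAction Stop
Get-ADSyncAADCompanyFeature | Format-List

# 3. Grant the AD connector account the permissions writeback needs (first step in
#    the answer's list). Placeholder account and domain; run once as a Domain Admin.
Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName 'MSOL_xxxxxxxxxxxx' -ADConnectorAccountDomain 'corp.ourdomain.com'
```

After step 3, the remaining two steps from the answer (enabling writeback in the Entra Connect wizard and in the SSPR blade) are done in the UI; re-run step 1 afterwards to confirm the account is a synced Member before testing a reset.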