How to enable/disable the account.activedirectory.windowsazure.com SSPR?

Vincent L 60 Reputation points
2023-11-17T07:30:21.6733333+00:00

Hello everyone,

To clarify the question, much like the question asked over there, I am wondering about the SSPR from the two options:

I am aware as to how to activate Entra SSPR (the second link), but not at all how to do so for the first one. On my tenant, Entra SSPR is deactivated, and users can't do SSPR when logged out, so this part I understand. But users can still do SSPR when logged in with the first link.

Now, my questions would be:

  • How is this service activated/deactivated?
  • How to configure it?
  • What service supports it? (I assume it is somehow connected to Azure AD Connect?)

Many thanks! :)

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Carlos Solís Salazar 18,201 Reputation points MVP Volunteer Moderator
    2023-11-17T11:53:15.24+00:00

    Your question concerns the differences in configuration and management between two Self-Service Password Reset (SSPR) options in Azure AD:

    1. https://account.activedirectory.windowsazure.com/ChangePassword.aspx
    2. https://passwordreset.microsoftonline.com/

    The first link is typically used for changing passwords within Azure AD when a user is already authenticated (logged in), whereas the second link is for the Azure AD SSPR feature that allows users to reset their passwords when they are not authenticated (logged out).

    Understanding the Two SSPR Options

    1. ChangePassword.aspx:
      • This service is part of Azure AD and allows authenticated users to change their password.
      • It's typically available to users by default as part of their Azure AD profile management.
    2. PasswordReset.MicrosoftOnline.com (Entra SSPR):
      • This is the Azure AD SSPR service used for unauthenticated password resets.
      • It needs to be activated and configured in Azure AD.

    How to Activate/Deactivate and Configure

    1. For ChangePassword.aspx:
      • This service is generally available to all users who are logged in and is not separately activated or deactivated.
      • If users can access this link while logged in, it means they have the necessary permissions to change their password.
    2. For Entra SSPR:
      • Activation/Deactivation:
        • Go to Azure Portal → Azure Active Directory → Password reset.
        • Here, you can enable or disable SSPR for your organization.
      • Configuration:
        • In the same Password reset menu, configure authentication methods, registration requirements, etc.

    Service Support and Connection to Azure AD Connect

    • Azure AD Connect:
      • Azure AD Connect syncs on-premises AD with Azure AD. It ensures that password policies and other settings are consistent across both environments.
      • While Azure AD Connect plays a role in syncing password changes, the SSPR features are primarily managed within Azure AD.
      • It’s crucial to have Azure AD Connect correctly configured for a seamless password management experience, especially in hybrid environments.

    Additional Points

    • User Permissions: Ensure that user permissions and group policies in Azure AD do not inadvertently restrict access to these features.
    • Documentation and Support:
      • For detailed configuration guides, refer to the Azure AD SSPR documentation.
      • If there are specific configurations or behaviors that are unclear, consider reaching out to Azure support for more tailored assistance.

    This delineation between the two links essentially boils down to whether a user is already authenticated or not and what services your organization has enabled and configured in Azure AD.

    Accept the answer if the information helped you. This will help us and others in the community as well.
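
A way to check which of the two paths users in a tenant actually take, as an added example that is not part of the original answer or any Microsoft code: it classifies exported Entra audit records by activity name. It assumes the records follow the Microsoft Graph directoryAudit shape and that the tenant logs the activities "Change password (self-service)" and "Reset password (self-service)"; the sample records and user names are constructed.

```python
import json

# Audit activity names mapped to the two paths from the answer (assumed mapping).
PATH_BY_ACTIVITY = {
    "Change password (self-service)": "change (signed in)",
    "Reset password (self-service)": "reset (signed out, Entra SSPR)",
}

# Constructed sample, shaped like Microsoft Graph directoryAudit records.
SAMPLE = json.loads("""[
 {"activityDateTime": "2023-11-17T08:01:00Z", "result": "success",
  "activityDisplayName": "Change password (self-service)",
  "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}},
 {"activityDateTime": "2023-11-17T08:05:00Z", "result": "failure",
  "activityDisplayName": "Reset password (self-service)",
  "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}},
 {"activityDateTime": "2023-11-17T08:07:00Z", "result": "success",
  "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}},
 {"activityDateTime": "2023-11-17T08:09:00Z", "result": "success",
  "activityDisplayName": "Change password (self-service)",
  "initiatedBy": {"user": null}}
]""")

def password_events(records):
    """Keep only self-service password events, tagged with the path used."""
    events = []
    for rec in records:
        path = PATH_BY_ACTIVITY.get(rec.get("activityDisplayName"))
        if path is None:
            continue  # not a self-service password event
        # initiatedBy.user can be null when no user identity was recorded
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        events.append({"time": rec.get("activityDateTime", ""),
                       "upn": user.get("userPrincipalName", "<unknown>"),
                       "path": path, "result": rec.get("result", "unknown")})
    return sorted(events, key=lambda e: e["time"])

def summarize(records):
    """Count events per (path, result)."""
    counts = {}
    for e in password_events(records):
        counts[(e["path"], e["result"])] = counts.get((e["path"], e["result"]), 0) + 1
    return counts

def unexpected_resets(records):
    """With Entra SSPR disabled, any self-service reset event deserves a look."""
    return [e for e in password_events(records) if e["path"].startswith("reset")]
```

In a tenant like the asker's, where Entra SSPR is turned off, `summarize` should show only signed-in changes, and anything returned by `unexpected_resets` is worth reviewing.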

