![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 25%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
25,128 questions
Hi @anh pham • Thank you for reaching out.
Self-service password reset is enabled for Administrators by default, even when you have not enabled SSPR in your tenant. Administrators can reset their password after performing two-gate authentication. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number. A two-gate policy applies to users with below roles:
Application administrator
Application proxy service administrator
Authentication administrator
Azure AD Joined Device Local Administrator
Billing administrator
Compliance administrator
Device administrators
Directory synchronization accounts
Directory writers
Dynamics 365 administrator
Exchange administrator
Global administrator or company administrator
Helpdesk administrator
Intune administrator
Mailbox Administrator
Partner Tier1 Support
Partner Tier2 Support
Password administrator
Power BI service administrator
Privileged Authentication administrator
Privileged role administrator
SharePoint administrator
Security administrator
Service support administrator
Skype for Business administrator
User administrator
Read more: Administrator reset policy differences
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.