Exercise - Set up self-service password reset

  • 10 minutes

In this unit, you'll configure and test self-service password reset (SSPR) by using your mobile phone. You'll need to use your mobile phone to complete the password-reset process in this exercise.

Create a Microsoft Entra organization

For this step, you'll want to create a new directory and sign up for trial Premium subscription for Microsoft Entra ID.

  1. Sign in to the Azure portal.

  2. Select Create a resource > Identity > Microsoft Entra ID.

    Screenshot that shows Microsoft Entra ID in the Azure Marketplace.

  3. Select Microsoft Entra ID, then select Next : Configuration.

  4. On the Create tenant page, use these values, select Review + Create, then select Create.

    Property Value
    Organization name Choose any organization name.
    Initial domain name Choose a domain name that's unique within .onmicrosoft.com. Make a note of the domain you choose.
    Country or region United States.

  5. Complete the captcha, then select Submit.

  6. After you create the organization, select the F5 key to refresh the page. In the upper-right corner, select your user account, then select Switch directory.

  7. Select the organization you just created.

Create a Microsoft Entra ID P2 trial subscription

Now activate a trial Premium subscription for the organization so that you can test SSPR.

  1. Go to Microsoft Entra ID > Password reset.
  2. Select Get a free Premium trial to use this feature.
  3. Under Microsoft Entra ID P2, expand Free trial, and select Activate.
  4. Refresh the browser to see the Password reset - Properties page. You might need to refresh a few times.

Create a group

You want to roll out SSPR to a limited set of users first to make sure your SSPR configuration works as expected. Let's begin by creating a security group for the limited rollout.

  1. In the Microsoft Entra organization you created, under Manage, select Groups.

  2. Select New Group.

  3. Enter the following values:

    Setting Value
    Group type Security
    Group name SSPRTesters
    Group description Members are testing the rollout of SSPR
    Membership type Assigned

  4. Select Create.

    Screenshot that shows new group form filled out and the create button highlighted.

Create a user account

To test your configuration, create an account that's not associated with an administrator role. You'll also assign the account to the group you created.

  1. In your Microsoft Entra organization, under Manage, select Users.

  2. Select + New user, select Create new user in the drop-down, and use the following values:

    Setting Value
    User name balas
    Name Bala Sandhu
    Password Select the Copy icon next to the autogenerated password, then paste the password to a text editor like Notepad.

  3. Select the Assignments tab.

  4. Select Add group, check the box for the SSPRTesters group, then select the Select button.

  5. Select Review + create, then select Create.

Enable SSPR

Now, you're ready to enable SSPR for the group.

  1. In your Microsoft Entra organization, under Manage, select Password reset.

  2. If the Password reset page still displays the message Get a free Premium trial to use this feature, wait for a few minutes and then refresh the page.

  3. On the Properties page, select Selected. Select the No groups selected link, select the box next to the SSPRTesters group, and then select the Select button.

  4. Select Save.

    Screenshot of the Password Reset properties panel wwith SSPR enabled and selected group set to SSPRTesters.

  5. Under Manage, select the Authentication methods, Registration, and Notifications pages to review the default values.

  6. Select Customization.

  7. Select Yes, and then in the Custom helpdesk email or URL text box, enter admin@organization-domain-name.onmicrosoft.com. Replace "organization-domain-name" with the domain name of the Microsoft Entra organization you created. If you've forgotten the domain name, hover over your profile in the upper-right corner of the Azure portal.

  8. Select Save.

Register for SSPR

Now that the SSPR configuration is complete, register a mobile phone number for the user you created.

Note

If you get a message that says "The administrator has not enabled this feature," use private/incognito mode in your web browser.

  1. In a new browser window, go to https://aka.ms/ssprsetup.

  2. Sign in with the user name balas@organization-domain-name.onmicrosoft.com and the password that you noted earlier. Remember to replace "organization-domain-name" with the domain name of the Microsoft Entra organization you created.

  3. If you're asked to update your password, enter a new password of your choice. Make sure you note the new password.

  4. Select the Security info tab on the left, then select + Add sign-in method.

  5. In the Add a method box, select Phone.

  6. Enter your mobile phone details.

    Screenshot that shows mobile phone registration form for SSPR.

  7. Select the Text me a code radio button, then select Next.

  8. When you receive the code on your mobile phone, enter the code in the text box and select Next.

  9. Select Done.

Test SSPR

Now, let's test whether the user can reset their password.

  1. In a new browser window, go to https://aka.ms/sspr.

  2. For User ID, type balas@organization-domain-name.onmicrosoft.com. Replace "organization-domain-name" with the domain you used for your Microsoft Entra organization.

    Screenshot that shows the password reset dialog.

  3. Complete the captcha and select Next.

  4. Enter your mobile phone number, then select Text.

  5. When the text arrives, in the Enter your verification code text box, enter the code you were sent. Select Next.

  6. Enter a new password, then select Finish. Make sure you note the new password.

  7. Close the browser window.