Explore self-service password management

Self-service password reset (SSPR) enables users to reset their own password without requiring intervention by an administrator. SSPR isn't enabled by default. Instead, the Microsoft 365 Administrator must enable SSPR for all users or for specific groups.

To reset a password, users must first authenticate their identity. The following verification methods are available:

  • Send email to alternate email address
  • Call office phone
  • Call mobile phone
  • Text mobile phone
  • Answer security questions

If users forget their passwords, they can reset them on the Microsoft 365 Sign-in page by selecting the link titled: Can’t access your account?

To reset their passwords, users must first enter their alternate personal information. If they didn't update their profile with this information, they must contact the Microsoft 365 Administrator to reset their password for them. Microsoft Support can't reset forgotten passwords.

Administrators who want to use SSPR must use two verification methods, and they can't use security questions.

Self-service password reset is only available for Microsoft 365 users with cloud identities whose passwords aren't linked to the on-premises AD DS. This restriction applies because Microsoft 365 can't synchronize a password back to on-premises AD DS without using other synchronization services. As a result, SSPR has certain prerequisites and limitations based on the type of user account and its configuration:

  • Users with cloud identities that aren't synchronized with an on-premises Active Directory Domain Services (AD DS). For these users, SSPR can be used without any other considerations because their passwords are managed solely in the cloud. As such, when they reset their password using SSPR, it only affects their cloud identity.
  • Users with hybrid identities. For these users whose accounts are synchronized with an on-premises AD DS, the password reset process is more complex. If these users change their password in the cloud using SSPR, the new password doesn't automatically sync back to the on-premises AD DS. Why? Because Microsoft Entra ID doesn't have the capability to write back to the on-premises AD DS without the help of a synchronization service such as Microsoft Entra Connect Sync with password writeback enabled. To enable SSPR for hybrid users, organizations must have Microsoft Entra ID Premium licenses and configure Microsoft Entra Connect Sync with password writeback. This design allows the new passwords set by users in the cloud to be synchronized back to the on-premises AD DS, ensuring that the user's identity remains consistent across both environments.
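
The rules above (registered verification information, the stricter requirement for administrators, and the license and writeback prerequisites for hybrid identities) can be checked across a user list before SSPR is rolled out. The following is an added example, not Microsoft's code: the record layout, field names, method tokens, and sample users are constructed for illustration, and it assumes call and text to the same mobile number count as one registered method.

```python
# Added example: audit a constructed user export against the SSPR rules on this page.
# Field names and method tokens are hypothetical, not a Microsoft export format.

# Registered contact info that is NOT a security question (assumption: call and
# text to the same mobile number are counted once, as "mobilePhone").
NON_QUESTION = {"alternateEmail", "officePhone", "mobilePhone"}

def sspr_findings(user, writeback_enabled):
    """Return the reasons this user can't complete SSPR (empty list = ready)."""
    findings = []
    methods = set(user["methods"])
    if not methods:
        findings.append("no verification info registered: must contact the administrator")
    if user["is_admin"] and len(methods & NON_QUESTION) < 2:
        findings.append("administrator needs two methods, security questions excluded")
    if user["synced_from_ad_ds"]:
        if not user["premium_license"]:
            findings.append("hybrid identity without a Microsoft Entra ID Premium license")
        if not writeback_enabled:
            findings.append("hybrid identity but password writeback isn't enabled")
    return findings

def audit(users, writeback_enabled):
    """Map each user that isn't SSPR-ready to the list of findings for that user."""
    report = {}
    for user in users:
        findings = sspr_findings(user, writeback_enabled)
        if findings:
            report[user["upn"]] = findings
    return report

def _user(upn, methods, is_admin=False, synced=False, premium=False):
    return {"upn": upn, "methods": methods, "is_admin": is_admin,
            "synced_from_ad_ds": synced, "premium_license": premium}

# Constructed sample data (contoso.example is a placeholder tenant).
SAMPLE_USERS = [
    _user("alice@contoso.example", ["alternateEmail"]),
    _user("bob@contoso.example", []),
    _user("carol@contoso.example", ["mobilePhone", "securityQuestions"], is_admin=True),
    _user("dave@contoso.example", ["mobilePhone"], synced=True, premium=True),
    _user("erin@contoso.example", ["officePhone", "alternateEmail"], synced=True),
]

if __name__ == "__main__":
    for upn, findings in audit(SAMPLE_USERS, writeback_enabled=False).items():
        print(upn, "->", "; ".join(findings))
```
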

The following graphic shows how a user can do a self-service password reset. Once a user changes their password, Microsoft Entra Connect Sync synchronizes the new password, although it doesn't follow the same scheduler. To reflect this scenario, the graphic shows the blue dotted line with the key passing the same way, but it doesn't end in the bubble. Instead, it goes all the way to the Windows Server AD.

Diagram showing how a user can do a self-service password reset.

Password writeback

Paid subscriptions for Microsoft 365 store user information in Microsoft Entra Basic. Microsoft Entra Basic is unable to write back a password change from Microsoft Entra ID to on-premises AD DS. Microsoft Entra Premium includes the ability to write back passwords. This feature enables organizations to implement self-service password reset for synchronized identities and federated identities. It also enhances AD DS by providing a portal for password reset.

Additional reading. For more information about SSPR, see Resetting your work or school password.

Knowledge check

1. When passwords are changed in Microsoft 365, they can be written back to the on-premises Active Directory. Which of the following requirements must be met to enable this feature?