Exercise configure and deploy self-service password reset
Microsoft Entra self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or helpdesk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.
Benefits of self-service password reset
Enabling self-service password reset has many benefits for the user and the organization:
- Users can reset their own password - no productivity loss
- No admin or IT intervention - enables IT to focus on bigger issues
Licensing requirements:
- Cloud-based accounts - A user has to be enrolled into self-service password reset, and a Microsoft Entra ID Premium P1 or P2 license or a Microsoft 365 Business Standard license is required.
- On-premises accounts - A user has to be enrolled into self-service password reset, and a Microsoft Entra ID Premium P1 or P2 license or a Microsoft 365 Business Premium license is required.
Enable self-service password reset
Basic steps to enable self-service password reset:
- Sign in to the Azure portal using an account with global administrator permissions.
- Search for and select Microsoft Entra ID, then select Password reset from the menu on the left side.
- From the Properties page, under the option Self-service password reset, select Select group.
- Browse for and select your Microsoft Entra group, like SSPR-Test-Group, then choose Select.
- To enable SSPR for the chosen group, select Save.
Add a new user
Create a user account that will be added to a security group.
In the Microsoft Entra organization you created, under Manage, select Users then select New User.
The User pane now appears. Enter the following values:
- User name: MonicaT
- Name: Monica Thompson
Select Show Password and then copy it somewhere to reference it later.
Select Create.
Create a group
You want to roll out SSPR to a limited set of users first to make sure your SSPR configuration works as expected. Let's create a security group for the limited rollout and add a user to the group.
Sign in to the Microsoft Entra admin center using a Global administrator account.
Open the portal menu and then select Identity.
On the Identity menu, select Groups, then select + New Group.
Create a new group using the following information:
- Group type: Security
- Group name: SSPRTesters
- Group description: Testers of SSPR rollout
- Membership type: Assigned
- Members: Monica Thompson
Select Create.
Enable self-service password reset
Enable SSPR for the group.
Browse back to the Microsoft Entra admin center screen.
Under Protection, select Password reset.
Important
If the Password reset page still displays the message Get a free Premium trial to use this feature, wait for a few minutes and then refresh the page.
On the Password reset dialog Properties page, under Self-service password reset enabled, select Selected.
Select Select group.
In the Default password reset policy pane, select the SSPRTesters group.
On the Password reset dialog, Properties page, select Save.
Under Manage, select and review the default values for the Authentication methods, Registration, Notifications, and Customization settings.
Register for self-service password reset
Now that the SSPR configuration is complete, register a mobile phone number for the user you created.
Open a different browser or open an InPrivate or Incognito browser session and then browse to https://aka.ms/ssprsetup. This is to ensure you'll be prompted for user authentication.
Sign in as MonicaT@organization-domain-name.onmicrosoft.com with the password that you noted earlier. Replace the organization-domain-name with your domain name.
When prompted to update your password, enter a new password of your choice. Be sure to record the new password.
In the More information required dialog box, select Next.
On the Keep your account secure page, use the Phone option or select the I want to set up a different method link.
In this example, you'll use the Phone option. Enter your mobile phone details.
Select Text me a code.
When you receive the code on your mobile phone, enter the code in the text box and then select Next.
After your phone has been registered, select Next and then select Done.
Close the browser. You don't need to complete the sign-in process.
Test self-service password reset
Now let's test whether the user can reset their password.
Open a different browser or open an InPrivate or Incognito browser session and then browse to https://aka.ms/sspr. This is to ensure you'll be prompted for user authentication.
In the Email, phone, or Skype box, enter MonicaT@organization-domain-name.onmicrosoft.com and then select Next. Replace the organization-domain-name with your domain name.
On the Enter password page, select Forgot my password.
On the Get back into your account page, complete the requested information and then select Next.
In the verification step 1 task, select Text my mobile phone or Call my mobile phone, enter your phone number and then select Text.
Enter your verification code and then select Next.
In the Choose a new password step, enter a password and then confirm your new password.
When complete, select Finish.
Sign in as Monica with the new password you created.
Enter your verification code and then verify you can complete the sign-in process.
When finished, close your browser.
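The portal test above covers one user. As an added example (not part of the original exercise), the following PowerShell checks every member of the SSPRTesters pilot group against the Microsoft Graph user registration details report, so you can see who is enabled for and registered with SSPR before widening the rollout. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the read-only scopes shown.

```powershell
# Added example: audit SSPR readiness for the pilot group from this exercise.
# Assumes the Microsoft.Graph PowerShell SDK is installed; scopes are read-only.
Connect-MgGraph -Scopes 'Group.Read.All', 'AuditLog.Read.All'

$groupName = 'SSPRTesters'   # pilot group created earlier in the exercise

# Wrap in @() so "no match" yields an empty array instead of $null.
$groups = @(Get-MgGroup -Filter "displayName eq '$groupName'")
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($groups.Count)."
}

$base = 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails'

$report = foreach ($member in Get-MgGroupMember -GroupId $groups[0].Id -All) {
    try {
        # One record per user: enabled = in SSPR scope, registered = has
        # enrolled enough methods, capable = both enabled and registered.
        $d = Invoke-MgGraphRequest -Method GET -Uri "$base/$($member.Id)"
        [pscustomobject]@{
            User           = $d.userPrincipalName
            SsprEnabled    = [bool]$d.isSsprEnabled
            SsprRegistered = [bool]$d.isSsprRegistered
            SsprCapable    = [bool]$d.isSsprCapable
            Methods        = ($d.methodsRegistered -join ', ')
        }
    }
    catch {
        # No registration record, for example a nested group or a device member.
        [pscustomobject]@{
            User           = $member.Id
            SsprEnabled    = $false
            SsprRegistered = $false
            SsprCapable    = $false
            Methods        = "no record: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object User | Format-Table -AutoSize

# Members who could not complete a self-service reset today.
$notReady = @($report | Where-Object { -not $_.SsprCapable })
Write-Host "$($notReady.Count) of $(@($report).Count) members are not SSPR-capable."
```

A member who shows SsprEnabled but not SsprRegistered is in scope for the policy but has not yet completed the registration steps at https://aka.ms/ssprsetup.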