Cuir in eagar

Comhroinn trí


Reporting options for Microsoft Entra password management

After deployment, many organizations want to know how or if self-service password reset (SSPR) is really being used. The reporting feature that Microsoft Entra ID provides helps you answer questions by using prebuilt reports. If you're appropriately licensed, you can also create custom queries.

Reporting on SSPR using the audit logs in Microsoft Entra ID

The following questions can be answered by the reports that exist in the Microsoft Entra admin center:

Note

You must opt-in for this data to be gathered on behalf of your organization. To opt in, you must visit the Reporting tab or the audit logs at least once. Until then, data is not collected for your organization.

  • How many people have registered for password reset?
  • Who has registered for password reset?
  • What data are people registering?
  • How many people reset their passwords in the last seven days?
  • What are the most common methods that users or admins use to reset their passwords?
  • What are common problems users or admins face when attempting to use password reset?
  • What admins are resetting their own passwords frequently?
  • Is there any suspicious activity going on with password reset?

How to view password management reports

Tip

Steps in this article might vary slightly based on the portal you start from.

Use the following the steps to find the password reset and password reset registration events:

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
  2. Browse to Identity > Users.
  3. Select Audit Logs from the Users blade. This shows you all of the audit events that occurred against all the users in your directory. You can filter this view to see all the password-related events.
  4. From the Filter menu at the top of the pane, select the Service drop-down list, and change it to the Self-service Password Management service type.
  5. Optionally, further filter the list by choosing the specific Activity you're interested in.

Combined registration

Combined registration security information registration and management events can be found in the audit logs under Security > Authentication Methods.

Description of the report columns

The following list explains each of the report columns in detail:

  • User: The user who attempted a password reset registration operation.
  • Role: The role of the user in the directory.
  • Date and Time: The date and time of the attempt.
  • Data Registered: The authentication data that the user provided during password reset registration.

Description of the report values

The following table describes the different values that are you can set for each column:

Column Permitted values and their meanings
Data registered Alternate email: The user used an alternate email or authentication email to authenticate.

Office phone: The user used an office phone to authenticate.

Mobile phone: The user used a mobile phone or authentication phone to authenticate.

Security questions: The user used security questions to authenticate.

Any combination of the previous methods, for example, alternate email + mobile phone: Occurs when a two-gate policy is specified and shows which two methods the user used to authentication their password reset request.

Self-Service Password Management activity types

The following activity types appear in the Self-Service Password Management audit event category:

Activity type: Blocked from self-service password reset

The following list explains this activity in detail:

  • Activity description: Indicates that a user tried to reset a password, use a specific gate, or validate a phone number more than five total times in 24 hours.
  • Activity actor: The user who was throttled from performing additional reset operations. The user can be an end user or an administrator.
  • Activity target: The user who was throttled from performing additional reset operations. The user can be an end user or an administrator.
  • Activity status:
    • Success: Indicates that a user was throttled from performing any additional resets, attempting any additional authentication methods, or validating any additional phone numbers for the next 24 hours.
  • Activity status failure reason: Not applicable.

Activity type: Change password (self-service)

The following list explains this activity in detail:

  • Activity description: Indicates that a user performed a voluntary, or forced (due to expiry) password change.
  • Activity actor: The user who changed their password. The user can be an end user or an administrator.
  • Activity target: The user who changed their password. The user can be an end user or an administrator.
  • Activity statuses:
    • Success: Indicates that a user successfully changed their password.
    • Failure: Indicates that a user failed to change their password. You can select the row to see the Activity status reason category to learn more about why the failure occurred.
  • Activity status failure reason:
    • FuzzyPolicyViolationInvalidPassword: The user selected a password that was automatically banned because the Microsoft Banned Password Detection capabilities found it to be too common or especially weak.

Activity type: Reset password (by admin)

The following list explains this activity in detail:

  • Activity description: Indicates that an administrator performed a password reset on behalf of a user.
  • Activity actor: The administrator who performed the password reset on behalf of another end user or administrator. Must be a password administrator, user administrator, or helpdesk administrator.
  • Activity target: The user whose password was reset. The user can be an end user or a different administrator.
  • Activity statuses:
    • Success: Indicates that an admin successfully reset a user's password.
    • Failure: Indicates that an admin failed to change a user's password. You can select the row to see the Activity status reason category to learn more about why the failure occurred.
  • Activity additional details OnPremisesAgent:
    • None: Indicates cloud-only reset.
    • Microsoft Entra Connect: Indicates password was reset on-premises via Microsoft Entra Connect writeback agent.
    • CloudSync: Indicates password was reset on-premises via Microsoft Entra CloudSync writeback agent.

Activity type: Reset password (self-service)

The following list explains this activity in detail:

  • Activity description: Indicates that a user successfully reset their password from Microsoft Entra password reset.
  • Activity actor: The user who reset their password. The user can be an end user or an administrator.
  • Activity target: The user who reset their password. The user can be an end user or an administrator.
  • Activity statuses:
    • Success: Indicates that a user successfully reset their own password.
    • Failure: Indicates that a user failed to reset their own password. You can select the row to see the Activity status reason category to learn more about why the failure occurred.
  • Activity status failure reason:
    • FuzzyPolicyViolationInvalidPassword: The admin selected a password that was automatically banned because the Microsoft Banned Password Detection capabilities found it to be too common or especially weak.

Activity type: Self serve password reset flow activity progress

The following list explains this activity in detail:

  • Activity description: Indicates each specific step a user proceeds through (such as passing a specific password reset authentication gate) as part of the password reset process.
  • Activity actor: The user who performed part of the password reset flow. The user can be an end user or an administrator.
  • Activity target: The user who performed part of the password reset flow. The user can be an end user or an administrator.
  • Activity statuses:
    • Success: Indicates that a user successfully completed a specific step of the password reset flow.
    • Failure: Indicates that a specific step of the password reset flow failed. You can select the row to see the Activity status reason category to learn more about why the failure occurred.
  • Activity status reasons: See the following table for all the permissible reset activity status reasons.

Activity type: Unlock a user account (self-service)

The following list explains this activity in detail:

  • Activity description: Indicates that a user successfully unlocked their Active Directory account without resetting their password from Microsoft Entra password reset by using the Active Directory feature of account unlock without reset.
  • Activity actor: The user who unlocked their account without resetting their password. The user can be an end user or an administrator.
  • Activity target: The user who unlocked their account without resetting their password. The user can be an end user or an administrator.
  • Allowed activity statuses:
    • Success: Indicates that a user successfully unlocked their own account.
    • Failure: Indicates that a user failed to unlock their account. You can select the row to see the Activity status reason category to learn more about why the failure occurred.

Activity type: User registered for self-service password reset

The following list explains this activity in detail:

  • Activity description: Indicates that a user has registered all the required information to be able to reset their password in accordance with the currently specified tenant password reset policy.
  • Activity actor: The user who registered for password reset. The user can be an end user or an administrator.
  • Activity target: The user who registered for password reset. The user can be an end user or an administrator.
  • Allowed activity statuses:
    • Success: Indicates that a user successfully registered for password reset in accordance with the current policy.

    • Failure: Indicates that a user failed to register for password reset. You can select the row to see the Activity status reason category to learn more about why the failure occurred.

      Note

      Failure doesn't mean a user is unable to reset their own password. It means that they didn't finish the registration process. If there is unverified data on their account that's correct, such as a phone number that's not validated, even though they have not verified this phone number, they can still use it to reset their password.

Next steps