Enable Microsoft Entra Self-Service Password Reset (SSPR)

Self-Service Password Reset (SSPR)

Before you start to implement Self-Service Password Reset (SSPR) for the users, it’s good to know where you need to enable SSPR:

  • Cloud-only tenant: Enable SSPR in Microsoft Entra ID

  • Hybrid deployment: Enable SSPR in Microsoft Entra ID, enable password writeback in Microsoft Entra Connect Sync, and enable password writeback in Microsoft Entra ID

Self-Service Password Reset license requirements

Check which Self-Service Password Reset features are available for your organization license in the table below:

Feature

Microsoft Entra ID Free

Microsoft 365 Business Standard

Microsoft 365 Business Premium

Microsoft Entra ID P1 or P2

Cloud-only user password change When a user in Microsoft Entra ID knows their password and wants to change it to something new.

Cloud-only user password reset When a user in Microsoft Entra ID has forgotten their password and needs to reset it.

Hybrid user password change or reset with on-prem writeback When a user in Microsoft Entra that’s synchronized from an on-premises directory using Microsoft Entra Connect wants to change or reset their password and also write the new password back to on-prem.

How to enable Self-Service Password Reset in cloud-only tenant

To enable Self-Service Password Reset in cloud only tenant, follow the steps below:

  1. Sign in to Microsoft Entra admin center

  2. Expand Identity > Protection > Password reset

  3. Click on Properties

  4. Select All

  5. Click Save

Note: We recommend you enable Self-Service Password Reset for All users. It’s one of the recommendations from the Microsoft Secure Score.

Enable Microsoft Entra Self-Service Password Reset for all users

  1. Click on Authentication methods

  2. Select 2

  3. Click Save

Enable Microsoft Entra Self-Service Password Reset authentication methods

You did successfully configure Self-Service Password Reset for the cloud-only tenant. Remember to test the self-service password reset in the last part in the article.

Do you have a hybrid deployment (on-premises and cloud)? Follow the next step.

How to enable Self-Service Password Reset in Hybrid deployment

To enable Self-Service Password Reset in Hybrid deployment, follow these steps:

1. Enable Self-Service Password Reset in Microsoft Entra ID

Make sure you enable Self-Service Password Reset in Microsoft Entra ID, as shown in the previous step before you proceed further.

2. Enable password writeback in Microsoft Entra Connect Sync

  1. Sign in to Microsoft Entra Connect server

  2. Start the application Azure AD Connect

  3. On the setup wizard welcome screen, click on Configure

Microsoft Entra Connect Sync welcome screen

  1. Click Customize synchronization options

  2. Click Next

Microsoft Entra Connect Sync customize synchronization options

  1. Enter your Microsoft Entra ID global administrator credentials

  2. Click Next

Connect to Microsoft Entra ID

  1. Click a couple of times on Next to go through the wizard till you reach the Optional Features screen

  2. Check the checkbox Password writeback

  3. Click Next

Enable Password writeback in Microsoft Enra Connect Sync

  1. Click Configure

Microsoft Entra Connect Sync ready to configure

  1. The configuration did complete successfully

  2. Click Exit

Microsoft Entra Connect Sync configuration complete

3. Enable password writeback in Microsoft Entra ID

To enable password writeback in Microsoft Entra ID, follow the steps below:

  1. Sign in to Microsoft Entra admin center

  2. Expand Identity > Protection > Password reset

  3. Click on On-premises integration

  4. Select all checkboxes

  5. Click Save

Enable Microsoft Entra password reset for on-premises integration

4. Set minimum password age policy

Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed.

The group policy for Minimum password age must be set to 0 for password writeback to work most efficiently.

  1. Start Group Policy Management Console (gpmc.msc) on the Domain Controller.

  2. Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

  3. Double-click on the policy Minimum password age and set it it 0 days.

Enable Microsoft Entra password reset for on-premises minumum password age

  1. Run Command Prompt as administrator and use the gpupdate /force command.

You did successfully configure Self-Service Password Reset for the Hybrid environment.

Test Self-Service Password Reset

After it’s set up, the users can use the link https://aka.ms/ssprsetup to reset their password.

The users can register their authentication methods from the link https://aka.ms/ssprsetup. After it’s set up, they can use the link https://aka.ms/sspr to reset their password.

Enable Microsoft Entra Self-Service Password Reset test

They can also change their password from https://aka.ms/mysecurity, and it will write back to on-premises.

Enable Microsoft Entra Self-Service Password Reset password changed

Read more: Secure MFA and SSPR registration with Conditional Access »

REFERENCES

PreviousDetect Logons Outside of Trusted Locations in Microsoft Entra IDNextHow to Check Who Reset an M365 User’s Password Using Entra ID

Last updated

Was this helpful?