In the modern workplace we use the authentication techniques provided by Windows Hello for Business, such as biometrics and a PIN. As a result, users don’t sign in with their password all the time. Nowadays Microsoft even recommends not setting a password expiration policy, because passwords that expire make users pick predictable passwords, composed of sequential words and numbers that are closely related to each other. So, by forcing users to create complex passwords, by making sure that common passwords can no longer be used, and by using multi-factor authentication, we can keep accounts more secure.

If users work primarily on their Windows 10 modern workplace and sign in using their biometrics or PIN, they might forget their password, since it is never asked for. Companies especially see this happening after holidays, when end users returning from their holiday have forgotten their password.

By enabling Self Service Password Reset (SSPR) in your Azure Active Directory you can delegate the task of resetting a password back to the user. This can save you a lot of support calls. The functionality relies on the user having a second authentication factor configured, which the user must set up before SSPR can be used. SSPR requires at least Azure Active Directory Premium P1 licensing for all users who use the functionality.

This blog post goes through the necessary steps, giving you an overview of how to enable it, configure it and use it from both a user and an administrator perspective.

Enabling Self Service Password Reset

SSPR can be enabled from the Azure Active Directory admin portal; the settings related to SSPR can be found under the Password reset section. You can enable the feature for All users or for a Selected set of users (based on an Azure AD group). While testing the setup it is a good idea to enable the functionality for a specific set of users first.

[Screenshot: Azure Active Directory admin center, All services > Password reset > Properties, with the self service password reset enabled setting]
Enable Self Service Password Reset

Configuring Self Service Password Reset

You can configure SSPR before it is enabled, which is handy because you can complete the configuration first. The settings you can make are described below:

Authentication Methods

On the Authentication methods page you define the number of alternate methods of identification a user must have to reset their password. This is either one or two alternate methods.

You can also specify which methods are available to the user when using the SSPR functionality. These methods must be registered first of course; the best way to do that is to use the Security info section on the user’s My Sign-ins page. You can redirect users using the short URL: https://aka.ms/setupsecurityinfo

The following methods are available:

  • Mobile App Notification
  • Mobile App code (verification code)
  • Email
  • Mobile Phone
  • Office Phone
  • Security Questions

For Mobile app notification and Mobile app code, the Mobile app must be set up first; this can be done by redirecting your users either to the MFA setup page or to the Security info registration page. There are some restrictions when using the Mobile app, though.

When you configure the number of alternate methods of identification as “1”, you can only use the verification code from the Mobile app and not the Notification option; the option to select Mobile app notification will be greyed out. When this setting is set to “2”, both options can be used. You also cannot select the Authenticator app together with only one additional method: in that case you must have at least two additional methods selected. The reason for this restriction is that the old SSPR registration experience, available via https://aka.ms/ssprsetup, didn’t provide the option to register for MFA. This is now solved by the new preferred way to set up SSPR (and MFA) using the Security info registration page.

[Screenshot: Password reset > Authentication methods: number of methods required to reset, and the selectable methods (Mobile app notification, Mobile app code, Email, Mobile phone, Office phone, Security questions)]
Allowed authentication methods and requirements

If Security questions are selected, new options appear on the configuration page: you must specify the number of questions the user must answer in order to register, and the number of questions that must be answered correctly in order to be allowed to reset their password.

To specify the security questions, the administrator can either choose to use predefined questions or create new ones. The predefined questions that can be selected are:

  • In what city did you meet your first spouse/partner?
  • In what city did your parents meet?
  • In what city does your nearest sibling live?
  • In what city was your father born?
  • In what city was your first job?
  • In what city was your mother born?
  • What city were you in on New Year’s 2000?
  • What is the last name of your favorite teacher in high school?
  • What is the name of a college you applied to but didn’t attend?
  • What is the name of the place in which you held your first wedding reception?
  • What is your father’s middle name?
  • What is your favorite food?
  • What is your maternal grandmother’s first and last name?
  • What is your mother’s middle name?
  • What is your oldest sibling’s birthday month and year? (e.g. November 1985)
  • What is your oldest sibling’s middle name?
  • What is your paternal grandfather’s first and last name?
  • What is your youngest sibling’s middle name?
  • What school did you attend for sixth grade?
  • What was the first and last name of your childhood best friend?
  • What was the first and last name of your first significant other?
  • What was the last name of your favorite grade school teacher?
  • What was the make and model of your first car or motorcycle?
  • What was the name of the first school you attended?
  • What was the name of the hospital in which you were born?
  • What was the name of the street of your first childhood home?
  • What was the name of your childhood hero?
  • What was the name of your favorite stuffed animal?
  • What was the name of your first pet?
  • What was your childhood nickname?
  • What was your favorite sport in high school?
  • What was your first job?
  • What were the last four digits of your childhood telephone number?
  • When you were young, what did you want to be when you grew up?
  • Who is the most famous person you have ever met?

You can also specify custom questions, like “What’s the name of your favorite user group?”

[Screenshot: Select security questions dialog showing the questions chosen by the admin, including the custom question “What’s the name of your favorite user group?”]
Selected security questions by an admin

Registration

Under Registration you can configure whether users are required to register their authentication methods when signing in. This setting only applies to end users. Administrators are always enabled for self-service password reset and are required to use two authentication methods to reset their password.

If registration is required, unregistered users are prompted to register their own authentication information when they sign in for the first time. If registration is not required (the setting is set to “No”), you’ll have to provide your users with a link to the Security info registration page, or configure some of the settings on the Authentication methods page of the user properties in Azure AD.

Jan Bakker wrote an interesting article on how to provision some of the authentication methods with data coming from other systems: you provide the data to Power Automate, which populates the authentication methods using the Graph API.

Check: Prepopulate phone methods for MFA and SSPR using Graph API

You can also specify the interval in days after which users are required to re-confirm their authentication information. If this is set to 0, users never have to re-confirm; the maximum value is 730 days.

Notifications

On the Notifications page you can specify whether users are notified after their password is reset using the SSPR functionality. The user receives an email on their primary and alternate email address. You can also specify whether other admins (global administrators) receive a notification when one of the administrators changes their password using SSPR.

Customization

On the Customization page you can specify a custom helpdesk email address or URL for end users to see. There are quite a few scenarios where SSPR will not work, and you might want to provide your end users with information about how to reach IT support when needed.

On-Premises Integration

If you use Azure AD Connect to synchronize your on-premises identities from Active Directory to Azure AD, you can configure the On-premises integration option.

For this to work, you must make sure that password writeback is enabled in the Azure AD Connect configuration.

Azure AD Connect password writeback configuration

You must also make sure that the on-premises account used by Azure AD Connect has enough rights on the user objects to perform the password reset/unlock of the account. If you used the defaults during the configuration of Azure AD Connect, the MSOL_<random number> account already has the necessary rights. If you decided to use a pre-created account, you must verify whether this account has the necessary rights. See Configure account permissions for Azure AD Connect on how to configure the AD account with just enough rights to perform password resets on behalf of the user.

Reporting on SSPR usage

Once SSPR is set up and in use, you can use the Usage & insights page to view statistics about the registration and usage within your organization.

[Screenshot: Usage & insights > Registration usage, last refreshed 1/22/2021. Tiles: Users registered for Multi-Factor Authentication 152 of 211; Users registered for self-service password reset 167 of 211; Users enabled for self-service password reset 211 of 211 (All users are enabled!); Users who can reset their own passwords 167 of 211; each tile with a “See who’s not registered” link. Usage chart: last 30 days.]
Reporting on registration and usage

On the Registration page you can see figures about:

  • Users registered for Multi-factor authentication
  • Users registered for SSPR
  • Users enabled for SSPR
  • Users who can reset their own password

The page also provides hyperlinks to more detailed information, such as which users are not registered for MFA. From that page you can also download the list of users.

On the Usage page you can see a report on the usage of SSPR within your organization. You can specify a timeframe of at most 30 days, and the report shows you the authentication methods used. Here too, a hyperlink takes you to a page with more detailed information.
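As an added example that is not part of the original post, the following PowerShell reproduces the four figures of the Registration page and the “See who’s not registered” list from the Microsoft Graph registration details report. It assumes the Microsoft.Graph PowerShell module and an account allowed to read that report (the script requests the AuditLog.Read.All scope); the CSV file name is arbitrary.

```powershell
# Added example (not from the original post): rebuild the SSPR Registration
# dashboard figures and the "See who's not registered" list via Microsoft Graph.
# Assumes the Microsoft.Graph module and an account that may read the
# authentication methods registration report (AuditLog.Read.All scope).
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# The report is paged; follow @odata.nextLink until every user has been read.
$uri = 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails'
$details = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $details += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$total = $details.Count

# The four tiles of the Registration page map onto four report properties.
$summary = [ordered]@{
    'Users registered for Multi-Factor Authentication' = @($details | Where-Object { $_.isMfaRegistered }).Count
    'Users registered for self-service password reset' = @($details | Where-Object { $_.isSsprRegistered }).Count
    'Users enabled for self-service password reset'    = @($details | Where-Object { $_.isSsprEnabled }).Count
    'Users who can reset their own passwords'          = @($details | Where-Object { $_.isSsprCapable }).Count
}
$summary.GetEnumerator() | ForEach-Object { '{0}: {1} of {2}' -f $_.Key, $_.Value, $total }

# Users in scope of the SSPR policy who have not registered yet: these accounts
# will get the "More information required" prompt (or cannot reset at all when
# registration is not enforced). Export them for follow-up by the helpdesk.
$details |
    Where-Object { $_.isSsprEnabled -and -not $_.isSsprRegistered } |
    Select-Object userPrincipalName, isAdmin, isMfaRegistered,
        @{ n = 'methodsRegistered'; e = { $_.methodsRegistered -join ';' } } |
    Sort-Object userPrincipalName |
    Export-Csv -Path .\sspr-not-registered.csv -NoTypeInformation
```

Admin accounts show up in this list with isAdmin set to true; since they are always enabled for SSPR, they are the ones to follow up first.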

Setup SSPR as an end user

When an end user who has no authentication methods defined, or who hasn’t registered for SSPR yet, logs on, he/she is presented with a “More information required” notice. When the user clicks Next they are redirected to the Security info registration page, where they can either provide or validate their authentication methods.

How can a user change their password?

The user can change their password in several ways. The methods are:

Forgot my password on the sign-in page

If a user signs in to Azure AD, the user can use the “Forgot my password” link on the Enter password page when signing in on the web.

What about Admins?

Admin accounts are enabled for SSPR by default, and they have to use two authentication methods to be able to reset their password. So, the policy for administrators can differ from the one defined for your end users. Administrators cannot use security questions as an authentication factor.

The policy applies when 30 days have elapsed in a trial subscription, when a custom domain has been configured for the Azure AD tenant, and when Azure AD Connect is in use to sync identities from an on-premises Active Directory.

The following administrative roles are considered admin accounts:

  • Helpdesk administrator
  • Service support administrator
  • Billing administrator
  • Partner Tier1 Support
  • Partner Tier2 Support
  • Exchange administrator
  • Skype for Business administrator
  • User administrator
  • Directory writers
  • Global administrator or company administrator
  • SharePoint administrator
  • Compliance administrator
  • Application administrator
  • Security administrator
  • Privileged role administrator
  • Intune administrator
  • Application proxy service administrator
  • Dynamics 365 administrator
  • Power BI service administrator
  • Authentication administrator
  • Privileged Authentication administrator

You can disable the use of SSPR for administrator accounts using the Set-MsolCompanySettings PowerShell cmdlet. The -SelfServePasswordResetEnabled $False parameter disables SSPR for administrators.

If an admin resets their password, other admins are notified as well.

From: Microsoft on behalf of Contoso <msonlineservicesteam@microsoftonline.com>
Fri 1/22/2021 8:09 PM
To: Allan Deyoung
Cc: Isaiah Langer; Lidia Holloway; MOD Administrator; Nestor Wilke; provisioninguser4@M365x102715.OnMicrosoft.com; others

Password reset notification

The password on the following account in your organization has recently been reset.

MeganB@M365x102715.OnMicrosoft.com
First Name: Megan
Last Name: Bowen

If you believe that this account's password has been reset by a malicious user, please consider resetting this account's password manually or enabling multi-factor authentication in order to protect from further attacks.

Sincerely,
Contoso

Notification of admin password reset; other admins are notified too.

Clicking the Reset password link on the Windows 10 login screen

You can enable a “Reset password” link on the password login screen of a Windows 10 device. Microsoft explains how to enable this functionality via a custom OMA-URI configuration policy, setting ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset to a value of 1. More about setting up this functionality in this article: Enable Azure Active Directory self-service password reset at the Windows sign-in screen
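The following PowerShell creates and assigns that custom OMA-URI profile through Microsoft Graph instead of clicking through the Intune portal. It is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph module, the DeviceManagementConfiguration.ReadWrite.All scope, and a device group whose object id you paste into $targetGroupId (placeholder).

```powershell
# Added example (not from the original post): create the Intune custom (OMA-URI)
# device configuration that shows the "Reset password" link on the Windows 10
# sign-in screen, then assign it to a device group.
# Assumes the Microsoft.Graph module and an account that may write device
# configurations (DeviceManagementConfiguration.ReadWrite.All scope).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Placeholder: object id of the Azure AD group containing the Windows 10 devices.
$targetGroupId = '<object id of the target device group>'

# The setting is the one named in the post: an integer OMA-URI with value 1.
$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Windows 10 - Allow Azure AD password reset at sign-in'
    description   = 'Shows the Reset password link on the lock screen (SSPR)'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'AllowAadPasswordReset'
            omaUri        = './Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
            value         = 1
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created profile '$($created.displayName)' with id $($created.id)"

# A profile does nothing until it is assigned; target the device group.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $targetGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

The link only appears on devices that are Azure AD joined and have synced the policy; users still need registered SSPR methods before the reset itself succeeds.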

Conclusion

Enabling Self Service Password Reset (SSPR) is a welcome addition to your Microsoft Modern Workplace. It’s easy to set up, customizable to your needs, and not too complex to set up even if you synchronize your identities using Azure AD Connect. My suggestion would be to enable this in your tenant and explain to your users how to leverage its functionality.

For the rollout, Microsoft provides all kinds of material that can help you bring the message to your end users; you can find it here: Self-service password reset rollout materials

The post Enabling Self Service Password Reset (SSPR) for your Modern Workplace users first appeared on Modern Workplace Blog.

I started my career in 1995 as a System Engineer in the broadcast industry, building and maintaining video editing suites and television studios and later specializing in Telecine equipment. In 1998 I switched to a first line support function within the Information Technology on the dealing room of a large bank, working my way up to a 3rd line support engineer. From this position I started to work on projects, which eventually resulted in projects where I worked across the border. In this period I implemented and designed several deployment solutions for mass rollout of workstations, laptops and servers. Since 2009 I switched to a consultancy function mainly focusing on but not limited to System Center design and implementation projects; besides that I became a Microsoft Certified Trainer (MCT) and currently teach System Center related classes (SCCM, SCOM and SCSM). In January 2010 I received the Microsoft MVP award with the expertise Setup & Deployment, which was extended in 2011 and 2012. In 2013 and 2014 I was awarded the VMware vExpert award. In October 2014 I received the Microsoft MVP award with the expertise System Center Cloud and Datacenter Management (SCCDM).
