Self Service Password Reset (SSPR) in Microsoft Entra ID is one of those features that often goes unnoticed until it is urgently needed. It gives end users the ability to securely reset or unlock their account without calling the helpdesk, while administrators benefit from reduced support costs and an improved security posture. Ideally users will have to use MFA to perform SSPR, which avoids weak security questions that can be guessed or researched. If users perform SSPR themselves in most cases, the requests that still go to the helpdesk should be scrutinized: is it really the account owner making the request, or someone social engineering the helpdesk?
In this post I will walk through the current SSPR experience in Entra ID, not just as a how-to but also as a snapshot in time. Microsoft continues to evolve and rebrand its identity platform, so I am capturing screenshots and details here as a reference point. That way, even if the interface changes in the future, you will have a record of how things looked and worked today.
Update - Changed Azure AD to Entra ID since the branding changed in 2023.
SSPR Process
The user can go to https://aka.ms/SSPR or visit https://passwordreset.microsoftonline.com.
First up, we state who we are by entering the user ID, and complete a CAPTCHA.
Then we complete the verification steps configured by the tenant administrator.
This could be an SMS text message, the Authenticator app, and so on.
Which methods are offered, and how many of them (one or two) are required, is set by the administrator.
In this case we get a text and enter the code that was received on the phone.
It could have been a phone call; that is shown below just for completeness.
Since the Authenticator App was registered for this user, that could also have been used.
Once the SMS challenge is completed, a second verification is needed, since this tenant requires two methods.
This will be the Authenticator app, since we already used the phone.
Once the second verification step is successfully passed, we can finally reset the password.
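The flow above only works if the user has registered enough methods of the kind SSPR can actually challenge with. As an added example (not code from the original post), the script below reads records in the shape of the Microsoft Graph userRegistrationDetails report and flags users who are SSPR-enabled but have fewer usable methods than the administrator requires. The sample records are constructed, the set of SSPR-usable methods is my assumption based on the documented SSPR method list (FIDO2 keys and Windows Hello for Business are sign-in methods, not SSPR verification methods), and collapsing Authenticator push and app code into one method is a deliberately conservative assumption.

```python
import json

# Constructed sample data in the shape of Microsoft Graph's
# reports/authenticationMethods/userRegistrationDetails objects.
# These are illustrative records, not real tenant output.
SAMPLE_REGISTRATION_DETAILS = json.loads("""
[
  {"userPrincipalName": "alice@contoso.example", "isSsprEnabled": true, "isSsprRegistered": true,
   "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
  {"userPrincipalName": "bob@contoso.example", "isSsprEnabled": true, "isSsprRegistered": true,
   "methodsRegistered": ["mobilePhone"]},
  {"userPrincipalName": "carol@contoso.example", "isSsprEnabled": true, "isSsprRegistered": false,
   "methodsRegistered": ["fido2SecurityKey", "windowsHelloForBusiness"]},
  {"userPrincipalName": "dave@contoso.example", "isSsprEnabled": false, "isSsprRegistered": false,
   "methodsRegistered": []}
]
""")

# Assumption: map Graph method names onto the methods SSPR can challenge with.
# Authenticator push and app code are collapsed into one logical method so that
# a single phone app is never counted as satisfying a two-method requirement.
SSPR_METHOD_MAP = {
    "mobilePhone": "mobilePhone",
    "alternateMobilePhone": "alternateMobilePhone",
    "officePhone": "officePhone",
    "email": "email",
    "securityQuestion": "securityQuestion",
    "microsoftAuthenticatorPush": "authenticatorApp",
    "softwareOneTimePasscode": "authenticatorApp",
}


def sspr_readiness(records, required_methods=2):
    """Return {upn: (status, usable_methods)} for each record.

    status is "not in scope" (SSPR not enabled for the user), "ready"
    (enough usable methods registered) or "short" (user would get stuck
    at the verification step, or at the second step when two are required).
    """
    report = {}
    for rec in records:
        upn = rec["userPrincipalName"]
        if not rec.get("isSsprEnabled"):
            report[upn] = ("not in scope", [])
            continue
        usable = sorted({SSPR_METHOD_MAP[m] for m in rec.get("methodsRegistered", [])
                         if m in SSPR_METHOD_MAP})
        status = "ready" if len(usable) >= required_methods else "short"
        report[upn] = (status, usable)
    return report


if __name__ == "__main__":
    for upn, (status, methods) in sspr_readiness(SAMPLE_REGISTRATION_DETAILS).items():
        print(f"{upn:28} {status:13} {', '.join(methods) or '-'}")
```

In a real tenant you would feed this the output of the Graph userRegistrationDetails report (for example from Get-MgReportAuthenticationMethodUserRegistrationDetail) and set required_methods to whatever the SSPR policy demands. Carol is the interesting case: she has strong sign-in methods registered, but nothing SSPR can use, so a reset attempt would fail at the verification step and end up at the helpdesk.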
Bootnotes
Note that if you are resetting an on-premises account (a user synchronised from AD DS), Password Writeback must be enabled in Microsoft Entra Connect. The password you enter must also pass the on-premises AD DS password policies, along with any other security controls running on the domain controllers; one example is Entra ID Password Protection for on-premises AD DS. If any of those reject the new password, the SSPR flow fails at the final step even though the user passed both verifications.
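To make the writeback caveat concrete, here is an added example (not code from the original post) that approximates the two checks a written-back password has to survive: the default AD DS complexity filter, and the Entra ID Password Protection banned-password scoring. Both follow Microsoft's published descriptions of those checks, but the code is a simplification and is not the actual filter: the Password Protection part only does exact substring matches on the normalised password (the real service also does fuzzy matching with an edit distance of one), the banned word list is constructed, and the user and display names are made up.

```python
import re
import unicodedata

# Delimiters the AD DS complexity filter uses to split the display name into tokens
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def _char_category(ch):
    """Map a character onto one of the five AD DS complexity categories (approximation)."""
    cat = unicodedata.category(ch)
    if cat == "Lu":
        return "upper"
    if cat == "Ll":
        return "lower"
    if cat == "Nd":
        return "digit"
    if cat.startswith("L"):           # alphabetic but neither upper nor lower, e.g. CJK
        return "other_alpha"
    if cat.startswith(("P", "S")) and cat != "Sc":   # punctuation/symbols; currency symbols do not count
        return "special"
    return None


def ad_complexity_failures(password, sam_account_name, display_name, min_length=7):
    """Return the list of reasons the password fails the default AD DS policy (empty = pass).

    min_length is the separate minimum-length setting; 7 is the Default Domain Policy value.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    low = password.lower()
    # samAccountName is checked in its entirety, and only if it is at least 3 characters long
    if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        reasons.append("contains samAccountName")
    # displayName is split on delimiters; tokens shorter than 3 characters are ignored
    for token in _NAME_DELIMS.split(display_name or ""):
        if len(token) >= 3 and token.lower() in low:
            reasons.append(f"contains display name token '{token}'")
    categories = {_char_category(c) for c in password} - {None}
    if len(categories) < 3:
        reasons.append(f"only {len(categories)} of 5 character categories (need 3)")
    return reasons


# Entra ID Password Protection normalisation: lowercase plus common substitutions
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def normalize(password):
    return password.lower().translate(_SUBSTITUTIONS)


def password_protection_score(password, banned_words):
    """Score the password the way Entra ID Password Protection does: each banned word
    found counts 1 point, each remaining character counts 1 point, and a score below 5
    is rejected. Returns (score, banned_words_found). Exact-substring matching only."""
    remaining = normalize(password)
    hits = []
    for word in sorted({normalize(w) for w in banned_words if w}, key=len, reverse=True):
        while word in remaining:
            hits.append(word)
            remaining = remaining.replace(word, "", 1)
    return len(hits) + len(remaining), hits


def writeback_would_succeed(password, sam_account_name, display_name, banned_words):
    """Combine both checks; returns (ok, reasons)."""
    reasons = ad_complexity_failures(password, sam_account_name, display_name)
    score, hits = password_protection_score(password, banned_words)
    if score < 5:
        reasons.append(f"Password Protection score {score} < 5 (banned: {hits})")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed banned list; "Contoso" stands in for the tenant's own name
    banned = ["Contoso", "blank", "password"]
    for candidate in ["P@ssw0rd", "C0ntos0Blank12", "C0ntos0Blank123", "janedoe1"]:
        print(candidate, writeback_would_succeed(candidate, "jdoe", "Jane Doe", banned))
```

The two Contoso candidates reproduce Microsoft's own worked example: "C0ntos0Blank12" normalises to contoso + blank + "12" and scores 4, so it is rejected, while adding one more digit lifts it to 5 and it passes. "P@ssw0rd" is the classic case where the substitutions collapse it to a single banned word. Running a check like this before a helpdesk-assisted reset saves a round trip when the on-premises policy is stricter than users expect.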
Cheers,
Rhoderick