
SSPR Screenshots – December 2022

Self Service Password Reset (SSPR) in Microsoft Entra ID is one of those features that often goes unnoticed until it is urgently needed. It gives end users the ability to securely reset or unlock their account without calling the helpdesk, while administrators benefit from reduced support costs and improved security posture. Ideally users will have to use MFA to perform SSPR. This means that lame security questions that can be guessed are avoided. If users do SSPR themselves in most cases, the requests that do go to the helpdesk should be scrutinized. Is it really the account owner making the request, or is someone using social engineering against the helpdesk?

In this post I will walk through the current SSPR experience in Entra ID, not just as a how to but also as a snapshot in time. Microsoft continues to evolve and rebrand its identity platform, so I am capturing screenshots and details here as a reference point. That way, even if the interface changes in the future, you will have a record of how things looked and worked today.

Update - Changed Azure AD to Entra ID since the branding changed in 2023.

SSPR Process

The user can go to https://aka.ms/SSPR or visit https://passwordreset.microsoftonline.com.

First up we need to state who we are, and complete a CAPTCHA.

Entra ID SSPR - Landing Page

Then complete the verification that was configured by the tenant administrator.

Entra ID SSPR - Verification Step 1

This could be an SMS text, the Authenticator App, etc.

The type and how many are required are set by the administrator.

In this case we get a text, and enter the code that was received on the phone.

Entra ID SSPR - Verification Step 1 - SMS

It could have been a phone call; that is shown below just for completeness.

Entra ID SSPR - Verification Step 1 - Phone Call

Since the Authenticator App was registered for this user, that could also have been used.

Entra ID SSPR - Verification Step 1 - Authenticator

Once the SMS challenge was completed, a second verification is needed.

This will be the Authenticator app since we already did the phone thing.

Entra ID SSPR - Verification Step 2 - Authenticator

Once the second verification step was successfully passed, we can finally reset the password.

Entra ID SSPR - Verification Complete - Choose A New Password

 

 

Bootnotes

Note that if you are resetting an on-premises account, Password Writeback must be enabled on Connect. The password that you enter must also pass the on-premises AD DS password policies and be accepted by any other security controls on the domain controllers. One example would be Entra ID Password Protection.

Cheers,
Rhoderick

Rhoderick Milne [MSFT]
