SSPR: Enable Azure Active Directory Self-Service Password Reset. Firstly, Self Service Password Reset (SSPR) is a feature of Azure Active Directory that allows you to reset your password in the event of a forgotten password or account lockout. Without the need of calling the IT staff.
Shall we start the article SSPR: Enable Azure Active Directory Self-Service Password Reset.
Well, with the password management activity reports, the account administrators gain insights into the activities related to password reset and registration.
Primarily, Azure AD is licensed per user according to which every user is required to have an appropriate license to be able to use all the Azure AD features.
In a 2022 study, it was noticed that about 80% of the data breach instances happen as a result of some password related issue.
That is where SSPR comes into a picture.
Some of the best user practices of the SSPR in Azure AD are:
- Deploying SSPR along with some other popular apps and services sometimes leads to a large number of sign ins resulting in increased registrations.
- Determining the support call costs before SSPR deployment, and calculating the cost cutdown post deployment to establish the value of SSPR.
The password reset procedure helps organizations save on support costs and maintain productivity standards. It carries the following capabilities:
- Through self service, you reset your passwords (expired and nonexpired) from time to time without requiring support from the helpdesk or administrators.
- In case you have on premise passwords or want the account lockout resolution through the cloud, the Password Writeback feature allows its effortless management.
What Are The Prerequisites Of SSPR?
Before using Self Service Password Request in Azure Active Directory, the following are the prerequisites:
- You must have a functional Azure AD tenant with an Azure AD free trial or an enabled trial license or one of the premium plans.
- If you have the free trial plan, then the self service password requests only work, if you are a cloud user in AD. Also, it should be noted that the free tier plan supports password change but not password reset.
- In case you require on premise password writeback, you need the premium plan of Azure Active Directory.
- Self service password reset is by default enabled for admins in Azure AD.
- You are required to have an account with Global Administrator privileges to be able to enable SSPR.
- Once the password has been reset, it can be tested only by a non-administrator user account.
- By using the Azure Portal, only one Azure AD group to be enabled for self service password request(s).
Try InfraSOS Active Directory & Azure AD Reporting Tools
Try us out for Free, Access to all features. – 200+ AD Report templates Available. Easily customise your own AD reports.
How Does A Password Reset Functionality Work?
Accordingly to HYPR study, it suggests that about 78% of users have to reset their passwords due to forgetting the old password.
Typically, in case of a forgotten password or account lockout, the user launches a self service authentication form to the login prompt of their workstation.
The user has to authenticate their identity using either of these options:
- By answering a series of personal questions.
- Using a hardware authentication code or token.
- Through response to a notification on email.
- In some cases, by biometric samples like voice recognition, retina scanning, etc. (depending upon the authentication factor provided or chosen earlier).
When a user accesses the SSPR portal in the Azure platform, it takes the following factors into account:
- Ways to localize the page.
- Checking the validity of the user account.
- The user’s organization.
- Where the user passwords are being managed.
Then, once the user identity is re-established using one of the above methods, you change the password, retain the forgotten password or seek a randomly generated password.
The system of self service password reset option serves to:
- Reduce the help desk call volume.
- Ensures, that the password reset is allowed only after the required number of authentication steps have been successfully crossed.
- Protect the accounts from instances of social engineering attacks — when a caller pretends to be the user/intended victim user, and seeks a new password on the pretext of having forgotten the old password.
Key Benefits Of Deploying SSPR In The Azure Active Directory
- Cost management — By enabling SSPR, the IT department costs reduce considerably.
- Intuitive user experience — With an intuitive one time user registration process, the users manages the password reset process or block or unblock accounts from anywhere. Afterwards, this helps in maintaining productivity and an unhindered work pace for the user.
- Secure and Flexible — With SSPR, enterprises or bigger firms access the security and flexibility of a cloud platform. Then, it allows the administrators to implement any updated security changes to the user accounts without affecting their sign in process.
- Efficient Usage Tracking and Auditing — Audit logs observe and save every step of the password reset process. Available via API, these logs allow the users to import the data into their choice of Security Incident And Event Monitoring system. Albeit, the entire system ensures the safety and security of the user accounts.
We have arrived to the main part of article SSPR: Enable Azure Active Directory Self-Service Password Reset.
Enable Azure Active Directory Self-Service Password Reset
Basically, Self Service Password Reset is enabled in the Azure Active Directory using the following steps:
- Using your Global Administrator Account, log in to your Azure account.
- Type ‘Azure Active Directory’ in the search bar, and select ‘Azure Active Directory’.
- Click on ‘Password reset’ and then go to ‘Properties’.
- To save the self service password reset and account unlock of the selected users, click on ‘Save’.
Remember, the above process must be secured through user authentication methods. Configure these methods by following these steps:
- Click on the tab of ‘Authentication Methods’. Concurrently, it asks ‘Number of methods required for reset’. Then, toggle the number to whatever you find appropriate as per your organizational strength.
- Select ‘Methods Available To Users’. Choose the methods.
- Click on ‘Save’.
End User Experience When SSPR Login Is Enabled For A User
When the SSPR is enabled for a user account, the user is required to go to either Outlook on the web or to the Office 365 portal or an Office 365 service login.
This is what the user experiences upon logging in for the first time after SSPR has been enabled for their account:
- Log in with your existing username and password.
- A prompt appears that says ‘Your organization needs more information to keep your account secure’. Click on ‘Next’. (Note: This prompt appears only if the user is logging in for the first time after SSPR enablement.)
- Set up your ‘Authentication Phone’ and ‘Authentication Email’ which is required in the future during password reset.
- There is a ‘Set it up now’ prompt against each authentication method. Click on it.
- Click on ‘Finish’ once the authentication method is complete.
How To Test Self-Service Password Reset?
Consequently, once the SSPR is enabled, it is tested as follows:
- In the browser, visit https://aka.ms/ssprsetup.
- After entering your credentials, click Next.
- Follow the verification steps required for a password reset. After, you receive an email notifying you about the password reset.
Thank you for reading SSPR: Enable Azure Active Directory Self-Service Password Reset. We shall conclude the article.
SSPR: Enable Azure Active Directory Self-Service Password Reset Conclusion
Finally, password issues that lead to account lockouts in organizations affect the workflow and overall output of your organization.
As per Dashlane, about 18% of people reset their work password an average of five or more times.
Evidently, Azure AD makes it convenient and time saving for users to reset their account passwords via SSPR without going through the hassles of repeated calls to the support or admins. Further, it is only after an adequate level of user authentication that the Azure AD allows you to reset your password. Lastly, this ensures account security and safety from phishing or password attacks.
Try InfraSOS for FREE
Invite your team and explore InfraSOS features for free
- Free 15-Days Trial
- Easy Setup
- Full Access to Enterprise Plan
