How to enable and configure SSPR in Entra ID
How to Enable Azure Active Directory Self-Service Password Reset
Introduction to Self-Service Password Reset
- Sagar Gohil introduces himself as an engineer with the Azure Identity chat team, explaining the purpose of the session: demonstrating how IT admins can enable and configure self-service password reset (SSPR) in Azure Active Directory.
- The feature lets users reset a forgotten password themselves. It is available to cloud-only users on the free tier; synchronized accounts require Azure AD Premium P1 or P2 licenses.
Enabling Self-Service Password Reset
- Admins can navigate to Azure Active Directory in the Azure Portal to enable SSPR. They can enable it for selected groups or for all users.
- Under authentication methods, admins can choose one or two methods (e.g., email and mobile phone) that will be available for end-users during password resets.
- Notifications can be configured for both users and admins regarding account password resets. Admin notifications are set to "yes" by default.
Managing Password Writeback Feature
- The portal also controls the password writeback feature, which matters when writeback has been deployed via Azure AD Connect. If it is disabled in the portal, federated or synchronized users cannot reset their passwords even if writeback is configured.
User Experience During Registration
- After SSPR is enabled, users are prompted at their first logon to complete registration by providing the information required by the admin-selected methods.
- Users must enter either a phone number or email address corresponding with admin settings; they receive a verification code through their chosen method.
Process of Resetting Password
- To reset a password, users click "can't access your account," select the account type (work/school vs personal), and provide their user ID along with CAPTCHA verification.
- They then receive a verification code via email (if registered with email) and enter it along with a new password to complete the process.