Why users should call HelpDesk to reset OWN passwords in the Azure AD? They shouldn’t!
Users should have the possibility to reset their passwords in the AAD without any interaction from a local helpdesk.
In the Azure AD, there is a possibility to enable a function named SSPR – Self Service Password Reset. It allows users to first configure authentification methods, after that – reset the password.
There are a couple of requirements, what you need to enable to get this function working, so don’t waste your time and start configuring it!
Administrator view
The first thing which I do was creating a new AAD group and add test user to this group. Why I do that? NEVER enable function like this one globally, without previous tests.
Just don’t do this.
The second thing which I do was opening AAD Portal > Password reset and enable this function for my specific group.
The next thing which you should configure is Authentication methods. On this tab, you should configure how many methods of reset users should perform.
In my case – I selected one option and allowed users to configure multiple reset options. Also, I selected questions to register by users to perform a reset. You can enable pre-defined questions or add your own.
On the Customization you can add your link for instruction on how to use SSPR and on the Notifications tab – you can select if you want to notify users that their password was reset.
From the Administrator’s view – it will be everything.
End-User view
End-User to configure methods required to do SSPR need to visit the site https://aka.ms/ssprsetup and log in.
After successful login, the user should see that kind of message:
After going to the next step, the user should configure Microsoft Authenticator or another application for codes:
Tip: if a user will configure the Microsoft Authenticator app, there will be a possibility to use push notifications for logon.
I also registered a phone number and additional e-mail address for that user.
When users click on the recovery link during the login process, there will be a requirement to use a method to verify a user.
And… It is everything for now!