Configuring self-service password reset – Planning and Implementing Authentication
Enabling SSPR is a straightforward task. Like many other features in Azure AD, it can be scoped to a group of users.
To enable SSPR, follow these steps:
- Navigate to the Azure portal (https://portal.azure.com) and select Azure Active Directory.
- Under Manage, select Password reset.
- On the Properties page, click Selected if you want to be able to select one or more groups to enable SSPR. Click All if you want to enable all users for SSPR.
Figure 7.25 – Enabling SSPR
- Click Save.
Now that password reset has been enabled, you can manage and configure the features.
Managing self-service password reset
SSPR has a number of configuration options, including Authentication methods, Registration settings, Notifications options, portal Customization options, and On-premises integration. Each of those options can be configured on the Password reset configuration blade of the Azure portal.
Authentication methods
Authentication methods define how a user proves their identity before a reset is allowed, for example by approving a notification in the Microsoft Authenticator app, entering a code sent to a mobile phone or alternate email address, or answering security questions. The Authentication methods page lets you select which methods users can register, as well as the number of methods a user must complete to perform a reset.
Figure 7.26 – Authentication methods
If you choose security questions, additional options are configurable, including the number of questions a user must supply when they select that option and the number of those security questions they must answer to prove their identity. You can choose up to 20 security questions from a list of pre-defined options or create your own security questions. Administrators are unable to pre-populate or retrieve answers to end user security questions; users must select their own questions.
EXAM TIP
Using the Office phone registration option requires an Azure AD Premium license (either P1 or P2) and can be pre-populated with a phone number from AD under the telephoneNumber attribute (if using Azure AD Connect to synchronize data). Other fields that can be pre-populated for SSPR include a user’s alternate email address and mobile phone number (the latter synchronizes from the on-premises mobile attribute). An alternate email does not synchronize from the on-premises AD and must be set using Set-AzureADUser -OtherMails, Set-MsolUser -AlternateEmailAddresses, or Update-MgUser -OtherMails.
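The following script is an added example, not code from the book, showing how an administrator pre-populates the SSPR contact data described in the exam tip for both a cloud-only and a synced user, and then reads it back to confirm what SSPR will use. It assumes the Microsoft.Graph.Users module, the ActiveDirectory RSAT module (for the synced user) and, where the sync cycle is triggered, that it runs on the Azure AD Connect server; the user names, domains and phone numbers are placeholders.

```powershell
# Added example (not from the book): pre-populate SSPR authentication contact data.
# Assumptions: Microsoft.Graph.Users and ActiveDirectory modules are available,
# the signed-in account holds User.ReadWrite.All, and it can write to the
# on-premises user objects. All names, UPNs and phone numbers are placeholders.

Connect-MgGraph -Scopes "User.ReadWrite.All"

# --- Cloud-only user: every SSPR field can be written straight to Azure AD ---
$cloudUpn = "alice@contoso.onmicrosoft.com"
$cloudData = @{
    UserId         = $cloudUpn
    OtherMails     = @("alice.personal@example.com")   # alternate email (never synced from AD)
    MobilePhone    = "+1 4255550100"                   # mobile phone
    BusinessPhones = @("+1 4255550199")                # office phone (Premium P1/P2 required)
}
Update-MgUser @cloudData

# --- Synced user: phone numbers are mastered on-premises ---
# telephoneNumber (OfficePhone) and mobile (MobilePhone) flow up through Azure AD
# Connect, so they must be set in AD; writing them in the cloud would be
# overwritten by the next sync. Only the alternate email is set in Azure AD.
Set-ADUser -Identity "bob" -OfficePhone "+1 4255550150" -MobilePhone "+1 4255550151"
Update-MgUser -UserId "bob@contoso.com" -OtherMails @("bob.personal@example.com")

# Optional, on the Azure AD Connect server: push the change now instead of
# waiting for the scheduled (30-minute) delta cycle.
Start-ADSyncSyncCycle -PolicyType Delta

# --- Verify what SSPR will see ---
# -Property is required: Get-MgUser returns only a default attribute subset.
$fields = "UserPrincipalName", "OtherMails", "MobilePhone", "BusinessPhones"
foreach ($upn in $cloudUpn, "bob@contoso.com") {
    Get-MgUser -UserId $upn -Property $fields |
        Select-Object UserPrincipalName, OtherMails, MobilePhone, BusinessPhones
}
```

Check the synced user again after the sync cycle completes; until then MobilePhone and BusinessPhones still show the pre-sync values. Security questions cannot be pre-populated this way, as the text above notes, so users must still complete registration themselves if that method is required.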
Registration
The options on this page allow you to require users to register for SSPR the next time they sign in (Require users to register when signing in), as well as to set the number of days before users are asked to reconfirm their authentication information. Setting that interval to 0 means users are never asked to reconfirm.
Notifications
The Notifications page allows you to configure alerting on password resets. You can select Notify users on password resets, which sends users an email when their own password is reset via SSPR. The Notify all admins when other admins reset their password setting determines whether all Global Administrators receive a notification when any administrator resets their own password via SSPR.
Customization
The Customization page allows you to display a custom URL or email address for support-related requests.
On-premises integration
If you have configured Azure AD Connect or Azure AD Connect cloud sync with your organization, you can manage SSPR integration features, as shown in Figure 7.27:
Figure 7.27 – On-premises integration
It’s important to note that setting Enable password write back for synced users to No only stops Azure AD from sending password resets back to the on-premises environment; in effect it switches the on-premises integration off from the cloud side. It does not change the Azure AD Connect configuration itself: the password writeback feature remains enabled on the connector until you disable it in the Azure AD Connect wizard, and it will start handling resets again as soon as the portal option is turned back on.
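Because the portal toggle leaves the connector untouched, a practitioner who turns writeback off in the cloud should confirm the on-premises side separately. The script below is an added example, not from the book, run on the Azure AD Connect server; it assumes the ADSync module and its Get-ADSyncAADPasswordResetConfiguration and Set-ADSyncAADPasswordResetConfiguration cmdlets, and that the Azure AD connector follows the usual "<tenant>.onmicrosoft.com - AAD" naming convention.

```powershell
# Added example (not from the book): verify, and optionally disable, password
# writeback on the Azure AD Connect connector. Assumes the ADSync module and the
# Get-/Set-ADSyncAADPasswordResetConfiguration cmdlets; the connector is located
# by the " - AAD" suffix Azure AD Connect gives the Azure AD connector.
Import-Module ADSync

$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like "* - AAD" }
if (-not $aadConnector) {
    throw "No Azure AD connector found; is this the Azure AD Connect server?"
}

$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
Write-Output ("Password writeback on connector '{0}': {1}" -f $aadConnector.Name, $writeback.Enabled)

if ($writeback.Enabled) {
    Write-Warning "Writeback is still enabled on-premises. Turning the portal option off" +
                  " only stops Azure AD from sending resets; disable it here as well if" +
                  " the integration is meant to be retired."
    # Uncomment to actually disable writeback on the connector (equivalent to
    # clearing 'Password writeback' in the Azure AD Connect wizard):
    # Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $false
}
```

The opposite mismatch is just as worth checking: if writeback is enabled on-premises but set to No in the portal, synced users will fail SSPR with a writeback error even though Azure AD Connect looks correctly configured.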
Next, we’ll look at the features of Azure AD password protection.