Historically, in an on-premises Active Directory deployment, users needed to call the Help Desk to reset a forgotten or lost password. With the ease with which MFA can be deployed in Azure AD – thereby allowing us to confirm user identities – we can make resetting a lost or forgotten password much easier through Self-Service Password Reset (SSPR). This is disabled by default, but a few simple clicks will activate the feature.
NOTE: Password reset network traffic is fully encrypted in transit – so there is no realistic need to worry about your password being intercepted, unless you’re among the most sensitive of users (CEO of a multinational conglomerate, etc.) and are being targeted by the most sophisticated of cracking tools. For the average user, SSPR is 100% safe.
To enable SSPR, follow the below process:
1. Sign into portal.azure.com as an admin.
2. Select Azure Active Directory from the left-side menu, then choose Password Reset.
3. Select Properties, then go to the option Self service password reset enabled and set it to Select Group. We’ll set SSPR to apply to a group containing user accounts only – we should avoid applying the setting to non-user accounts (service accounts, etc.) to reduce the exposure of those accounts. If you don’t already have a suitable group for this, create a new group called SSPR Group and add all normal users as members – then use this group for Password Reset.
4. Select Save, and you’re done!
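The portal steps above create the SSPR Group by hand. The following Microsoft Graph PowerShell script is an added example, not part of the original post, that builds the same group in a repeatable way and then audits it so that only ordinary user accounts end up in scope before the Password Reset blade is pointed at it. It assumes the Microsoft.Graph module is installed and that service accounts in the tenant follow a "svc-" display-name prefix; that prefix is a hypothetical convention used for illustration, so adapt the filter to however your tenant marks service accounts.

```powershell
# Added example (not from the original post): create and audit the "SSPR Group"
# using Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is
# installed and that service accounts use a "svc-" display-name prefix
# (a hypothetical convention used here for illustration).

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$groupName = "SSPR Group"

# Create the security group once; reuse it on later runs.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
                         -MailEnabled:$false `
                         -MailNickname "ssprgroup" `
                         -SecurityEnabled
}

# Candidate members: enabled, tenant-member (not guest) users whose display
# name does not match the service-account convention.
$users = Get-MgUser -All `
                    -Filter "accountEnabled eq true and userType eq 'Member'" `
                    -Property Id, DisplayName, UserPrincipalName
$normalUsers = $users | Where-Object { $_.DisplayName -notlike 'svc-*' }

# Add only users that are not already members, so the script is idempotent.
$existingIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
foreach ($u in $normalUsers) {
    if ($existingIds -notcontains $u.Id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $u.Id
    }
}

# Audit: warn about anything in the group that is not a user object, or that
# looks like a service account, before enabling SSPR for this group.
$members = Get-MgGroupMember -GroupId $group.Id -All
foreach ($m in $members) {
    $odataType = $m.AdditionalProperties['@odata.type']
    if ($odataType -ne '#microsoft.graph.user') {
        Write-Warning "Non-user object in $($groupName): $($m.Id) ($odataType)"
        continue
    }
    $name = $m.AdditionalProperties['displayName']
    if ($name -like 'svc-*') {
        Write-Warning "Service-style account in $($groupName): $name"
    }
}
```

Run the script before step 3 so the group already exists when you choose Select Group, and re-run it periodically: the audit loop at the end is what keeps service accounts and other non-user objects from silently drifting into SSPR scope as membership changes.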
Users can now reset their own Azure AD passwords and will see a Forgot Password option at portal.office.com when they attempt to log in, which walks them through the process of resetting their own password.