Enabling SSPR is a straightforward task. Like many other features in Azure AD, it can be scoped to a group of users.
To enable SSPR, follow these steps:
- Navigate to the Azure portal (https://portal.azure.com) and select Azure Active Directory.
- Under Manage, select Password reset.
- On the Properties page, as shown in Figure 5.21, click Selected to enable SSPR for one or more groups that you choose, or click All to enable SSPR for every user:
Figure 5.21 – Enabling self-service password reset
- Click Save.
Now that SSPR has been enabled, you can manage and configure the features.
Managing SSPR
The SSPR service has a number of configuration options, including Authentication methods, Registration settings, Notifications options, Customization portal, and On-premises integration.
Each of those options can be configured on the Password reset configuration blade of the Azure portal.
Authentication Methods
Authentication methods are used to define how a user proves their identity, such as multifactor authentication or answering security questions. The Authentication methods page lets you select which options a user can register, as well as the number of methods needed to perform a reset. See Figure 5.22:
Figure 5.22 – Authentication methods
If you choose Security questions, additional options are configurable:
• The number of questions a user must supply when they select that option
• The number of security questions they must answer to prove their identity
You can choose up to 20 security questions from a list of predefined options or create your own security questions. Administrators are unable to pre-populate or retrieve answers to end user security questions; users must select their own questions.
Exam Tip
Using the Office phone registration option requires an Azure AD Premium license (either P1 or P2) and can be pre-populated with a phone number in Active Directory under the telephoneNumber attribute (if using Azure AD Connect to synchronize data). Other fields that can be pre-populated for SSPR include a user’s alternate email address and mobile phone number. Alternate email does not synchronize from the on-premises Active Directory and must be set using Set-AzureADUser -OtherMails, Set-MsolUser -AlternateEmailAddresses, or Set-MgUser -OtherMails.
Registration
Options on this page allow you to configure a workflow that forces users to register for SSPR the first time they log in to the Microsoft 365 portal (or any other Azure AD-backed service), as well as the interval, in days, after which users are asked to reconfirm their details.
Notifications
The Notifications page allows you to configure options for alerting on password changes. You can select Notify users on password resets, which sends users an email when their own password is reset via SSPR. The Notify all admins when other admins reset their password setting determines whether all Global Administrators receive a notification when any Global Administrator resets their password via SSPR.
Note
SSPR can be disabled on a per-user basis. In addition, SSPR can be disabled for administrator accounts using the Update-MgPolicyAuthorizationPolicy cmdlet. For more information, see https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/update-mgpolicyauthorizationpolicy.
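The two PowerShell tasks mentioned above, pre-populating a user's SSPR contact data (Exam Tip) and disabling SSPR for administrator accounts (Note), as one added example using the Microsoft Graph PowerShell SDK; this is not code from the book. The UPN and contact values are placeholders, and the cmdlet parameter names are taken from the Microsoft.Graph module as I know it, so treat them as assumptions to confirm with Get-Help before running in a production tenant.

```powershell
# Added example (not from the book): populate SSPR contact fields for one user,
# then disable SSPR for administrator accounts, verifying each change afterwards.
# Assumes the Microsoft.Graph module is installed; values below are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Policy.ReadWrite.Authorization"

$upn = "user@contoso.example"   # placeholder UPN, replace with a real account

# Alternate email is not synchronized by Azure AD Connect, so it must be set in the cloud.
# Mobile phone can be set here for cloud-only users; for synced users the on-premises
# directory is authoritative and the value should be set there instead.
Set-MgUser -UserId $upn `
    -OtherMails @("user.alt@example.com") `
    -MobilePhone "+1 555 555 0100"

# Read back only the SSPR-relevant properties and confirm they are populated.
$u = Get-MgUser -UserId $upn -Property UserPrincipalName, OtherMails, MobilePhone, BusinessPhones
if (-not $u.OtherMails) { Write-Warning "Alternate email is still empty for $upn" }
if (-not $u.MobilePhone) { Write-Warning "Mobile phone is still empty for $upn" }
$u | Select-Object UserPrincipalName, OtherMails, MobilePhone, BusinessPhones

# Record the current tenant authorization policy before changing it (useful for rollback).
$before = Get-MgPolicyAuthorizationPolicy
"AllowedToUseSspr before change: $($before.AllowedToUseSspr)"

# Disable SSPR for administrator accounts. The SSPR scope for regular users
# (configured on the Password reset blade) is unaffected by this setting.
Update-MgPolicyAuthorizationPolicy -AllowedToUseSspr:$false

# Verify the change took effect.
$after = Get-MgPolicyAuthorizationPolicy
if ($after.AllowedToUseSspr) { throw "AllowedToUseSspr is still enabled" }
"AllowedToUseSspr after change: $($after.AllowedToUseSspr)"

Disconnect-MgGraph
```

Set-MsolUser -AlternateEmailAddresses and Set-AzureADUser -OtherMails, named in the Exam Tip, achieve the same alternate-email result with the older modules.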
Customization
The Customization page allows you to display a custom URL or email address for support-related requests.