Implement Self-service password reset in Microsoft 365
Self-service password reset (SSPR) is a possibility you're used to with other websites you log on to. For example, Gmail has a self-service password reset. In short, self-service password reset means a user that forgot their password can reset it without contacting an administrator. The user can authorize themselves in another fashion whether it's a text message using the Microsoft authenticator app or a phone call.
While self-service password reset doesn't enhance the security of your Microsoft 365 tenant it does reduce the call volume to your help desk.
If you’re synchronizing your on-premises AD to Office 365 setting up a self-service password reset service isn't as easy as flipping a switch. The good thing about synchronizing your on-premises AD to Microsoft 365 and configuring a self-service password reset service is users can reset their on-premises AD password using the Microsoft 365 self-service portal. When configuring SSPR while you have AD connect configured Microsoft calls it password writeback.
As I said earlier, configuring SSPR when synchronizing your user accounts from your on-premises AD isn't as easy as flipping a switch. First will need to configure the on-premises AD to allow Office 365 to reset the passwords. Then we all need to configure AD connect to allow users to reset their passwords. Finally, we’ll need to configure Microsoft 365 to allow users to reset their passwords.
If you're configured with a Microsoft 365 cloud-only account, which means you're not using AD Connect to synchronize your on-premises AD to Office 365 then the self-service password reset it's free. If you are synchronizing your on-premises AD to Office 365 then you'll need an Azure AD Premium P1 license. Azure AD P1 licenses or included In Microsoft 365 business premium licensing.
Configuring on-premises AD to prepare for SSPR
First, will need to give the AD connect account permission to reset users’ passwords.
1. Log onto the server that has AD Connect installed.
2. Open Azure AD Connect. Click Configure. Click View or export current configuration. Click Next.
3. Take note of the account listed under Synchronized Directories > Account.
4. Exit the AD Connect wizard.
5. Login onto a server that has Active Directory Users & Computers.
6. Open Active Directory Users and Computers. Click View > Advanced Features
(if there is a checkbox next to Advanced Features then don’t click it.)
7. Right-click the root domain > Properties.
8. Click the Security tab > Advanced.
9. Click Add.
10. Click Select a principal > enter the name of the account you found in step 3 above. Click OK.
11. Click the Applies to drop-down and select Descendant User Objects.
12. Click Reset password (located under Permissions).
13. Find and check Write lockoutTime.
14. Find and check Write pwdLastSet.
15. Click OK.
16. Click Add again.
17. Click Select a principal > enter the name of the account you found in step 3 above. Click OK.
18. Click Unexpire password. Click OK until you’ve closed all the windows.
Configure password writeback in AD Connect
Next, we’ll need to enable password write-back in AD Connect.
1. Logon to the AD Connect server.
2. Double click Azure AD Connect.
3. Click Configure.
4. Click Customize synchronization options. Click Next.
5. Enter your Microsoft 365 global admin credentials. Click Next. If required, re-enter your credentials in the space provided.
6. On the Connect your directories page, click Next.
7. On the Domain and OU filtering page, click Next.
8. On the Optional features page, click Password writeback. Click Next.
9. On the Ready to configure page, click Configure.
10. Wait until the configuration is complete. Then click Exit.
Enable SSPR in Microsoft 365
Lastly, we need to enable self-service password reset in Microsoft 365.
1. Open Azure Active Directory admin center and login with a global admin account > Azure Active Directory > Password Reset.
2. Click All to enable SSPR for everyone. Click Save.
3. Go to on-premises integration. Click Yes under Write back passwords to your on-premises directory. Click Save.
Enable combined registration
Enabling combined registration will mean users will only need to register a device once for a multifactor and self-service password reset. Without enabling combined registration users will need to add their cell phone twice. This feature is already enabled for new tenants.
1. log in to Azure Active Directory admin center with global admin credentials.
2. Go to Azure Active Directory > User Settings > Manage user feature settings.
3. Click All under Users can use the combined security information registration experience. Click Save.
Set authentication methods and harden security
So now we've configured self-service password reset but how do we harden the security? There is a couple of ways. First, let's jump into the authentication methods.
1. Sign in to Azure Active Directory admin center with a global admin. Then go to Azure Active Directory > Password reset > Authentication methods.
2. If you want to require a user to have 2 methods of authentication when resetting the password click 2.
3. If you want to allow the users to provide answers to security questions or an office phone to authenticate click the checkboxes.
4. Click Save.
End-users experience setting up their own authentication methods
Now self-service password reset is enabled for your tenant. How do users configure their authentication methods? It’s easy.
1. Go to https://portal.office.com
2. Login with their work credentials.
3. On the More information required page click Next.
4. Enter your phone number in the space provided. Click Next.
5. Enter the code that’s texted to you. Click Next.
6. Click Next > Done.
End-user experience resetting their passwords
In this section, I'll explain the end-user experience of resetting their passwords.
1. Go to https://portal.office.com
2. Click Can’t access your account?
3. Click Work or school account.
4. Enter your username in the space provided. Fill out the CAPTCHA in the space provided. Click Next.
5. Enter your phone number in the space provided. Click Text.
6. Enter the code texted to you. Click Next.
7. Enter your new password twice. Click Finish.
There are a few more settings that can be changed in https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/ so be sure to take a look.