Implement Self-service password reset in Microsoft 365

Self-service password reset (SSPR) is a possibility you're used to with other websites you log on to. For example, Gmail has a self-service password reset. In short, self-service password reset means a user that forgot their password can reset it without contacting an administrator. The user can authorize themselves in another fashion whether it's a text message using the Microsoft authenticator app or a phone call.

While self-service password reset doesn't enhance the security of your Microsoft 365 tenant it does reduce the call volume to your help desk.

If you’re synchronizing your on-premises AD to Office 365 setting up self-service password reset, it isn't as easy as flipping a switch. The good thing about synchronizing your on-premises AD to Office 365 and configuring self-service password reset is users can reset their on-premises AD password using the Microsoft 365 self-service portal. When configuring SSPR while you have AD connect configured Microsoft calls it password writeback. 

As I said earlier, configuring SSPR when synchronizing your user accounts from your on-premises AD isn't as easy as flipping a switch. First will need to configure the on-premises AD to allow Office 365 to reset the passwords. Then we all need to configure AD connect to allow users to reset their passwords. Finally, we’ll need to configure Microsoft 365 to allow users to reset their passwords.

License Requirements

If you're configured with a Microsoft 365 cloud-only account, which means you're not using AD Connect to synchronize your on-premises AD to Office 365 then the self-service password reset it's free. If you are synchronizing your on-premises AD to Office 365 then you'll need an Azure AD Premium P1 license. Azure AD P1 licenses or included In Microsoft 365 business premium licensing. 

Configuring on-premises AD to prepare for SSPR

First, will need to give the AD connect account permission to reset users’ passwords. 

1. Log onto the server that has AD Connect installed.

2. Open Azure AD Connect. Click Configure. Click View or export current configuration. Click Next.

View current AD connect settings

3. Take note of the account listed under Synchronized Directories > Account.

MSOL Account

4. Exit the AD Connect wizard.

5. Login onto a server that has Active Directory Users & Computers.

6. Open Active Directory Users and Computers. Click View > Advanced Features
(if there is a checkbox next to Advanced Features then don’t click it.)

Enable Advanced features

7. Right-click the root domain > Properties.

Open AD properties

8. Click the Security tab > Advanced.

Open advanced properties

9. Click Add.

Add permissions in AD

10. Click Select a principal > enter the name of the account you found in step 3 above. Click OK.

Select a principal

11. Click the Applies to drop-down and select Descendant User Objects.

Select Descendant User Objects

12. Click Reset password (located under Permissions).

Reset password permissions

13. Find and check Write lockoutTime.

Write lockoutTime

14. Find and check Write pwdLastSet.

Write pwdLastSet

15. Click OK.

16. Click Add again.

Add permissions in AD

17. Click Select a principal > enter the name of the account you found in step 3 above. Click OK.

Select a principal

18. Click Unexpire password. Click OK until you’ve closed all the windows.

Unexpire password

Configure password writeback in AD Connect

Next, we’ll need to enable password write-back in AD Connect.

1. Logon to the AD Connect server.

2. Double click Azure AD Connect.

3. Click Configure.

4. Click Customize synchronization options. Click Next.

Customize synchronization options

5. Enter your Microsoft 365 global admin credentials. Click Next. If required, re-enter your credentials in the space provided.

AD Connect enter your global admin credentials

6. On the Connect your directories page, click Next.

7. On the Domain and OU filtering page, click Next.

8. On the Optional features page, click Password writeback. Click Next.

Enable password write-back in AD Connect

9. On the Ready to configure page, click Configure.

10. Wait until the configuration is complete. Then click Exit.

Enable SSPR in Microsoft 365

Lastly, we need to enable self-service password reset in Microsoft 365.

1. Open Azure Active Directory admin center and login with a global admin account > Azure Active Directory > Password Reset.

Password reset options in Microsoft 365

2. Click All to enable SSPR for everyone. Click Save.

Enable SSPR

3. Go to on-premises integration. Click Yes under Write back passwords to your on-premises directory. Click Save.

Write-back on-premises integration

Enable combined registration

Enabling combined registration will mean users will only need to register a device once for a multifactor and self-service password reset. Without enabling combined registration users will need to add their cell phone twice. This feature is already enabled in new tenants. 

1. log in to Azure Active Directory admin center with global admin credentials.

2. Go to Azure Active Directory > User Settings > Manage user feature settings.

Microsoft 365 manage user feature settings

3. Click All under Users can use the combined security information registration experience. Click Save.

Microsoft 365 enabled combined features

Set authentication methods and harden security

So now we've configured self-service password reset but how do we harden the security? There is a couple of ways. First, let's jump into the authentication methods.

1. Sign in to Azure Active Directory admin center with a global admin. Then go to Azure Active Directory > Password reset > Authentication methods.

2. If you want to require a user to have 2 methods of authentication when resetting the password click 2.

3. If you want to allow the users to provide answers to security questions or an office phone to authenticate click the checkboxes.

Microsoft 365 password reset authentication methods

4. Click Save.

End-user experience setting up their own authentication methods

Now self-service password reset is enabled for your tenant. How do users configure their own authentication methods? It’s easy.

1. Go to https://portal.office.com

2. Login with their work credentials.

3. On the More information required page click Next.

4. Enter your phone number in the space provided. Click Next.

5. Enter the code that’s texted to you. Click Next.

6. Click Next > Done.

End-user experience resetting their own passwords

In this section, I'll explain the end-user experience for resetting their own passwords. 

1. Go to https://portal.office.com 

2. Click Can’t access your account?

Can't access your account? Microsoft 365

3. Click Work or school account.

Which type of account do you need help with?

4. Enter your username in the space provided. Fill out the CAPTCHA in the space provided. Click Next.

Get back into your account

5. Enter your phone number in the space provided. Click Text.

Get back into your account text message

6. Enter the code texted to you. Click Next.

Enter the code texted to you

7. Enter your new password twice. Click Finish.

Choose a new password in SSPR for Microsoft 365

There are a few more settings that can be changed in https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/ so be sure to take a look.