Self-service password reset (SSPR) is a feature that lets users reset their own passwords without the help of an IT administrator. This reduces the workload of your IT support team and improves user productivity by minimizing downtime caused by forgotten passwords. Within the scope of the AZ-104 Microsoft Azure Administrator syllabus, it is essential to understand how to configure self-service password reset in Azure Active Directory.
Understanding Azure AD Self-Service Password Reset
Self-service password reset in Azure Active Directory lets you, as an administrator, allow users to reset their own passwords. The reset is processed securely and in compliance with your organization’s policies. Before any password change takes place, users must provide additional verification through one or more methods, such as their phone number, email, or the Microsoft Authenticator app.
Before moving on to configuration, here’s an essential distinction in SSPR options: Password Reset and Password Change.
- Password Reset: This action is typically used when the user has forgotten their password or their password isn’t working. The user needs the ability to verify their identity using Azure AD, which then allows the user to select a new password.
- Password Change: This action is used when the user knows their password, but they want to change it, usually through a password settings page. A common scenario includes a user who knows their current password and wants to change it to something different.
How to Configure Self-Service Password Reset
Here are the steps you need to perform to configure SSPR in Azure AD:
- Enable Self-Service Password Reset: Sign in to the Azure portal as a global administrator, and then, in the portal’s left navigation pane, select Azure Active Directory. Under Manage, select Password reset. On the Properties page, under Self Service Password Reset, select All and then click Save.
- Configure Authentication Methods: Still on the Password reset page, select Authentication methods. Then choose the number of methods required to reset, and select the method options allowed. The options include Email, Mobile app code, Mobile app notification, and Office phone. Once finished, click Save.
- Configure Registration: On the Password reset page, select Registration. Here, you can require users to reconfirm their authentication information periodically. The interval can be 1, 3, 6, or 12 months, or never. After that, click Save.
- Notifications and Customizations: The final steps in the configuration process involve enabling or disabling notifications to users about password changes or resets, customizing the helpdesk email or URL, and configuring on-premises integration if required.
Once you’ve completed this configuration process, notify your users to register for SSPR. They can do this by signing in to the access panel with their work or school account, selecting the profile editing icon at the top right of the portal page, and then selecting Profile. Under Manage account, users would select Additional security verification, and then Update your phone numbers used for account security. Here, they’ll be able to add or change their verification methods.
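As an added example (not part of the original guide and not Microsoft's own tooling), the Python code below checks which users could actually complete a reset under the settings chosen in the steps above. It assumes rows exported in the shape of Microsoft Graph's userRegistrationDetails report; the sample users, the method-name strings, and the POLICY values are constructed for illustration.

```python
import json

# Constructed sample rows, shaped like Microsoft Graph's userRegistrationDetails
# report. Users and method-name strings are invented for illustration.
SAMPLE_REPORT = json.loads("""[
  {"userPrincipalName": "alice@contoso.example", "isSsprEnabled": true,
   "isSsprRegistered": true, "methodsRegistered": ["email", "appCode"]},
  {"userPrincipalName": "bob@contoso.example", "isSsprEnabled": true,
   "isSsprRegistered": false, "methodsRegistered": []},
  {"userPrincipalName": "carol@contoso.example", "isSsprEnabled": true,
   "isSsprRegistered": true, "methodsRegistered": ["email", "mobilePhone"]},
  {"userPrincipalName": "dave@contoso.example", "isSsprEnabled": false,
   "isSsprRegistered": false, "methodsRegistered": null}
]""")

# Assumed policy mirroring the portal settings: two methods required, and only
# Email, Mobile app code, Mobile app notification and Office phone allowed.
POLICY = {
    "methods_required": 2,
    "allowed_methods": {"email", "appCode", "appNotification", "officePhone"},
}


def sspr_readiness(report, policy):
    """Group users by whether they could complete a self-service reset."""
    groups = {"ready": [], "not_registered": [],
              "too_few_methods": [], "out_of_scope": []}
    for row in report:
        upn = row["userPrincipalName"]
        if not row.get("isSsprEnabled"):
            groups["out_of_scope"].append(upn)   # SSPR not enabled for user
            continue
        # Only methods the policy still allows count toward the requirement.
        usable = set(row.get("methodsRegistered") or []) & policy["allowed_methods"]
        if not row.get("isSsprRegistered"):
            groups["not_registered"].append(upn)
        elif len(usable) < policy["methods_required"]:
            groups["too_few_methods"].append(upn)
        else:
            groups["ready"].append(upn)
    return groups


if __name__ == "__main__":
    for status, users in sspr_readiness(SAMPLE_REPORT, POLICY).items():
        print(f"{status}: {', '.join(users) or '-'}")
```

In the sample data, carol is registered but one of her two methods is not in the allowed set, so she would fail a reset that requires two methods, while bob still needs to register.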
In conclusion, configuring self-service password reset in Azure Active Directory is an important task for any Azure administrator who wants to provide a secure and efficient environment for all users. It involves enabling the SSPR feature, setting up authentication methods, enforcing registration policies, and customizing notifications and helpdesk info. This feature minimizes service disruption from forgotten passwords and empowers users to manage their own accounts securely.
Practice Test
True or False: Self-service password reset allows a user to reset their own password without admin assistance.
- Answer: True
Explanation: Self-service password reset enables users to easily reset their passwords without needing admin assistance, improving productivity and reducing help desk costs.
Which of the following is not a prerequisite for setting up a self-service password reset in Azure AD?
- a) Password Writeback option should be enabled.
- b) User account must be a member of an Azure AD group.
- c) Azure AD premium license should be available.
- d) Azure AD password protection must be disabled.
Answer: d) Azure AD password protection must be disabled.
Explanation: Azure AD password protection is not a prerequisite for setting up a self-service password reset. The other options are all required prerequisites.
True or False: To configure the self-service password reset in Azure AD, you must enable Password Writeback.
- Answer: False
Explanation: Enabling Password Writeback is optional. It allows passwords reset using Azure AD to be written back to an on-premises directory.
Which of the following options should be enabled to let Azure AD users reset their password from the Windows login screen?
- a) Allow users to unlock accounts without resetting their password.
- b) Enable Password Writeback.
- c) None.
- d) Both a and b.
Answer: b) Enable Password Writeback.
Explanation: Enabling the Password Writeback option allows users to reset their password from the Windows login screen.
True or False: It is possible to disable the self-service password reset for a particular group of users.
- Answer: True
Explanation: It is possible to disable self-service password reset for a particular group of users by creating a group and blocking the self-service password reset for the group.
To fully leverage the SSPR capability, users are required to _____________.
- a) Register for SSPR.
- b) Connect with IT helpdesk.
- c) Enable Multi-Factor Authentication.
- d) None of the above.
Answer: a) Register for SSPR.
Explanation: For users to use the Self-Service Password Reset feature, they first need to register for SSPR.
True or False: Self-service password reset in Azure allows users to both reset their passwords and unlock their accounts.
- Answer: True
Explanation: Self-service password reset provides users with the ability to both reset a forgotten password and unlock a locked-out account.
Which audit log provides information about password reset activity with detail and timeline?
- a) Sign-in log
- b) Self-service password reset activity report
- c) Audit log reports
- d) Directory audit logs
Answer: b) Self-service password reset activity report
Explanation: Self-service password reset activity report provides all the detailed information about the password reset activity.
True or False: License requirements for Azure AD self-service password reset apply to both cloud-only and hybrid environments.
- Answer: True
Explanation: An available Azure AD Premium or Basic license is required for each unique user that is enabled for self-service password reset. This applies to both cloud-only and hybrid environments.
After setting up self-service password reset in Azure AD, you must _____________.
- a) Restart the Azure service
- b) Set up replication
- c) Perform registration for users
- d) Disable the old password reset option.
Answer: c) Perform registration for users
Explanation: After self-service password reset is enabled, users need to register their authentication data, or you need to do it for them using the administrator control. This is necessary for users to actually be able to use the self-service password reset feature.
Interview Questions
What is Azure AD self-service password reset (SSPR)?
Azure AD self-service password reset (SSPR) is a feature that enables users to reset their passwords or unlock their accounts without administrator intervention.
Which authentication methods can be used with Azure AD self-service password reset?
You can use the following authentication methods with Azure AD self-service password reset: Email, Mobile app notification, Mobile app code, Office phone, Mobile phone, and Security questions.
What types of licenses are needed for Azure AD self-service password reset?
Any of the following licenses are needed: Azure AD Free, Office 365, or Azure AD Premium (P1 or P2).
Which users won’t be prompted for additional authentication information when they try to change their password using Azure AD SSPR?
Users who are registered for Azure AD Multi-Factor Authentication won’t be prompted for additional authentication information.
How can an admin enable or disable self-service password reset (SSPR) for a specific user in Azure AD?
An admin cannot enable or disable SSPR for a specific user in Azure AD. SSPR is configured at the tenant level, not the user level.
What is the SSPR registration policy?
The SSPR registration policy determines whether users are required to register when signing in, or may register at a later time.
Can administrators apply SSPR only to a few users in their organization?
No, SSPR is applied at the tenant level and affects all users in the organization. However, administrators can define a custom banned password list that applies to a subset of users.
Is there any notification or alert when a user uses the SSPR service?
Yes, administrators can set up an alert to be notified when a user performs a password reset or account unlock.
Can a user change their password on a device that is not joined to Azure AD?
Yes, a user can change their password on a device that is not joined to Azure AD. The user doesn’t need to be signed into their device to use the SSPR portal.
How does an end user end up locked out of their account in the first place in Azure AD?
They are locked out of their accounts after multiple consecutive failed sign-in attempts, due to the Azure AD smart lockout policy.
How can admins verify if a user can change their password using self-service password reset?
Admins can verify this by using the “What If” tool in the Azure portal. This tool can simulate password resets and account unlocks.
What happens when the SSPR service is disabled in Azure AD?
When SSPR is disabled, users are unable to change their passwords or unlock their accounts using the self-service portal. They would need to contact their administrator to reset their password or unlock their account.
Are there any reports available for tracking the use of SSPR?
Yes, Azure AD provides reports that show how many users have registered for SSPR, how many password resets have been performed, and other SSPR activity.
What is the purpose of the “Require users to register when signing in” option in SSPR configuration?
When this option is selected, users are prompted to register the next time they sign in, which helps ensure they are registered and ready to use SSPR if they forget their password or lock their account.
What security measures are in place to prevent abuse of the SSPR feature?
Azure AD SSPR employs a number of security measures such as requiring strong authentication, an audit log of password reset activities, and notifications of password resets.