Every time a user wants to reset their password, they must send a password reset request to the company’s help desk. Since this is a time-consuming and inefficient approach, it is inconvenient for the users and support team to continue with the process. Now, it’s time to allow users to opt for self-service password resets in Office 365.
Self-service password reset allows end users to set up their own authentication methods and use them when they want to reset their passwords. Users then don’t need to approach the help desk, which reduces the password change request traffic in Microsoft 365. However, self-service password reset is always enabled for admins by default, and they can use any two authentication methods. This blog will show you how to enable, configure, and test Microsoft’s Entra ID Self-Service Password Reset (SSPR) service.
Pre-requisites to Configure Self-Service Password Reset in Entra ID
Before diving deep into the topic, you must know the prerequisites to configure a self-service password reset in your organization.
- Basic SSPR features are available in Microsoft 365 Business Standard or higher and all Microsoft Entra ID P1 or P2 SKUs at no cost.
- A global administrator account to enable SSPR.
- A non-administrator to test SSPR.
Note – Let’s understand the difference between password change and password reset.
Password Change – When you remember the old password and want to change it.
Password Reset – When you forget the old password and use the other verification methods to confirm your identity and change the password.
Configure Self-Service Password Reset in Microsoft 365
Let’s take a look at how to configure the self-service password reset for Microsoft 365 users in Entra ID.
- Enable self-service password reset for Microsoft 365 users
- Set up authentication methods for the users and do registration
- Set up notifications and customizations
Note: Microsoft offers several built-in password configurations to enhance password security and minimize the attack surface. Adopt these settings to safeguard your organization’s data from potential threats.
Enable Self-Service Password Reset For Microsoft 365 Users
Perform the following steps to set up SSPR for the users in your organization.
Configure Self-Service Password Reset Via Entra ID:
- Sign in to the Entra ID portal with a global admin account.
- Navigate to Entra ID –> Password Reset –> Properties.
- Enable SSPR for ‘Selected/All’ groups based on your needs. You can enable self-service password reset only for specific groups in the Entra ID portal.
Configure Self-Service Password Reset Via Microsoft Admin Center:
- Sign in to the Microsoft 365 admin center with a global admin account.
- Choose ‘Setup’ from the left pane and select ‘Let users reset their own passwords’ under Sign-in and security.
- If you have not configured it yet, click on ‘Get started’. Soon you will be redirected to the Entra portal. Follow the steps provided for enabling SSPR via Entra ID.
Set up Authentication Method and Registration Configuration for the Users
Self-Service Password Reset Authentication Methods:
When users attempt to reset their password, Microsoft will require them to prove their identity using other verification methods. Let’s see how to configure SSPR authentication methods in Entra ID.
- Select ‘Authentication methods’ under password reset.
- Choose the Number of methods required to reset the password.
- Choose any of the authentication Methods available to users such as email, MS authenticator app, etc.
- Choose how many security questions users must answer during Password setup and reset.
- Click Save after selecting the security questions.
Self-Service Password Reset Registration:
Under Registration, admins can specify whether users must register their authentication methods or not. It is up to the admins to specify the authentication methods users may use to register.
- Select ‘Yes’ if registration is required. Unregistered users get prompted to register their authentication information during their first sign-in.
- If the registration is set to ‘No’, admins have to manually instruct the users to register authentication information directly from the registration portal URL.
- Set the number of days (which must be between 0 and 730) before users are asked to re-confirm their authentication information.
- Click Save.
Set Up Notification and Customization Settings
Enable Password Reset Notifications:
You can configure settings to notify users and all admins whenever a password reset event occurs. After you enable a self-service password reset policy for users in Entra ID, you can confirm it from the notification icon, where you will be notified with ‘Password reset policy saved’.
- Click on ‘Notifications’ from the left pane of the Password reset page.
- Select the check boxes to notify users on password resets and to notify all admins, based on your needs.
- Click Save.
Customize Helpdesk Contact Information:
Instead of directing users to the service admin, you can add a custom email address that users can use to contact any of the admins, who will guide them through this process.
- Navigate to ‘Password Reset’ –> Customization.
- Select the check box to Customize helpdesk link.
- Under Customize Helpdesk Link, add a valid email address or URL that users can use to report their issues. For example, jack@contoso.com.
- Click Save.
How Does SSPR Validation Work Behind the Scenes?
When a user accesses the SSPR portal, they enter their user ID and complete a captcha. Microsoft Entra ID then performs several essential checks to ensure secure password reset:
- Verifies that SSPR is enabled for the user. If not, the user is advised to contact their admin to reset the password manually.
- Entra checks that the user has enrolled the required number of authentication methods based on your policy:
  - If only one method is required, the user must have at least one valid method.
  - If two methods are required, the user needs two configured.
  If the user hasn’t configured enough methods, they’re prompted to contact their admin for password reset.
- Users assigned an Azure administrator role must meet the “strong two-gate password” policy.
Once all eligibility and configuration checks are passed, the user is guided through the usual reset/change workflow.
What Causes “Insufficient Authentication Methods” Errors During Password Reset?
The SSPR process will fail in two cases:
- No authentication methods have been registered.
- The user registered a method that isn’t allowed by policy. For example, if the policy requires the Microsoft Authenticator app but the user registers only a phone number, the method will be treated as insufficient.
The error message in this case looks like: User’s account has insufficient authentication methods defined. Add authentication info to resolve this.
This message doesn’t just mean the user hasn’t registered enough methods. It can also mean the wrong type of method was used. To avoid such issues, ensure users register their methods during first login or through the registration portal, and that they select options allowed by your SSPR policy.
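The checks described in the two sections above can be modeled in PowerShell to see which accounts would be stopped before a reset is ever attempted. This is an added example, not Microsoft’s implementation or code from the original post: the policy object, group name, user records and method labels are constructed for illustration, and the admin rule is simplified to “any two methods” as stated earlier.

```powershell
# Added example: models the SSPR checks described above on constructed data.
# Group, user and method names are illustrative labels, not Entra ID identifiers.
$Policy = [pscustomobject]@{
    EnabledScope    = 'Selected'             # 'All', 'Selected' or 'None'
    EnabledGroups   = @('SSPR-Pilot')        # hypothetical group
    MethodsRequired = 1                      # number of methods required to reset
    AllowedMethods  = @('AuthenticatorApp')  # methods available to users
}

function Test-SsprEligibility {
    param([Parameter(Mandatory)] $User, [Parameter(Mandatory)] $Policy)

    $registered = @($User.RegisteredMethods | Where-Object { $_ })
    if ($User.IsAdmin) {
        # Admins are always enabled and need two methods of any type (simplified).
        $required = 2
        $usable   = $registered
    } else {
        $inGroup = @($User.Groups | Where-Object { $_ -in $Policy.EnabledGroups }).Count -gt 0
        $enabled = $Policy.EnabledScope -eq 'All' -or
                   ($Policy.EnabledScope -eq 'Selected' -and $inGroup)
        if (-not $enabled) {
            return [pscustomobject]@{ User = $User.Name; Eligible = $false
                Reason = 'SSPR not enabled for this user: contact admin' }
        }
        $required = $Policy.MethodsRequired
        # Only methods the policy allows count toward the requirement.
        $usable   = @($registered | Where-Object { $_ -in $Policy.AllowedMethods })
    }

    if ($usable.Count -lt $required) {
        $ignored = @($registered | Where-Object { $_ -notin $usable }) -join ', '
        if (-not $ignored) { $ignored = 'none' }
        return [pscustomobject]@{ User = $User.Name; Eligible = $false
            Reason = "Insufficient authentication methods: $($usable.Count) of $required usable, not allowed: $ignored" }
    }
    [pscustomobject]@{ User = $User.Name; Eligible = $true; Reason = 'Continues to reset workflow' }
}

# Constructed test accounts covering each outcome.
$Users = @(
    [pscustomobject]@{ Name = 'alice'; IsAdmin = $false; Groups = @('SSPR-Pilot'); RegisteredMethods = @('AuthenticatorApp') }
    [pscustomobject]@{ Name = 'bob';   IsAdmin = $false; Groups = @('SSPR-Pilot'); RegisteredMethods = @('Phone') }
    [pscustomobject]@{ Name = 'carol'; IsAdmin = $false; Groups = @();             RegisteredMethods = @('AuthenticatorApp') }
    [pscustomobject]@{ Name = 'dave';  IsAdmin = $false; Groups = @('SSPR-Pilot'); RegisteredMethods = @() }
    [pscustomobject]@{ Name = 'erin';  IsAdmin = $true;  Groups = @();             RegisteredMethods = @('Phone', 'Email') }
)
$Users | ForEach-Object { Test-SsprEligibility -User $_ -Policy $Policy } | Format-Table -AutoSize -Wrap
```

The row for bob reproduces the article’s own case: a phone number is registered, but because the policy allows only the authenticator app, the account counts as having zero usable methods.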
Test Self Service Password Reset with a Non-Administrator Account
Once you have set up SSPR, you can test the SSPR with a non-administrator account that is enabled with SSPR. Perform the following steps to test SSPR with a user account.
- To complete the registration process, go to the link https://aka.ms/ssprsetup.
- Log in with a user account for which SSPR is specified, and specify your contact information, such as the phone number or email address.
- Once this is done, open https://aka.ms/sspr.
- Enter your account information and the given captcha, and then select Next.
- You will now be prompted to verify your email or phone number or whatever authentication method you have specified.
- After the verification, you will be prompted to reset your password. Specify the new password to reset the old password.
Conclusion
Thus, Self-Service Password Reset is an extremely useful feature that allows users to reset their passwords on their own without contacting the help desk. SSPR is simple to set up and implement, which makes it a go-to feature for IT admins to increase productivity. Moreover, the organization can prevent password-related issues by allowing users to change their passwords thereby reducing the service support calls. To be precise, enabling self-service password reset is a powerful enhancement to your workplace! Furthermore, admins can export SSPR status using PowerShell.
If you’re not satisfied with setting up self-service password reset for users, you can still rely on help desk services with security in place. In this case, you should remind users to change their passwords before they expire to prevent any service disruptions. Additionally, you can use the Face Check feature in Entra ID to ask users to share their real-time image, which can be compared with their verified ID for high-assurance verification. Make a wise decision that satisfies your needs!