Reduce Help Desk Calls by Enabling Self-Service Password Reset

Every time a user wants to reset their password, they must send a password reset request to the company’s help desk. Since this is a time-consuming and inefficient approach, it is inconvenient for the users and support team to continue with the process. Now, it’s time to allow users to opt for self-service password resets in Office 365.

Self-Service password resets allow end users to set up their authentication methods when they want to reset their passwords. By doing so, users don’t need to approach the help desk thereby reducing the password change request traffic in Microsoft 365. However, admins are always enabled with Self-service password resets by default and they can use any two authentication methods. This blog will show you how to enable, configure, and test Microsoft’s Azure AD Self-Service Password Reset (SSPR) service.

Before diving deep into the topic, you must know the prerequisites to configure a self-service password reset in your organization.

• An active tenant with an Azure AD free or trial license is required. In the Azure AD free license, self-service password reset works only for cloud users. However, only the password change is supported, not the password reset.
• A global administrator account to enable SSPR.
• A non-administrator to test SSPR.

Note – Let’s understand the difference between password change and password reset.

Password Change – When you remember the old password and want to change it.
Password Reset – When you forget the old password and use the other verification methods to confirm your identity and change the password.

Let’s take a look at how to configure the self-service password reset for Office 365 users using Azure AD.

• Enable Office 365 Self-Service Password Reset (SSPR) for Office 365 users.
• Set up authentication methods for the users and do registration.
• Set up Notifications and Customizations.
• Test Self-Service Password Reset with the user account.

Perform the following steps to set up SSPR for the users in your organization.

Via Azure AD:

• Sign in to Azure AD portal with a global admin account.
• Navigate to Azure Active Directory –> Password Reset –> Properties.
• Enable SSPR for ‘Selected/All’ groups based on your needs. You can enable self-service password reset only for one Azure AD group in the Azure portal.

Via Admin Center:

• Sign in to Office 365 admin center with a global admin account.
• Choose ‘Setup’ from the left pane and select ‘Let users reset their own passwords’ under Sign-in and security.
• If you have not configured it yet, click on ‘Get started’. Soon you will be redirected to the Azure portal. Follow the steps provided for enabling SSPR via Azure AD.

Self-Service Password Reset Authentication Methods:

When users attempt to reset their password, Microsoft will require them to prove their identity using other verification methods. Let’s see how to configure SSPR authentication methods.

• Select ‘Authentication Methods’ under password reset.
• Choose the number of methods required to reset the password.
• Choose any of the given authentication methods such as email, MS authenticator app, etc.

Self-Service Password Reset Registration:

Under Registration, admins can specify whether users must register their authentication methods or not. It is up to the admins to specify the authentication methods users may use to register.

• Select ‘Yes’ if registration is required. Unregistered users get prompted to register their authentication information during their first sign-in.
• If the registration is set to ‘No’, admins have to manually instruct the users to register authentication information directly from the registration portal URL.
• Set the number of days (which must be between 0 and 730) before users are asked to re-confirm their authentication information.
• Users can also view their registered authentication methods under ‘Security info’ which can be modified or deleted as per their needs.

Notification:

• You can configure settings to notify any users and all the admins whenever a password reset event occurs. Enabling a self-service password reset policy for users in Azure AD can be checked from the notification icon where you will get notified as ‘Password rest policy saved’.
• Click on ‘Notifications’ from the left pane.
• You can choose ‘Yes’ or ‘No’ to notify any users and all the admins based on your needs.

Customization:

Instead of contacting the service admin, you can add a custom email address that users can use to contact any of the admins, which will guide them through this process.

• Navigate to ‘Password Reset’ –> Customization
• Under Customize Helpdesk Link, select Yes and add a valid link or URL to which users can email their issues. For example, jack@contoso.com.

Once you have set up SSPR, you can test the SSPR with a non-administrator account that is enabled with SSPR. Perform the following steps to test SSPR with a user account.

• To complete the registration process, go to the link https://aka.ms/ssprsetup.
• Log in with a user account for which SSPR is specified, and specify your contact information, such as the phone number or email address.
• Once this is done, open https://aka.ms/sspr.
• Enter your account information, given captcha, and then select Next.
• You will now be prompted to verify your email or phone number or whatever authentication method you have specified.
• After the verification, you will be prompted to reset your password. Specify the new password to reset the old password.

Thus, Self-Service Password Reset is an extremely useful feature that allows users to reset their passwords on their own without contacting the help desk. SSPR is simple to set up and implement, which makes it a go-to feature for IT admins to increase productivity. Moreover, the organization can prevent password-related issues by allowing users to change their passwords thereby reducing the service support calls. To be precise, enabling self-service password reset is a powerful enhancement to your workplace! Furthermore, admins can export SSPR status using PowerShell.

If you’re not satisfied with setting self-service password resets for the user, you can still rely on help desk services with the security in place. Yes, you can use the Face Check feature in Entra ID to ask users to share their real-time image, which can be compared with their verified ID for high-assurance verification. Take a wise decision that satisfy your needs!