How to Implement Self-Service Password Reset (SSPR) in Microsoft Entra ID
Managing password reset requests is one of the biggest burdens on IT helpdesks. Self-Service Password Reset (SSPR) allows users to reset or unlock their own passwords securely without calling IT.
When SSPR is not enabled:
- User clicks Forgot password
- User is prompted for verification
- An error is displayed saying the user cannot reset their password and must contact the helpdesk/administrator
- User contacts the helpdesk
- Helpdesk verifies the user, resets the password either in Entra ID (cloud-only) or in on-prem AD (hybrid), and sets the option to require the user to change the password at next sign-in
When SSPR is enabled:
- User goes to the password reset portal (or clicks Forgot password).
- User verifies identity using configured methods (MFA, phone, authenticator, etc.)
- User resets password
- Password is updated in Entra ID (Cloud only), and password is written back to on-prem Active Directory (in case of hybrid and when password writeback is enabled).
Step 1: Prerequisites for Enabling SSPR
1. Licensing Requirements
| Scenario | License Needed |
|---|---|
| Cloud-only users | Microsoft Entra ID Free |
| Hybrid users (on-prem AD synced) | Microsoft Entra ID P1 or P2 |
| Writeback to on-prem AD | Microsoft Entra ID P1 or P2 |
Password writeback is required if users have accounts in on-premises Active Directory.
2. User Authentication Data
Before users can reset passwords, they must register:
- Mobile phone number
- Alternate email
- Microsoft Authenticator app
You can force registration (recommended).
Step 2: Enable SSPR
- Go to https://entra.microsoft.com
- Sign in using an account with at least Authentication Policy Administrator role
- Protection > Password reset > Properties
- Enable SSPR and choose a pilot group that is allowed to use SSPR.
Best Practice: Start with a pilot group
Step 3: Configure Authentication Methods
When users need to unlock their account or reset their password, they’re prompted for an authentication method to verify themselves. You can choose which authentication methods to allow in the authentication methods policy. If a user has registered an authentication method in their profile and that method is supported for SSPR, they can use it to reset their password.
- Password Reset > Authentication Methods
- Set the number of required methods to 2
- To select which methods to use for authentication go to Authentication Methods > Policies
As you can see, I have Authenticator, SMS and Email OTP enabled for all users, so a user who is enabled for SSPR can use any of these methods to reset their password.
Avoid security questions unless absolutely required. Security questions for now can only be enabled for SSPR from Password Reset > Authentication Methods and not from the converged authentication methods policy. A strong, two-method authentication policy is always applied to accounts with an administrator role, regardless of your configuration for other users. The security-question method isn’t available to accounts associated with an administrator role.
- Behavior when SSPR is successfully enabled:
If you have set the number of required methods for SSPR to 2 and the user has not registered a second authentication method, they will be unable to reset their password (see below). This can be avoided by requiring users to register when signing in, using the Registration policy under Password reset, or an admin can manually add authentication information for the user.
- Behavior when user does not have the required authentication methods registered:
Step 4: Configure Registration Settings
Force users to register authentication info.
- Navigate to Password Reset > Registration
- Enable Require registration at sign-in
- Set the value for Number of days before users are asked to re-confirm their authentication information
This is the period before registered users are prompted to re-confirm that their existing authentication information is still valid, up to a maximum of 730 days. If set to 0 days, registered users are never prompted to re-confirm. The default is 180 days.
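Before widening the rollout beyond the pilot group, it helps to know which pilot users would still hit the "not enough methods registered" error described in Step 3. The following Microsoft Graph PowerShell script is an added example (not from the original post) that lists every pilot-group member with fewer usable SSPR methods than the policy requires; the group name is a placeholder, and the list of method names that count toward SSPR is an assumption based on the methods chosen above (Authenticator, SMS, Email OTP).

```powershell
# Added example: report SSPR readiness of the pilot group.
# Requires the Microsoft.Graph PowerShell SDK (Groups + Reports modules).
Connect-MgGraph -Scopes 'GroupMember.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

$PilotGroupName  = 'SSPR-Pilot'   # placeholder: display name of your pilot group
$RequiredMethods = 2              # must match "number of methods required to reset"

# Registered-method names (as reported by Graph) that count toward an SSPR reset.
# Assumption: matches a policy allowing Authenticator (push or TOTP), SMS and Email OTP.
$SsprMethods = @('microsoftAuthenticatorPush','softwareOneTimePasscode',
                 'mobilePhone','alternateMobilePhone','email')

$group = Get-MgGroup -Filter "displayName eq '$PilotGroupName'" -Top 1
if (-not $group) { throw "Pilot group '$PilotGroupName' not found" }
$memberIds = @((Get-MgGroupMember -GroupId $group.Id -All).Id)

# One row per user: IsSsprEnabled, IsSsprCapable, MethodsRegistered, IsAdmin, ...
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$rows = foreach ($r in ($report | Where-Object { $memberIds -contains $_.Id })) {
    $usable = @($r.MethodsRegistered | Where-Object { $SsprMethods -contains $_ })
    $status = if ($usable.Count -ge $RequiredMethods) { 'Ready' }
              elseif ($usable.Count -eq 0)           { 'Nothing registered' }
              else { "Needs $($RequiredMethods - $usable.Count) more method(s)" }
    [pscustomobject]@{
        User          = $r.UserPrincipalName
        IsAdmin       = $r.IsAdmin          # admins always need 2 methods, see Step 3
        SsprEnabled   = $r.IsSsprEnabled    # in scope of the SSPR policy (pilot group)
        SsprCapable   = $r.IsSsprCapable    # Graph's own verdict, for cross-checking
        UsableMethods = ($usable -join ', ')
        Status        = $status
    }
}

# Users who are not "Ready" are the ones who would be turned away at reset time.
$rows | Sort-Object Status, User | Format-Table -AutoSize
```

Run it again after enabling "Require registration at sign-in" and the Status column should drift to Ready as users complete registration.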
Step 5: Enable Notifications
To keep users informed about account activity, you can set up Microsoft Entra ID to send email notifications when an SSPR event happens. This helps detect unauthorized activity.
- Go to Password Reset > Notifications
- Turn on Notify users on password resets? so that users receive an email at their primary and alternate email addresses when their own password has been reset via the Self-Service Password Reset portal
- Turn on Notify all admins when other admins reset their password? so that global administrators receive an email at their primary email address when other administrators reset their own passwords via the Self-Service Password Reset portal
Step 6: Customize User Experience
If users need more help with the SSPR process, you can customize the “Contact your administrator” link. Users can select this link during SSPR registration and when they unlock their account or reset their password.
- Go to Password Reset > Customization
- Turn On Customize helpdesk link
- Provide a link to an article or form or an email address
Step 7: Enable Password Writeback for SSPR (Hybrid Only)
If users exist in on-prem AD, you will need to enable password writeback to keep passwords in sync. Depending on whether you use Entra Cloud Sync or Entra Connect, follow one of the two options below:
Option 1: When Using Entra Connect Sync
To enable SSPR writeback, first enable the writeback option in Microsoft Entra Connect. From your Microsoft Entra Connect server, complete the following steps:
- Log in to the server where Entra Connect is installed and run the Entra Connect configuration wizard.
- Select Configure > Customize synchronization options, and then select Next.
- Authenticate using at least a Hybrid Administrator credential.
- On the Connect directories and Domain/OU filtering pages, select Next.
- On the Optional features page, select the box next to Password writeback and select Next.
- On the Directory extensions page, select Next.
- On the Ready to configure page, select Configure and wait for the process to finish > Exit.
Now you also need to enable password writeback for SSPR from the Entra portal:
- Go to Password reset, then choose On-premises integration.
- Check the option for Enable password write back for synced users.
- (optional) If Microsoft Entra Connect provisioning agents are detected, you can additionally check the option for Write back passwords with Microsoft Entra Connect cloud sync.
- (optional) Set Allow users to unlock accounts without resetting their password to Yes
Option 2: Using Entra Cloud Sync
- Go to Password reset, then choose On-premises integration.
- Check the option for Enable password write back for synced users.
- Check the option for Write back passwords with Microsoft Entra Connect cloud sync.
- (optional) Set Allow users to unlock accounts without resetting their password to Yes
Security Considerations
- Prefer Authenticator app
- Require 2 methods
- Avoid email-only setups
- SSPR works best when paired with Multi-Factor Authentication (MFA).
- Block risky locations using Conditional Access
- Require MFA for password reset using Conditional Access
- Restrict legacy authentication using Conditional Access
- Monitor Audit Logs → Password reset events
- Monitor Sign-in logs → Suspicious activity
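The two monitoring items above are easy to forget once SSPR is live. The script below is an added example (not from the original post) that pulls the last seven days of self-service reset and unlock events from the Entra audit log and flags accounts with repeated failures or more than one successful reset; the service and activity names are the ones Entra emits for SSPR but should be checked against your own tenant's log, and the thresholds are arbitrary starting points.

```powershell
# Added example: weekly review of SSPR audit events.
# Requires the Microsoft.Graph.Reports module and the AuditLog.Read.All permission.
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

$since            = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$FailureThreshold = 3   # arbitrary: failed attempts per account worth a look
$SsprActivities   = @('Reset password (self-service)', 'Unlock user account (self-service)')

# Narrow server-side by date and category, then keep only events logged by the SSPR
# service. Assumption: SSPR events arrive under category UserManagement with
# LoggedByService 'Self-service Password Management' (verify in your tenant).
$events = Get-MgAuditLogDirectoryAudit -All `
            -Filter "activityDateTime ge $since and category eq 'UserManagement'" |
          Where-Object { $_.LoggedByService -eq 'Self-service Password Management' -and
                         $_.ActivityDisplayName -in $SsprActivities }

# The account being reset is the first target resource; group the events per account.
$findings = foreach ($g in ($events | Group-Object { $_.TargetResources[0].UserPrincipalName })) {
    $failures  = @($g.Group | Where-Object { $_.Result -eq 'failure' }).Count
    $successes = @($g.Group | Where-Object { $_.Result -eq 'success' }).Count
    $flags = @()
    if ($failures  -ge $FailureThreshold) { $flags += "$failures failed attempts" }
    if ($successes -gt 1)                 { $flags += "$successes successful resets in 7 days" }
    if ($flags.Count -eq 0) { continue }

    $last = $g.Group | Sort-Object ActivityDateTime | Select-Object -Last 1
    [pscustomobject]@{
        User       = $g.Name
        Failures   = $failures
        Successes  = $successes
        LastEvent  = $last.ActivityDateTime
        LastResult = "$($last.ActivityDisplayName): $($last.Result) $($last.ResultReason)"
        Flags      = ($flags -join '; ')
    }
}

# Flagged accounts are candidates to correlate with the sign-in log (the second item above).
$findings | Sort-Object Failures -Descending | Format-Table -AutoSize
```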
Common Mistakes to Avoid
❌ Enabling SSPR without user training
❌ Allowing only 1 authentication method
❌ Forgetting password writeback
❌ Enabling for all users without pilot testing
❌ Using weak methods like security questions only
Best Practices Summary
✔ Start with a pilot group
✔ Require 2 authentication methods
✔ Prefer Authenticator app
✔ Enable notifications
✔ Pair with MFA and Conditional Access
✔ Educate users with screenshots or short guides