How to enable Self Service Password Reset Portal – Part 1
Microsoft Azure Self Service Password Reset (SSPR) lets users reset or change their password, or unlock their account, without calling the Service Desk. The SSPR portal is reachable from any location and device, and it keeps the user experience simple without sacrificing security. I am going to explain best practices for enabling the SSPR portal based on my field experience. If you have one of the following environments, your organization can benefit from SSPR.
- Hybrid identity users (on-premises Active Directory users are synchronized to Azure Active Directory via the Azure AD Connect tool)
This is the most common scenario: the new password is written back to on-prem Active Directory via the Azure AD Connect tool.
If you work in a large organization with strict password-change and account-lockout policies in on-prem AD, managing password requests from end users whose password has expired or whose account is locked can be a challenge. Your Service Desk/Help Desk may receive a lot of calls, which increases your resource cost, and users lose productivity while they wait for the Service Desk. This is especially true if you have organizations in multiple countries and time zones.
- Cloud-only users (the new password is stored in Azure AD)
In this scenario the user accounts live in Azure AD and there is no integration with on-prem AD. Users can use SSPR and change their password from anywhere.
Note: For synchronized users with Password Hash Synchronization (PHS) disabled, SSPR writes the new password to the on-prem Active Directory only.
License requirements for SSPR:
Feature | Azure AD Free | Microsoft 365 Business Standard | Microsoft 365 Business Premium | Azure AD Premium P1 or P2 |
---|---|---|---|---|
Cloud-only user password change: a user in Azure AD knows their password and wants to change it to something new. | ● | ● | ● | ● |
Cloud-only user password reset: a user in Azure AD has forgotten their password and needs to reset it. | | ● | ● | ● |
Hybrid user password change or reset with on-prem writeback: a user in Azure AD that is synchronized from an on-premises directory using Azure AD Connect wants to change or reset their password and also write the new password back to on-prem. | | | ● | ● |
More details: License self-service password reset – Azure Active Directory – Microsoft Entra | Microsoft Docs
In this post we will discuss the topics below:
- Enabling the password writeback feature in the Azure AD Connect tool
- Configuring the Self Service Password Reset portal: registration, notifications, on-premises integration, and combined registration for SSPR and MFA
- User registration and usage experience
What is the password writeback feature?
Password writeback is a feature of Azure AD Connect which ensures that when a password changes in Azure AD (a password change, a self-service password reset, or an administrative reset of a user password) it is written back to the on-premises AD, provided the new password meets the on-premises AD password policy. If it does not, the reset fails and the user is told to pick another password.
How do I enable the password writeback feature?
Step 1: Set the account permissions for the Azure AD Connect service account
You need to make sure the following permissions are set for the AD Connect service account (the AD DS connector account). Unfortunately, I have seen many admins assign Enterprise Admin rights to the AD Connect service account, which is not recommended at all! Assign only the permissions the service account needs. If you are not one of them and use selective permissions, follow the steps below to assign the password reset permissions to the service account. The permissions, scoped to descendant user objects, are:
Reset password
Write permission on lockoutTime
Write permission on pwdLastSet
How do I check whether the service account already has the reset password permission?
In Active Directory Users and Computers, right-click the domain, choose Properties, and open the Security tab.
Click Advanced.
Look for the entries for your service account. Double-click each entry to see which permissions it carries and confirm that the three permissions above are present.
How do I assign the permissions?
Right-click the domain name and choose Delegate Control.
Click Next.
Add the service account to which you want to assign the permissions.
Choose "Create a custom task to delegate" and click Next.
Select "Only the following objects in the folder", tick "User objects", and click Next.
Tick "General" and "Property-specific", then mark the three permissions above:
Reset password
Write lockoutTime
Write pwdLastSet
Click Finish.
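The delegation wizard gives you no easy way to audit what was actually granted, and it is easy to tick one right too many. The PowerShell below is an added example, not part of the original post, that checks the domain-root ACL for exactly the three ACEs the wizard should have created (inherited to user objects only) and, if you set `$Grant`, adds the missing ones. The service account name `CONTOSO\svc_adsync` is an assumption; the GUIDs for the user class, the two attributes and the Reset Password extended right are looked up from the schema rather than hard-coded.

```powershell
# Added example (not from the original post): check, and optionally grant, the three
# permissions password writeback needs, on the domain root, inherited to user objects only.
# Assumptions: service account CONTOSO\svc_adsync (change it), ActiveDirectory module present,
# and you run this as a Domain Admin on a domain-joined machine.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc_adsync'   # assumption: your Azure AD Connect AD connector account
$Grant          = $false                  # set to $true to add the missing ACEs

$RootDSE  = Get-ADRootDSE
$DomainDN = (Get-ADDomain).DistinguishedName
$AdPath   = "AD:\$DomainDN"

# Resolve class/attribute GUIDs from the schema and the right GUID from Extended-Rights
# instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$UserClassGuid     = Get-SchemaGuid 'user'
$ResetPasswordGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$Sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Exactly the three ACEs from the delegation wizard: no broader rights, nothing on the domain object itself.
$Required = @(
    @{ Name = 'Reset password'   ; Rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight; ObjectType = $ResetPasswordGuid }
    @{ Name = 'Write lockoutTime'; Rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty; ObjectType = (Get-SchemaGuid 'lockoutTime') }
    @{ Name = 'Write pwdLastSet' ; Rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty; ObjectType = (Get-SchemaGuid 'pwdLastSet') }
)

$Acl = Get-Acl -Path $AdPath

# Returns the matching allow ACE(s) for the service account, or nothing if the right is missing.
# Only direct ACEs are inspected; a right obtained through group membership shows as MISSING.
function Find-WritebackAce($Entry) {
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid -and
        $_.ActiveDirectoryRights.HasFlag($Entry.Rights) -and
        $_.ObjectType -eq $Entry.ObjectType -and
        $_.InheritedObjectType -eq $UserClassGuid
    }
}

$Missing = @()
foreach ($entry in $Required) {
    if (Find-WritebackAce $entry) { Write-Host "OK      : $($entry.Name)" }
    else                          { Write-Host "MISSING : $($entry.Name)"; $Missing += $entry }
}

if ($Missing.Count -gt 0 -and $Grant) {
    foreach ($entry in $Missing) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $entry.Rights,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $entry.ObjectType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $UserClassGuid)
        $Acl.AddAccessRule($rule)
    }
    Set-Acl -Path $AdPath -AclObject $Acl
    Write-Host "Granted $($Missing.Count) missing permission(s) to $ServiceAccount"
}
```

Run it once before touching anything: three `OK` lines mean the delegation is already in place. The inheritance is deliberately `Descendents` with the user class as the inherited object type, so the service account gets nothing on the domain object, OUs or computer objects. Azure AD Connect also ships its own helper for this (the AdSyncConfig module under the install folder, with `Set-ADSyncPasswordWritebackPermissions`); the script above is useful when you want to see and review the individual ACEs rather than trust a wrapper.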
Step 2: Enabling the password writeback feature.
When you run Azure AD Connect, make sure the account you use for the setup holds the Global Administrator role in Office 365 (temporarily); once the feature is enabled you can remove the role again.
- Sign in to your Azure AD Connect server and start the Azure AD Connect configuration wizard.
- On the Welcome page, select Configure.
- On the Additional tasks page, select Customize synchronization options, and then select Next.
- On the Connect to Azure AD page, enter a global administrator credential for your Azure AD tenant, and then select Next.
- On the Connect directories and Domain/OU filtering pages, select Next.
- On the Optional features page, select the box next to Password writeback and select Next.
Once the setup has finished, open the Azure Active Directory portal (Password reset > On-premises integration) and verify the writeback status: the "Write back passwords to your on-premises directory" option is selected automatically after the configuration.
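The portal checkbox only reflects what the connector reported; on the Azure AD Connect server itself you can confirm the setting and see whether the writeback service is healthy. This is an added example, not part of the original post. It assumes the Azure AD connector carries the wizard's default name ending in "- AAD" (for example `contoso.onmicrosoft.com - AAD`) and that writeback events are logged to the Application log under the source `PasswordResetService`.

```powershell
# Added example (not from the original post): verify password writeback on the Azure AD
# Connect server after the wizard has finished.
# Assumption: a single Azure AD connector named "<tenant>.onmicrosoft.com - AAD".
Import-Module ADSync

$AadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if (-not $AadConnector) { throw 'No Azure AD connector found; is this the Azure AD Connect server?' }

# This is the same switch the wizard's "Password writeback" checkbox flips.
$cfg = Get-ADSyncAADPasswordResetConfiguration -Connector $AadConnector.Name
if ($cfg.Enabled) {
    Write-Host "Password writeback is ENABLED on connector '$($AadConnector.Name)'"
} else {
    Write-Warning "Password writeback is DISABLED on connector '$($AadConnector.Name)'"
    # To enable it without re-running the wizard (you are prompted for Azure AD admin credentials):
    # Set-ADSyncAADPasswordResetConfiguration -Connector $AadConnector.Name -Enable $true
}

# The writeback service writes to the Application log under source PasswordResetService.
# A healthy server shows a recent start-up event and no Error-level entries.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PasswordResetService' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If `Enabled` is `$true` but the event list is empty or shows errors, the usual cause is the service account permissions from Step 1 or outbound connectivity from the Connect server; fix that before moving on to the portal configuration.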
Configure the Self Service Password Reset Portal
The password writeback feature is ready. So, how do we enable SSPR?
In the Azure portal, select Azure Active Directory, then Users, and finally Password reset.
Here we have the option to enable Self Service Password Reset for selected users or groups, or for all users in the tenant. I strongly suggest you start with pilot users in a security group. Once you have confirmed that the service works and the pilot tests are complete, you can make it available to everyone.
Here we configure the required authentication methods. My suggestion is to require two methods, for example a mobile phone (SMS or call) plus a Microsoft Authenticator app notification or code; you can also define security questions based on your requirements, keeping in mind that answers to security questions are often guessable or publicly known, so they are the weakest of the available methods.
Note: If the Email option is enabled, a user can register a personal email address as an authentication method. This is not recommended, because a personal mailbox is outside your control and is easily compromised, and whoever controls it can reset the corporate password. Use office phone as the other option instead of email.
Here we can require users to register their authentication methods at their next sign-in, and set the number of days before users are asked to reconfirm their authentication information.
One of the important settings is keeping the notifications enabled for both end users and admins. When a user resets their password, they receive a password reset notification email, which lets them recognise whether the request was made by them or by someone else; with the admin option, all global administrators are notified when another administrator resets their own password.
Another option is to offer account unlock through SSPR. Normally a password reset also unlocks the account, but there are cases where you want to give users only the account unlock option, without forcing a password reset each time. I suggest you enable this feature as well.
Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for Multi-Factor Authentication and SSPR, yet they had to register for both features. Now, with combined registration, users register once and get the benefit of both Multi-Factor Authentication and SSPR.
If you have a new tenant, this option is enabled by default; in an older tenant it may not be selected. I strongly recommend enabling it for your SSPR users to reduce the complexity of the registration process.
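Before widening the rollout from the pilot group you want to know who has actually registered, and whether anyone registered only the weak methods discussed above. The Microsoft Graph PowerShell below is an added example, not part of the original post. It assumes the Microsoft.Graph modules are installed, the pilot security group is named `SSPR-Pilot`, the signed-in admin can consent to the listed scopes, and that the weak methods appear in the report's `methodsRegistered` list as `email` and `securityQuestion`.

```powershell
# Added example (not from the original post): after scoping SSPR to a pilot group, report which
# members have registered and which rely only on weak methods (email, security questions).
# Assumptions: Microsoft.Graph installed, pilot group "SSPR-Pilot", admin can consent to scopes,
# and methodsRegistered uses the values 'email' and 'securityQuestion' for the weak methods.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'Group.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$PilotGroupName = 'SSPR-Pilot'   # assumption: the group selected under Password reset > Properties
$Group = Get-MgGroup -Filter "displayName eq '$PilotGroupName'"
if (-not $Group) { throw "Group '$PilotGroupName' not found" }

# Pilot members by UPN (Get-MgGroupMember returns generic directory objects).
$PilotUpns = Get-MgGroupMember -GroupId $Group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }

# One registration report for the tenant, joined to the pilot membership.
$Report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $PilotUpns -contains $_.UserPrincipalName }

$WeakMethods = @('email', 'securityQuestion')   # assumption: Graph method names
$Rows = foreach ($u in $Report) {
    $strong = @($u.MethodsRegistered | Where-Object { $_ -notin $WeakMethods })
    [pscustomobject]@{
        User           = $u.UserPrincipalName
        SsprEnabled    = $u.IsSsprEnabled      # user is in scope of the SSPR policy
        SsprRegistered = $u.IsSsprRegistered   # enough methods registered to reset
        Methods        = ($u.MethodsRegistered -join ',')
        WeakOnly       = ($u.IsSsprRegistered -and $strong.Count -eq 0)
    }
}
$Rows | Sort-Object SsprRegistered, WeakOnly | Format-Table -AutoSize

# Two follow-up lists for the pilot: users to chase for registration, and users whose
# recovery path rests only on personal email or security questions.
"Not registered: " + (($Rows | Where-Object { $_.SsprEnabled -and -not $_.SsprRegistered }).User -join ', ')
"Weak only     : " + (($Rows | Where-Object WeakOnly).User -join ', ')
```

A pilot member with `SsprEnabled` false means the policy scope is wrong (wrong group, or nested membership the policy does not see); `WeakOnly` users are the ones to move to a phone or Authenticator method before you remove email or security questions from the allowed list, otherwise they lose the ability to reset.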
Part 2: How to enable Self Service Password Reset Portal – Part 2 (hakanmarangoz.com)