Configure self-service password reset – Manage Azure identities and governance – AZ-104 Study Guide

Configure self-service password reset

Password resets are among the highest cost-incurring support activities for many organizations, and many of them staff dedicated front-line help desks to handle such requests. Self-service password reset (SSPR) allows users to reset their own passwords in Microsoft Entra ID and, when properly licensed and configured, optionally write the new password back to an on-premises directory by using password writeback with Entra Connect or Entra Connect Sync. SSPR allows users to change their passwords, reset their passwords when they cannot sign in, and unlock their accounts, all without the intervention of an IT department.

Each of these scenarios applies to both cloud-only and hybrid users, but the licensing requirements vary. Table 1-1 details each scenario, the type of user it applies to, and the licenses required.

TABLE 1-1 Self-service password reset license requirements

Scenario                     | User Type       | License Requirements
Password Change              | Cloud-only user | Included in all license types of Entra ID
Password Reset               | Cloud-only user | Microsoft 365 Business Standard, Microsoft 365 Business Premium, Entra ID P1, Entra ID P2
Password Change/Unlock/Reset | Hybrid user     | Microsoft 365 Business Premium, Entra ID P1, Entra ID P2

SSPR can be enabled through the Azure portal by browsing to your Entra tenant and selecting Password Reset. When enabling SSPR, you can scope the functionality to a group, which allows you to roll out the feature in waves as users are onboarded into the service. As part of the configuration, you will also select the Authentication Methods for SSPR: Mobile App Notification, Mobile App Code, Email, Mobile Phone, Office Phone, and/or Security Questions (as shown in Figure 1-13). Finally, using the Registration blade, you will configure registration options such as whether registration is required to use SSPR and the number of days before users must reconfirm their authentication information.

FIGURE 1-13 Configure SSPR authentication methods

Additionally, you can control how notifications are sent to users and admins using the Notifications blade. The Customization blade lets you provide a custom helpdesk link or e-mail address so that users who cannot complete a reset can contact the administrator directly. If on-premises integration is enabled, the On-Premises Integration blade lets you control whether passwords are written back to your on-premises directory and whether users may unlock their accounts without resetting their passwords.
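Before making registration mandatory for a pilot group, an administrator will want to know which members of that group have actually registered SSPR methods. The following PowerShell script is an added example, not from the study guide; it assumes the Microsoft.Graph.Groups and Microsoft.Graph.Reports modules are installed, that the signed-in account holds the AuditLog.Read.All and GroupMember.Read.All permissions, and that the pilot group name is passed as a parameter.

```powershell
# Added example: report SSPR registration coverage for the group SSPR is scoped to.
# Assumes Microsoft.Graph.Groups and Microsoft.Graph.Reports are installed.
param(
    [Parameter(Mandatory)] [string] $PilotGroupName   # name of the SSPR pilot group (assumed)
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'GroupMember.Read.All' -NoWelcome

# Resolve the pilot group; escape single quotes so the OData filter stays valid.
$safeName = $PilotGroupName.Replace("'", "''")
$group = Get-MgGroup -Filter "displayName eq '$safeName'" | Select-Object -First 1
if (-not $group) { throw "Group '$PilotGroupName' not found" }

# Collect the UPNs of all user members, including members of nested groups.
$memberUpns = Get-MgGroupTransitiveMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'].ToLower() }

# Pull the tenant-wide registration report once and index it by UPN.
$byUpn = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $byUpn[$_.UserPrincipalName.ToLower()] = $_ }

# Join the two data sets: one row per pilot user with SSPR status and methods.
$report = foreach ($upn in $memberUpns) {
    $d = $byUpn[$upn]
    [pscustomobject]@{
        UserPrincipalName = $upn
        SsprEnabled       = if ($d) { $d.IsSsprEnabled }    else { $false }
        SsprRegistered    = if ($d) { $d.IsSsprRegistered } else { $false }
        Methods           = if ($d) { ($d.MethodsRegistered -join ', ') } else { '(no report entry)' }
    }
}

# Summary first, then the users who would be forced through registration at next sign-in
# if "Require users to register when signing in" is turned on for this group.
$registered   = @($report | Where-Object SsprRegistered).Count
$unregistered = @($report | Where-Object { -not $_.SsprRegistered })
Write-Host ("{0} of {1} pilot users have registered for SSPR" -f $registered, $report.Count)
$unregistered | Sort-Object UserPrincipalName | Format-Table -AutoSize
```

Reviewing the Methods column also shows which users rely only on the weaker options among the methods listed above (for example, security questions), which is useful input when deciding how many methods to require for a reset.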

Skill 1.2: Manage access to Azure resources

Access control in Microsoft Azure is an important part of an organization's security and compliance requirements. Implementing role-based access control (RBAC) defines access rights at a granular level, based on each user's assigned tasks or the day-to-day activities they need to perform in their role. This ensures that each person can perform the tasks they need to accomplish, and no more.