SSPR (Self Service Password Reset) is a feature provided by Microsoft that allows enrolled users to reset their own passwords, with no administrator or help desk involvement.
The helpdesk team is contacted first when an account gets locked, or a user forgets a password.
It would be really helpful if users could unblock their accounts and resume working on their own, which reduces the dependency on the helpdesk and the downtime for the end user.
It is important to consider the different types of users within your Microsoft 365 tenant when planning for SSPR and how it will handle each user's request to reset their own passwords.
This blog covers cloud-based SSPR.
Azure AD Self-Service Password Reset Prerequisites
An Azure AD tenant with at least a free or trial license enabled.
In the Free tier, users with Azure AD accounts can change their passwords, but not reset them.
A user account with global administrator access.
A non-administrator user with a password you know, for testing.
A group that the non-administrator user is a member of, such as SSPR-Group.
Set up self-service password resets in Azure AD
To enable self-service password reset for users in Azure AD, sign in to the Azure portal using an account with global administrator permissions.
On the left side of the Azure portal, search for and select Azure Active Directory, then select Password reset.
On the Properties page, the options appear under Self-service password reset enabled.
You can specify whether users within this directory can change their passwords by using this setting. To restrict password reset to a limited group of users, select "Selected".
You will need to select which user groups get access to the self-reset options if you choose this option.
A "Password reset policy saved" message will appear in notifications. Self-service password reset for users in Azure AD is now enabled.
Authentication methods in AAD
A user must register at least one authentication method to be enabled for SSPR. It is strongly recommended that you offer two or more authentication methods, so your users have more options if one method is inaccessible when they need it.
The following authentication methods are available for SSPR:
Mobile app notification
Mobile app code
Office phone (available only for tenants with paid subscriptions)
A different verification method is required when user accounts need to be unlocked or passwords changed.
Based on the registration information the user provides, you can choose which authentication methods to allow.
Choose Authentication methods and make sure to require at least 1 method for password reset; you can also require 2 methods if you wish to be more secure.
Users to register when they sign in
Users must register their contact information before being able to unlock their account or change their password.
This workflow includes the following applications:
Custom applications using Azure AD
Azure AD can prompt users to register the next time they sign in.
Select the Registration page from the Password Reset window and select Yes for Require users to register when logging in.
Set the number of days before users must reconfirm their authentication information to 180.
Make sure the contact information is current. Outdated contact information may prevent a user from unlocking their account or resetting their password.
Note: Users can dismiss the SSPR registration portal by selecting cancel or by closing the window. However, they're prompted to register each time they sign in until they complete their registration.
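An added example (not part of the original post and not Microsoft's own tooling): a Python check of which SSPR-enabled users could actually reset a password, run over records shaped like the Microsoft Graph userRegistrationDetails report. The sample records, the audit_sspr function, its labels, and the mapping of this page's methods to Graph method names are assumptions.

```python
import json

# Constructed sample shaped like Microsoft Graph userRegistrationDetails records
# (GET /reports/authenticationMethods/userRegistrationDetails). Not real tenant data.
SAMPLE_REPORT = json.loads("""
[
  {"userPrincipalName": "alice@example.com", "isSsprEnabled": true,
   "isSsprRegistered": true,
   "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
  {"userPrincipalName": "bob@example.com", "isSsprEnabled": true,
   "isSsprRegistered": true, "methodsRegistered": ["officePhone", "email"]},
  {"userPrincipalName": "carol@example.com", "isSsprEnabled": true,
   "isSsprRegistered": false, "methodsRegistered": []},
  {"userPrincipalName": "dave@example.com", "isSsprEnabled": false,
   "isSsprRegistered": false, "methodsRegistered": ["officePhone"]}
]
""")

# Assumption: the tenant policy allows only the three methods this page lists;
# these are the Graph names assumed for them.
ALLOWED_METHODS = {"microsoftAuthenticatorPush", "softwareOneTimePasscode",
                   "officePhone"}

def audit_sspr(records, required_methods=1, recommended_methods=2):
    """Classify each user by SSPR registration readiness."""
    findings = {}
    for rec in records:
        upn = rec["userPrincipalName"]
        if not rec.get("isSsprEnabled"):
            # Not in the group selected for SSPR (for example SSPR-Group).
            findings[upn] = "out-of-scope"
            continue
        usable = ALLOWED_METHODS & set(rec.get("methodsRegistered", []))
        if not rec.get("isSsprRegistered") or len(usable) < required_methods:
            # Enabled but would be stuck at the reset prompt.
            findings[upn] = "cannot-reset"
        elif len(usable) < recommended_methods:
            # Works today, but losing that one method locks the user out.
            findings[upn] = "single-method"
        else:
            findings[upn] = "ok"
    return findings

if __name__ == "__main__":
    for upn, status in audit_sspr(SAMPLE_REPORT).items():
        print(f"{status:14} {upn}")
```

Users reported as cannot-reset or single-method are the ones to follow up with before relying on SSPR to replace helpdesk resets.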
Experience SSPR as an end user
Users can either visit https://aka.ms/ssprsetup or select the Register for password reset link under the Profile tab in the Access Panel.
Reset your password by following the verification steps. Once you're done, you'll receive an email notification that you've been redirected.
In case you receive the error message below, please register your sign-in info and proceed further.
Open the web browser on your device and go to the Security info page.