Self-Service Password Reset – Azure AD Premium
Users today have little tolerance for downtime caused by IT constraints, and self-service exists to minimize it. Self-service has long been a key goal for IT departments across the world as a way to minimize downtime, reduce cost, and save labor. The market is flooded with products, such as Microsoft System Center Orchestrator, that let you manage your groups, passwords, or user profiles. Azure Active Directory (Azure AD) sets itself apart from other offerings by providing some of the easiest-to-use and most powerful self-service capabilities available today. This post focuses on how to automate password resets using Self-Service Password Reset (SSPR) in the new Azure portal (Resource Manager), so that an end user who has forgotten a password faces minimal downtime.
Azure AD Password Management is a set of capabilities that allow your users to manage any password from any device, at any time, from any location, while remaining in compliance with the security policies you define.
If an organization is already using Office 365, its identities (users) are already synced to the cloud or in a hybrid scenario, but you still need to upgrade from the Free edition of Azure AD to Azure AD Premium to use these features.
Let’s dig in.
1. Open a browser of your choice and go to the Azure portal. Log in with your credentials and click on Azure Active Directory.
2. Here, the Azure AD edition is Free, so you first need to activate the Premium edition. Click on Password Reset->Get a free Premium trial to use these features.
3. Select Azure AD Premium.
4. Click on Activate.
5. Click on Password reset->Configure.
6. If you don’t want to enable SSPR for all users, you can create a group and assign members to it. Here, the SSPR group name is AAD Premium Group and its members are UserOne, UserTwo and Sakaldeep.
7. Click the Enable button to enable Azure AD Premium features for the selected group of users.
8. After enabling SSPR, you need to configure the password reset policy: authentication methods, user registration, and end-user and admin notifications. Here, both email and mobile phone have been selected as the end-user authentication methods for resetting passwords.
9. The policy below is required if you want end users to go through the registration process and provide a current mobile number and email address before resetting a password. Here, registration is required.
10. The policy below sends email notifications to both the end user and the admin after every password reset.
11. The admin-level configuration is now done. Next, users need to register through the registration portal. To use the password reset registration portal, you must provide the users in your organization with a link to this page (http://aka.ms/ssprsetup) or turn on the option to require users to register automatically. Once they click this link, they are asked to sign in with their organizational account. After doing so, they see the following page.
12. Here, users can provide and verify their mobile number, alternate email address, or security questions.
13. Enter your valid mobile number and verify it.
14. Now verify your alternate email address.
15. After you verify both the mobile number and the email address, the page will look like the one below.
16. Registration is now complete. Next, let's reset the password using the self-service portal at portal.microsoftonline.com.
17. Click on Can’t access your account?
18. Enter the user ID and security verification code and click on the Next button.
19. Choose a verification method; here I am choosing the alternate email.
20. You will receive an email containing the verification code.
21. Verify your email using the code received in the email.
22. Once your email is verified, you will be prompted to reset the password for the account.
23. Finally, your password has been reset.
24. After the successful password reset, the end user and the admin will each receive a notification email.
25. The admin can also see the log of all password reset activities.
In the same manner, you can also reset your password using your registered mobile number.
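To go with the password reset log mentioned in step 25, here is an added example (not part of the original post) that reviews exported reset records for blocked or failed attempts and for bursts of successful resets on one account. The record fields follow the Microsoft Graph directoryAudit shape; the activity names, thresholds, function names and the sample users' addresses are assumptions to check against your own tenant's export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names are assumptions; confirm them against your own audit log export.
RESET = "Reset password (self-service)"
BLOCKED = "Blocked from self-service password reset"

def _rec(ts, activity, result, upn):
    """Build one record using directoryAudit field names (hypothetical helper)."""
    return {"activityDateTime": ts, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": upn}}}

# Constructed sample data: addresses, times and outcomes are made up.
SAMPLE = [
    _rec("2024-05-01T09:00:00Z", RESET, "success", "userone@example.com"),
    _rec("2024-05-01T09:10:00Z", RESET, "success", "userone@example.com"),
    _rec("2024-05-01T09:25:00Z", RESET, "success", "userone@example.com"),
    _rec("2024-05-01T10:00:00Z", RESET, "failure", "usertwo@example.com"),
    _rec("2024-05-01T10:05:00Z", BLOCKED, "success", "usertwo@example.com"),
    _rec("2024-05-02T08:00:00Z", RESET, "success", "sakaldeep@example.com"),
]

def _ts(rec):
    return datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def review_sspr(records, window=timedelta(hours=1), max_resets=2):
    """Return {upn: [reasons]} for accounts whose reset activity deserves a look."""
    resets, findings = defaultdict(list), defaultdict(list)
    for rec in sorted(records, key=_ts):
        name = rec["activityDisplayName"]
        upn = (rec["initiatedBy"].get("user") or {}).get("userPrincipalName", "unknown")
        if name == BLOCKED:
            findings[upn].append("blocked from SSPR")
        elif name == RESET and rec["result"] != "success":
            findings[upn].append("failed reset")
        elif name == RESET:
            resets[upn].append(_ts(rec))
    for upn, times in resets.items():
        start = 0  # left edge of a sliding time window over sorted reset times
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_resets:
                findings[upn].append("repeated resets in window")
                break
    return dict(findings)

if __name__ == "__main__":
    print(review_sspr(SAMPLE))
```

Accounts that surface here are worth comparing against the notification emails configured in step 10, since a reset the user does not recognize should show up in both places.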