Looking for security documentation and consultancy? Visit ridgelinecyber.com
Sign In

AD1.6 Self-Service Password Reset

5-6 hours · Module 1 · Free
Operational Objective
Password resets are the single highest-volume helpdesk ticket in most organisations — accounting for 20-40% of all IT support requests. Every reset costs 15-30 minutes of helpdesk time and 5-30 minutes of user downtime. Self-service password reset (SSPR) lets users reset their own passwords securely — verifying their identity through MFA methods they've already registered — without calling the helpdesk. This reduces ticket volume, eliminates the social engineering vector where an attacker calls the helpdesk pretending to be a locked-out employee, and gives users immediate access recovery outside business hours. If your users currently call the helpdesk for every password reset, SSPR pays for itself in the first week.
Deliverable: SSPR configured for all users with appropriate authentication methods, registration enforcement, and on-premises password writeback (for hybrid environments). The helpdesk password reset volume drops by 70-80%.
Estimated completion: 25 minutes
PASSWORD RESET: HELPDESK vs SELF-SERVICEWITHOUT SSPRUser locked out → calls helpdesk → waits on holdHelpdesk verifies identity (how?) → resets passwordElapsed time: 15-45 minutes. Cost: £25-50 per reset.After hours? User waits until morning.Social engineering risk: attacker impersonates user.20-40% of all helpdesk ticketsWITH SSPRUser locked out → goes to aka.ms/ssprVerifies identity via Authenticator app or phoneResets password immediately. Elapsed: 2 minutes.Works 24/7. No helpdesk needed. No waiting.Identity verified cryptographically, not by voice.Helpdesk reset volume drops 70-80%

Figure AD1.6 — Password reset with and without SSPR. Self-service resets are faster, cheaper, available 24/7, and more secure (identity verified by MFA rather than by a helpdesk technician asking "what's your employee number?"). Configure SSPR and your helpdesk thanks you.

Configuring SSPR

Navigate to entra.microsoft.com → Protection → Password reset. The configuration has four key sections.

Properties: Set “Self-service password reset enabled” to “All” (all users). You can start with a pilot group if you want to test first, but SSPR has minimal blast radius — users who don’t need it simply never use it, and users who do need it get an immediate benefit.

Authentication methods: Set “Number of methods required to reset” to 2 (this means the user must verify their identity with two methods, matching MFA strength). Under “Methods available to users,” enable Microsoft Authenticator notification, Authenticator app code, email (a secondary email address), and mobile phone. Disable “Security questions” — they’re easily guessable or researchable through social media. The strongest configuration uses the methods the user has already registered for MFA, which means SSPR registration and MFA registration converge.

Registration: Set “Require users to register when signing in” to “Yes” and set “Number of days before users are asked to reconfirm” to 180. This ensures every user has SSPR methods registered and periodically re-validates them.

Notifications: Enable “Notify users on password resets” (the user gets an email when their password is reset — if they didn’t initiate it, this is an early warning of compromise) and “Notify all admins when other admins reset their password” (any admin password reset triggers notification to all other admins — a critical alert for detecting admin account compromise).

Password writeback for hybrid environments

If your environment uses Azure AD Connect to sync on-premises Active Directory with Entra ID (which NE does), you need password writeback enabled. Without writeback, a user who resets their password via SSPR changes only the cloud password — their on-premises AD password stays the same, and they can’t log into domain-joined devices with the new password.

Password writeback is configured in the Azure AD Connect wizard on your sync server. Open Azure AD Connect → Configure → Customize synchronization options → Optional features → check “Password writeback.” After enabling writeback, SSPR password changes propagate to on-premises AD within seconds.

If you’re running Azure AD Connect Cloud Sync instead of the classic Azure AD Connect, password writeback is enabled in the Entra admin center → Hybrid management → Azure AD Connect → Cloud Sync → Password writeback toggle.

Test writeback after configuration: have a user reset their password via aka.ms/sspr, then attempt to log into a domain-joined workstation with the new password. If the login succeeds, writeback is working. If it fails, check the Azure AD Connect sync service logs for writeback errors — the most common issue is insufficient permissions for the AD Connect service account in Active Directory.

Expand for Deeper Context

SSPR and MFA registration convergence is worth understanding. In modern Entra ID, users register MFA methods and SSPR methods through the same interface — aka.ms/mysecurityinfo (My Security Info page). A user who registers Microsoft Authenticator for MFA automatically has it available for SSPR. This means that if you’ve already completed the MFA registration campaign from AD1.3, most of your users are already registered for SSPR — you just need to enable the SSPR policy.

The convergence also means you should configure the SSPR authentication methods to match or be a subset of your MFA methods. If you require two methods for SSPR, and the user has registered Authenticator + phone for MFA, both methods are available for SSPR without any additional registration.

One practical consideration: the “email” method for SSPR uses an alternate email address (personal email), not the user’s corporate email (which they can’t access when they’re locked out). During registration, users are prompted to provide a secondary email. If they skip this, they have one fewer SSPR method available. For users with only one registered method who need two for SSPR, the fallback is a helpdesk-assisted reset — which is fine because it’s only needed when the user also can’t access their phone.

The security benefit most people miss

SSPR isn’t just a convenience feature — it’s a security control. Helpdesk password resets are a known social engineering vector. An attacker calls the helpdesk, claims to be a locked-out employee, provides enough personal information to satisfy the identity verification (employee number, date of birth, manager’s name — all findable on LinkedIn or through prior reconnaissance), and the helpdesk technician resets the password. The attacker now has a fresh password for the account.

SSPR eliminates this vector because the identity verification happens through cryptographic methods (Authenticator app, FIDO2 key) that the attacker can’t replicate over a phone call. The helpdesk technician is removed from the password reset flow entirely for standard users, which means there’s no human to social engineer.

For your helpdesk team, this also means they should be trained to decline password reset requests: “Our policy requires self-service password reset through aka.ms/sspr. If you’re unable to complete the self-service process, I can help you with SSPR registration, but I cannot manually reset your password.” This is a hard line to hold — but it’s the line that prevents social engineering attacks against your helpdesk.

Banned password lists — stop weak passwords at the source

While you’re configuring SSPR, configure custom banned passwords. Navigate to entra.microsoft.com → Protection → Authentication methods → Password protection. Enable “Custom banned password list” and add terms specific to your organisation: company name, product names, office locations, and common variations. Entra ID already blocks thousands of common weak passwords globally, but the custom list catches organisation-specific patterns like “Northgate2026!” or “Engineering1” that the global list doesn’t know about.

Set “Mode” to “Enforced” (not “Audit” — banned passwords should be blocked, not logged). Set “Enable password protection on Windows Server Active Directory” to “Yes” if you have hybrid environment — this extends the banned password check to on-premises AD password changes as well, so users can’t set weak passwords locally and have them sync to the cloud.

The combination of SSPR and banned passwords means users can reset their own passwords 24/7, and the new password they choose is automatically checked against both the global banned list and your custom list. A user trying to set “Northgate123!” gets rejected immediately with a message to choose a stronger password. No helpdesk intervention needed.

Monitoring SSPR activity

SSPR generates audit events that you should monitor, especially in the first two weeks after deployment. Navigate to entra.microsoft.com → Protection → Password reset → Audit logs. The key events to watch for:

“Self-service password reset flow activity completed” — this is a successful SSPR reset. Expect a steady volume as users adopt the feature. A sudden spike (10+ resets in an hour from different accounts) could indicate an attacker testing stolen credentials against the SSPR flow.

“User blocked from self-service password reset” — this means a user tried SSPR but couldn’t complete the identity verification (wrong MFA method, expired registration, too many failed attempts). Check whether this is a legitimate user who needs registration help or an attacker failing to verify a stolen identity.

“Self-service password reset flow activity progress” — this captures each step of the SSPR flow, including which verification methods were used and whether each step succeeded or failed. Useful for troubleshooting when a user reports “SSPR isn’t working.”

One particularly valuable SSPR monitoring pattern: if you see a “Self-service password reset flow activity completed” event for a user who also has a “Leaked credentials” risk detection in Identity Protection, the password reset is almost certainly a legitimate user responding to your notification that their credentials were found in a breach database. Correlating SSPR events with risk detections confirms that your notification process is working — users are receiving the leaked credential notification and proactively resetting their passwords. Add these audit events to your Monday morning review alongside the sign-in log check and the Defender incident queue review. Total addition to your weekly monitoring: 2 minutes.

Compliance Myth: "Self-service password reset is less secure than helpdesk resets because anyone could reset anyone's password"
The opposite is true. SSPR requires the user to verify their identity through two registered MFA methods — the same methods that protect their sign-in. Helpdesk resets typically verify identity through knowledge-based questions (employee number, date of birth, mother's maiden name) that are trivially guessable, researchable, or obtained through social engineering. SSPR is cryptographic verification. Helpdesk verification is a conversation. The cryptographic method is stronger by every measure.
Decision point

You’ve enabled SSPR for all users. A senior manager calls the helpdesk and says: “I’m locked out and the self-service reset isn’t working — it says I need to verify with my Authenticator app but I left my phone at home. Can you just reset my password?” The helpdesk technician asks you what to do. What’s the correct procedure?

Option A: Reset the password manually — the manager is clearly who they say they are.

Option B: Tell the manager to go home and get their phone, then use SSPR.

Option C: Issue a Temporary Access Pass for the manager’s account, have them sign in with the TAP, re-register an alternative MFA method (office phone number), and then use SSPR with the newly registered method.

The correct answer is Option C. You shouldn’t manually reset the password because you can’t verify the caller’s identity with the same confidence that SSPR provides — the call could be a social engineering attempt. Sending them home is impractical and creates unnecessary downtime. A Temporary Access Pass provides a secure, time-limited credential that the admin generates in the Entra portal (Users → Authentication methods → Temporary Access Pass), gives to the user through a verified channel (in person if they’re in the office, or via verified callback to a known number), and expires automatically. The user signs in, registers a backup MFA method, and can then use SSPR normally for future resets.

Try it: Enable SSPR in your tenant

Navigate to entra.microsoft.com → Protection → Password reset → Properties. If SSPR is currently set to “None,” change it to “All.” Configure the authentication methods (2 methods required, Authenticator + phone + email), enable registration enforcement, and enable notifications.

Test SSPR yourself: open a private browser, navigate to aka.ms/sspr, enter your username, and follow the password reset flow. Verify you’re prompted for two verification methods. Complete the reset and verify the new password works for sign-in.

If you have a hybrid environment with Azure AD Connect, test password writeback: reset your password via SSPR and then log into a domain-joined machine with the new password. If the domain logon fails, the writeback is not working — check the Azure AD Connect configuration.

Check the SSPR audit log: navigate to entra.microsoft.com → Protection → Password reset → Audit logs. Every SSPR event is logged here — successful resets, failed resets, registration events. This is the log you’ll check if you suspect an attacker is attempting to reset a user’s password through SSPR.

A user resets their password via SSPR at 23:30 on a Friday night. Nobody from IT is online. On Monday morning, the user's manager reports that emails were sent from the user's account over the weekend that the user didn't write. What's the most likely explanation?
SSPR malfunctioned and gave access to someone else — Extremely unlikely. SSPR requires registered MFA methods for verification. A malfunction wouldn't grant access to an unregistered person.
The user's account was already compromised, and the attacker reset the password through SSPR using MFA methods they had registered on the account — Most likely. If the attacker had previously compromised the account and registered their own MFA methods (a common persistence technique), they could use SSPR to reset the password and maintain access. Check the Entra audit log for MFA method registrations on this account. If you see an unfamiliar device or phone number registered, the attacker added their own MFA before using it for SSPR.
Someone at the helpdesk manually reset the password — Unlikely at 23:30 on a Friday. But check the admin audit log to verify no admin-initiated password reset occurred.
The user reset their password because they were compromised and the new password has been phished too — Possible but less likely. The user initiated the legitimate SSPR, but the account was re-compromised through an existing session token or a secondary access method. Check for active sessions from unknown IPs alongside the password reset event.
Operational Artifact — SSPR Configuration Checklist
SSPR deployment checklist: enable SSPR for all users, require 2 authentication methods (Authenticator + phone), enforce registration on sign-in, enable notifications for both users and admins, configure password writeback if using Azure AD Connect, test SSPR from a private browser session, test writeback to a domain-joined device, and train the helpdesk to redirect password reset requests to aka.ms/sspr. Post-deployment: monitor the Password reset audit log weekly and track helpdesk ticket volume for password resets — expect a 70-80% reduction within the first month.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← Previous Next →