How to setup Self-Service password reset in Microsoft 365

Self-Service password reset (or SSPR) when enabled will show "I forgot my password" link under the Microsoft 365 password page. In order for a user to be able to self reset his/her password there needs to be a secondary authentication mechanism connected to the user.

Configuring "Authentication methods" to be used by Self-Service password reset

There are two main authentication methods, either through a secondary email or phone. On the phone side you can use Authenticator app or receive a code through SMS. This last one isn't as secure because sms can be spoofed while the authenticator App uses your phone identity service.

  • Access the Password reset blade through the Azure Active Directory portal.
  • On the left side sub menu select Authentication Methods
  • From the Methods list select which options should be available to the user when resetting the password. Here's a quick explanation of each one:
    • Mobile app notification: this can never be the only one, so it's only selectable when you have 2 required methods to reset the password.
      The user needs to have the Authenticator App configured and will get a pushed notification on their phone to allow the login.
    • Mobile app code: Exact same as Mobile app notification but instead of receiving a notificatoin the user needs to open the Authenticator App, select his/her Microsoft 365 account and a continuously changing random code will show which needs to be used to reset the password.
      The user needs to have the Authenticator App configured
    • Mobile phone: This is the normal "A message with a code was sent to your phone" method of proving your identity to reset the password. The only requirement for this is the user needs to have a mobile phone connected to his/her azure profile.
    • Email: It's through a secondary email and as with the phone number, an alternative email must be configured on the user's account
    Microosft 365 self service password reset methods
  • After the authentication methods are set, select Properties from the left side menu.
  • Then you just need to enable the Self Service Password reset to either "Selected" or "All". Please keep in mind that if you select All it means All users in the tenant need to have at least one of the methods you selected on the previous step configured. If they don't then the next time they try to log in they'll be prompted to configure it. Example, if you set "Mobile phone" and they don't have a phone connected to their account they'll need to enter it.
  • If you think applying to All is to radical then you can do it through "Selected" groups. Create a group, for instance called "Password Self Reset" and click on "Selected" and then choose that group. This way you can start activating this feature in batches to users and provide support.
    selected group for self password reset

How can I configure users phone number for them ?

Some Microsoft 365 administrator have somewhere a list of phone numbers and the respective users and would like to configure the Mobile Phone authentication method for them.

  • Open Users in Azure Active Directory
  • Search and open a specific User
  • On the left menu click Authentication methods
  • If you are using the new view of this sub page click on "+ Add authentication method" or simply fill the phone input field.