Lab 06: Self-Service Password Reset (SSPR)
Difficulty: Intermediate
Duration: 45-60 minutes
License Required: Entra ID P1 (for all users) or Free (for admins only)
Objectives
By the end of this lab, you will be able to:
- Enable and configure Self-Service Password Reset
- Choose authentication methods for SSPR
- Configure registration enforcement
- Test the SSPR user experience
- Monitor SSPR usage and activity
Prerequisites
- [ ] Azure subscription with Entra ID P1 license (or Free for admin-only)
- [ ] Global Administrator or Authentication Policy Administrator role
- [ ] A test user account to verify SSPR
- [ ] Access to the test user's email or phone for verification
Scenario
Contoso IT receives hundreds of password reset tickets monthly. The help desk spends significant time on routine password resets instead of more valuable work. You've been tasked with implementing Self-Service Password Reset to:
- Reduce help desk tickets by 50%
- Allow users to reset passwords 24/7 (not just business hours)
- Maintain security by requiring multiple verification methods
- Track SSPR usage for compliance reporting
Lab Tasks
Task 1: Enable SSPR for a Pilot Group
Before rolling out to all users, you need to pilot SSPR with a specific group.
Requirements:
- Create a security group called SSPR-Pilot-Users
- Add 2-3 test users to the pilot group
- Enable SSPR for only the pilot group (not all users)
Verification:
- [ ] SSPR is set to "Selected" (not "All" or "None")
- [ ] Only the pilot group is selected
Task 2: Configure Authentication Methods
Users need at least 2 methods to reset their password. Configure appropriate methods.
Requirements:
- Require 2 methods to reset
- Enable these methods:
  - Mobile phone (SMS only; leave voice call disabled for security)
  - Authenticator app notification
  - Authenticator app code
  - Security questions (5 questions to register, 3 to reset)
- Add at least 5 custom security questions
Custom Security Questions to Add:
- What was your childhood nickname?
- In what city was your first job?
- What was your first car?
- What was the name of your first pet?
- What is your favorite movie?
Verification:
- [ ] Number of methods required is set to 2
- [ ] At least 4 authentication methods are enabled
- [ ] Security questions are configured with custom questions
Task 3: Configure Registration Enforcement
Ensure users register for SSPR before they need it.
Requirements:
- Force users to register when signing in
- Allow users to skip registration for 14 days maximum
- Require users to reconfirm their info every 180 days
Verification:
- [ ] Registration is required at sign-in
- [ ] Days before users are asked to re-confirm is 180
- [ ] Interrupt mode is configured
Task 4: Configure Notifications
Set up proper notifications for security awareness.
Requirements:
- Notify users when their password is reset
- Notify all admins when ANY admin resets their password
Verification:
- [ ] User notifications are enabled
- [ ] Admin notifications for admin resets are enabled
Task 5: Enable Password Writeback (Hybrid Only)
If you have Entra Connect syncing from on-premises AD:
Requirements:
- Enable password writeback in Entra Connect
- Allow users to unlock accounts without resetting password
Verification:
- [ ] Password writeback is enabled (if applicable)
- [ ] Account unlock is enabled (if applicable)
Note: Skip this task if you don't have on-premises AD.
Task 6: Test SSPR as a User
Test the complete SSPR experience from a user perspective.
Requirements:
- Sign in as a pilot user
- Complete SSPR registration (register at least 2 methods)
- Sign out
- Go to the password reset portal
- Complete a password reset using your registered methods
- Sign in with the new password
Testing URLs:
- Registration: https://aka.ms/ssprsetup
- Password Reset: https://aka.ms/sspr
Verification:
- [ ] User was prompted to register for SSPR
- [ ] User successfully registered 2+ methods
- [ ] User successfully reset password via SSPR
- [ ] User can sign in with new password
Task 7: Review SSPR Activity
Monitor SSPR usage for compliance and troubleshooting.
Requirements:
- View the Password reset registration activity report
- View the Password reset activity report
- Identify any failed reset attempts
Verification:
- [ ] Can view registration activity
- [ ] Can view reset activity
- [ ] Understand the audit log entries
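A triage script for the exported reset activity, as an added example that is not part of the lab: it reads records shaped like Microsoft Graph directoryAudit objects, counts outcomes by activity and lists users with repeated failed attempts. The sample records are constructed, and the activity names and the "Self-service Password Management" service label are assumed from what the Entra audit log shows; check them against your own export before relying on the filter.

```python
from collections import Counter

SSPR_SERVICE = "Self-service Password Management"  # Service label assumed for SSPR audit events

def _rec(ts, activity, result, upn, service=SSPR_SERVICE):
    """Build one record shaped like a Microsoft Graph directoryAudit object (constructed sample)."""
    return {"activityDateTime": ts, "activityDisplayName": activity, "result": result,
            "loggedByService": service, "initiatedBy": {"user": {"userPrincipalName": upn}}}

# Constructed sample export for this exercise, not data from a real tenant.
SAMPLE_AUDIT_RECORDS = [
    _rec("2024-05-01T08:00:00Z", "Reset password (self-service)", "success", "alice@contoso.com"),
    _rec("2024-05-01T08:05:00Z", "Reset password (self-service)", "failure", "bob@contoso.com"),
    _rec("2024-05-01T08:06:00Z", "Reset password (self-service)", "failure", "bob@contoso.com"),
    _rec("2024-05-01T08:07:00Z", "Reset password (self-service)", "failure", "bob@contoso.com"),
    _rec("2024-05-01T09:00:00Z", "Reset password (self-service)", "failure", "carol@contoso.com"),
    _rec("2024-05-01T09:30:00Z", "User registered for self-service password reset", "success", "dave@contoso.com"),
    _rec("2024-05-01T10:00:00Z", "Add member to group", "success", "admin@contoso.com", service="Core Directory"),
]

def sspr_events(records):
    """Keep only events written by the SSPR service; other audit categories are ignored."""
    return [r for r in records if r.get("loggedByService") == SSPR_SERVICE]

def upn_of(record):
    """Acting user's UPN; SSPR events are initiated by the user handling their own account."""
    return record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")

def outcome_summary(records):
    """Count SSPR events by (activity, result) so registration and reset volumes can be reported."""
    return dict(Counter((r["activityDisplayName"], r["result"]) for r in sspr_events(records)))

def failed_resets_by_user(records):
    """Count failed SSPR events per user principal name."""
    return dict(Counter(upn_of(r) for r in sspr_events(records) if r.get("result") == "failure"))

def users_exceeding(records, threshold=3):
    """Users with at least `threshold` failures: worth a help-desk follow-up, since repeated
    failures can mean stale contact details or someone other than the owner attempting the reset."""
    return sorted(u for u, n in failed_resets_by_user(records).items() if n >= threshold)

if __name__ == "__main__":
    print(outcome_summary(SAMPLE_AUDIT_RECORDS))
    print("repeated failures:", users_exceeding(SAMPLE_AUDIT_RECORDS))
```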
Challenge Tasks (Optional)
Challenge 1: Conditional Access for SSPR Registration
Create a Conditional Access policy that requires users to be on the corporate network OR a compliant device to register for SSPR.
Hint: Target "User actions" → "Register security information"
Challenge 2: Block Weak Passwords
Configure custom banned passwords to prevent users from using company-related terms.
Add these to banned password list:
- contoso
- password
- company name variations
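To see why the list needs the company-name variations and not just the bare word, here is a simplified banned-term check as an added example (not the lab's material and not Microsoft's own normalization or scoring algorithm): it lower-cases the candidate, undoes a few common character substitutions that are assumed for the example, and then looks for any banned term as a substring.

```python
# Constructed list built from the challenge's terms plus two company-name variations.
BANNED_TERMS = ["contoso", "password", "contosoltd", "contosocorp"]

# Substitutions users commonly apply to slip past a banned-word check. This table is an
# assumption for the example; it is not the normalization Entra ID applies.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                               "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(candidate):
    """Lower-case and undo simple character substitutions: 'C0nt0$0!' -> 'contosoi'."""
    return candidate.lower().translate(SUBSTITUTIONS)

def banned_term_in(candidate, banned=BANNED_TERMS):
    """Return the longest banned term found inside the normalized password, or None."""
    normalized = normalize(candidate)
    for term in sorted(banned, key=len, reverse=True):
        if term.lower() in normalized:
            return term
    return None

def is_acceptable(candidate, banned=BANNED_TERMS, min_length=12):
    """Reject short passwords and anything built around a banned term."""
    return len(candidate) >= min_length and banned_term_in(candidate, banned) is None

if __name__ == "__main__":
    for pw in ["C0nt0$0!2024", "MyP@ssw0rd99", "Orange-Kettle-Sunrise"]:
        print(pw, "->", "rejected: " + str(banned_term_in(pw)) if not is_acceptable(pw) else "accepted")
```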
Challenge 3: Combined Registration
Verify that MFA and SSPR registration are combined into a single experience. Test registering a new user for both simultaneously.
Key Concepts to Remember
| Concept | Description |
|---|---|
| Methods Required | Number of verification methods user must complete |
| Registration Enforcement | Forces users to set up SSPR proactively |
| Password Writeback | Syncs cloud password changes to on-premises AD |
| Security Questions | Additional verification method (not recommended as primary) |
| Notifications | Alerts users and admins of password changes |
Common Issues and Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| User not prompted to register | Not in SSPR-enabled group | Add user to pilot group |
| "Password reset is not enabled" | SSPR set to None | Enable for Selected or All |
| Writeback failing | Entra Connect not configured | Enable writeback in Connect |
| User can't reset | Not registered | User must register first |
| Registration not saving | Licensing issue | Verify P1 license assigned |
Clean Up
If this was a test environment:
- Consider keeping SSPR enabled (it's a security best practice!)
- Expand from pilot group to all users
- Remove test security group if no longer needed