
Lab 06: SSPR - Portal Solution

Step-by-step portal walkthrough for all lab tasks


Task 1: Enable SSPR for a Pilot Group

Step 1.1: Create the Pilot Security Group

  1. Go to the Microsoft Entra admin center: https://entra.microsoft.com
  2. Navigate to Identity → Groups → All groups
  3. Click + New group
  4. Configure:
    • Group type: Security
    • Group name: SSPR-Pilot-Users
    • Group description: Users enabled for Self-Service Password Reset pilot
    • Membership type: Assigned
  5. Click No members selected → Add your test users
  6. Click Create

Step 1.2: Enable SSPR for the Pilot Group

  1. Navigate to Protection → Password reset
  2. On the Properties page:
    • Self service password reset enabled: Select Selected
    • Click No groups selected
    • Search for and select SSPR-Pilot-Users
    • Click Select
  3. Click Save

Checkpoint: SSPR is now enabled only for the pilot group members


Task 2: Configure Authentication Methods

  1. Stay in Password reset → Click Authentication methods
  2. Configure:
    • Number of methods required to reset: 2
  3. Under Methods available to users, enable:
    • ✅ Email
    • ✅ Mobile phone (uncheck "Mobile phone (voice call)" if you want SMS only)
    • ✅ Mobile app notification
    • ✅ Mobile app code
    • ✅ Security questions
  4. Click Save

Configure Security Questions

  1. Click Security questions
  2. Set:
    • Number of questions required to register: 5
    • Number of questions required to reset: 3
  3. Click + Add predefined questions → Select 5 generic questions
  4. Click + Add custom questions → Add each:
    • What was your childhood nickname?
    • In what city was your first job?
    • What was your first car?
    • What was the name of your first pet?
    • What is your favorite movie?
  5. Click OK → Save

Checkpoint: Authentication methods and security questions configured


Task 3: Configure Registration Enforcement

  1. In Password reset → Click Registration
  2. Configure:
    • Require users to register when signing in: Yes
    • Number of days before users are asked to re-confirm their authentication information: 180
  3. Click Save

Checkpoint: Users will be forced to register for SSPR


Task 4: Configure Notifications

  1. In Password reset → Click Notifications
  2. Configure:
    • Notify users on password resets: Yes
    • Notify all admins when other admins reset their password: Yes
  3. Click Save

Checkpoint: Notifications are configured for security awareness


Task 5: Enable Password Writeback (Hybrid Only)

Skip this if you don't have on-premises AD synced with Entra Connect

In Entra Portal:

  1. In Password reset → Click On-premises integration
  2. If Entra Connect is configured with writeback:
    • Write back passwords to your on-premises directory: Yes
    • Allow users to unlock accounts without resetting their password: Yes
  3. Click Save

In Entra Connect (on your sync server):

  1. Open Azure AD Connect wizard
  2. Click Configure
  3. Select Customize synchronization options
  4. Check Password writeback
  5. Complete the wizard

Checkpoint: Password changes in cloud will sync to on-premises AD


Task 6: Test SSPR as a User

Step 6.1: Test Registration

  1. Open a new InPrivate/Incognito browser window
  2. Go to https://aka.ms/ssprsetup
  3. Sign in as a pilot test user
  4. You'll be redirected to Security info page
  5. Click + Add sign-in method
  6. Register these methods:
    • Email: Add a personal email address → Verify with code
    • Phone: Add mobile number → Verify with SMS code
    • Authenticator app: Follow setup wizard
    • Security questions: Answer your 5 custom questions

📝 Note: Users must register at least 2 methods (the number configured in Task 2)

Step 6.2: Test Password Reset

  1. Sign out of the test user account
  2. Go to https://aka.ms/sspr
  3. Enter the test user's username
  4. Complete the CAPTCHA
  5. Click Next
  6. Choose verification method (e.g., "Text my mobile phone")
  7. Enter the code received
  8. Choose second verification method (e.g., "Answer my security questions")
  9. Answer 3 of your 5 registered questions
  10. Enter and confirm your new password
  11. Click Finish

Step 6.3: Verify New Password Works

  1. Go to https://portal.azure.com
  2. Sign in with the test user
  3. Use the new password
  4. Verify successful login

Checkpoint: Full SSPR flow tested successfully


Task 7: Review SSPR Activity

View Registration Activity

  1. In the Entra admin center → Protection → Password reset
  2. Click Usage & insights (or Audit logs)
  3. Or navigate to Identity → Monitoring → Audit logs
  4. Filter by:
    • Service: Self-service Password Management
    • Category: Self-service password management
    • Activity: User registered for self-service password reset

View Reset Activity

  1. In Audit logs, filter by:
    • Activity: Self-service password reset flow activity progress
    • Or: Reset password (self-service)
  2. Review entries showing:
    • Who reset their password
    • What methods they used
    • Success or failure

Using the Usage & Insights Report

  1. Navigate to Password reset → Usage & insights
  2. View:
    • Registration: How many users are registered
    • Usage: How many resets occurred
    • Activity: Detailed activity log

Checkpoint: You can monitor SSPR activity for compliance
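The same review can be scripted so it runs on a schedule instead of by hand. This is an added example using the Microsoft Graph PowerShell SDK, not part of the lab; it assumes the Microsoft.Graph module is installed, that you can consent to the listed scopes, and that the pilot group is named SSPR-Pilot-Users as in Task 1 (the 7-day window and the CSV path are my choices).

```powershell
# Added example (not lab code): query the SSPR audit events and registration
# state that Task 7 reviews in the portal, via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "AuditLog.Read.All","GroupMember.Read.All" -NoWelcome

# Look back 7 days (assumption); Graph wants an ISO 8601 UTC timestamp
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Same filter as the portal: Service = Self-service Password Management
$ssprEvents = Get-MgAuditLogDirectoryAudit -All -Filter `
    "loggedByService eq 'Self-service Password Management' and activityDateTime ge $since"

# "View Registration Activity": who registered for SSPR
$registrations = $ssprEvents |
    Where-Object ActivityDisplayName -eq 'User registered for self-service password reset'
"{0} registration events in the window" -f $registrations.Count

# "View Reset Activity": who reset, which step/method, and success or failure
$resets = $ssprEvents |
    Where-Object { $_.ActivityDisplayName -in @(
        'Reset password (self-service)',
        'Self-service password reset flow activity progress') } |
    Select-Object ActivityDateTime,
        @{ n = 'User'; e = { $_.TargetResources[0].UserPrincipalName } },
        ActivityDisplayName,
        Result,          # success / failure
        ResultReason     # which verification step ran, or why it failed

$resets | Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize

# Failed reset attempts are the rows worth a second look; keep them for review
$resets | Where-Object Result -eq 'failure' |
    Export-Csv -Path .\sspr-failures.csv -NoTypeInformation

# Registration coverage of the pilot group (the Usage & insights "Registration" view)
$pilot   = Get-MgGroup -Filter "displayName eq 'SSPR-Pilot-Users'"
$members = Get-MgGroupMember -GroupId $pilot.Id -All
foreach ($m in $members) {
    $d = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
    [pscustomobject]@{
        User           = $d.UserPrincipalName
        SsprRegistered = $d.IsSsprRegistered
        SsprCapable    = $d.IsSsprCapable      # registered enough methods to actually reset
        Methods        = ($d.MethodsRegistered -join ',')
    }
}
```

Users with SsprRegistered = True but SsprCapable = False have not registered the two methods Task 2 requires and will fail at reset time.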


Challenge Solutions

Challenge 1: Conditional Access for SSPR Registration

  1. Go to Protection → Conditional Access
  2. Click + Create new policy
  3. Name: Secure SSPR Registration
  4. Users: All users (exclude emergency access accounts)
  5. Target resources:
    • Click User actions
    • Check Register security information
  6. Conditions:
    • Locations: Configure
      • Include: Any location
      • Exclude: Your corporate IP ranges (create named location first)
  7. Grant:
    • Require device to be marked as compliant
    • OR Require Hybrid Azure AD joined device
  8. Session: Leave default
  9. Enable policy: Report-only first → then On
  10. Click Create
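The same policy can be created with the Microsoft Graph PowerShell SDK, which makes it easy to keep in source control. This is an added example, not part of the lab; it assumes the Microsoft.Graph module is installed, that the emergency access accounts live in a group I call "Emergency Access Accounts", and it creates the corporate named location with a placeholder CIDR (203.0.113.0/24) that you must replace with your own ranges.

```powershell
# Added example (not lab code): build the Challenge 1 policy in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All" -NoWelcome

# Step 6: the named location for corporate IP ranges must exist before the policy
# references it. 203.0.113.0/24 is a placeholder (documentation range); replace it.
$corpNet = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate IP ranges"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Step 4: exclude the break-glass accounts (group name is an assumption)
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"

$policy = @{
    displayName = "Secure SSPR Registration"
    # Step 9: report-only first; switch to "enabled" after reviewing sign-in logs
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        # Step 5: target the "Register security information" user action
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        # Step 6: any location except the corporate ranges
        locations    = @{ includeLocations = @("All"); excludeLocations = @($corpNet.Id) }
    }
    # Step 7: compliant device OR hybrid-joined device
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
    # Step 8: no sessionControls key = session settings left at default
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object DisplayName, State, Id

# Step 9, second half: after the report-only review, enforce the policy
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```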

Challenge 2: Block Weak Passwords

  1. Go to Protection → Authentication methods
  2. Click Password protection
  3. Under Custom banned passwords:
    • Enforce custom list: Yes
    • Custom banned password list: Add one per line:
      contoso
      c0nt0s0
      password
      passw0rd
      yourcompanyname
  4. Click Save

📝 Note: Banned passwords also block common variations (leet speak, etc.)

Challenge 3: Combined Registration

Combined registration has been enabled by default since late 2023. To verify:

  1. Go to Protection → Authentication methods
  2. Click Settings
  3. Verify Manage migration is set to Migration complete or Enabled
  4. Test: a new user signing in will see the unified Security info page for both MFA and SSPR

Summary Checklist

Task                                        | Status
Created SSPR pilot group                    | ☐
Enabled SSPR for pilot group                | ☐
Configured 2 methods required               | ☐
Enabled multiple auth methods               | ☐
Added custom security questions             | ☐
Configured registration enforcement         | ☐
Configured notifications                    | ☐
Configured password writeback (if applicable) | ☐
Tested registration as user                 | ☐
Tested password reset as user               | ☐
Reviewed SSPR audit logs                    | ☐

Released under the MIT License.