Implementing Azure AD self-service password reset (SSPR)_Microsoft 365 Security Administration：MS-500 Exam Guide-QQ阅读男生玄幻网

书名：Microsoft 365 Security Administration：MS-500 Exam Guide
作者名：Peter Rising
本章字数：948字
更新时间：2021-06-18 18:57:28

Implementing Azure AD self-service password reset (SSPR)

One of the common challenges faced by IT administrators is responding to user requests to reset forgotten passwords. This issue is addressed in Azure AD by self-service password reset (SSPR).

SSPR allows Azure AD users to reset their own passwords without the need to contact their IT department. In order to use this feature, users must complete a registration process, during which they will need to choose one or more authentication methods that have been set up by administrators in Azure AD.

When planning for SSPR, you need to consider the different types of user identities within your Microsoft 365 tenant and how SSPR will behave when users wish to reset their own passwords. These are as follows:

In-cloud only users
Hybrid identity users

Both user types can register for and use SSPR, but the experience and license requirements will differ. In-cloud user passwords are stored within Azure AD, whereas hybrid identity users will need to be enabled for password writeback, which is a feature of Azure AD Premium P1 licensing. With password writeback, users will use SSPR to reset their password, where it is then written back to on-premises Active Directory.

Setting up SSPR

So, how do we set this up? The first step, as an administrator, is to enable the feature in Azure AD and to set up the available user authentication methods. To do this, follow these steps:

From the Azure portal, select Azure Active Directory, then Users, and finally Password reset.
Here, we have the option to activate SSPR for selected users or groups, or for all users within the tenant:

Figure 2.16 – Password reset-Properties
Next, we set up the Authentication methods. I recommend requiring two methods to perform the password reset. There are six methods available in total, as shown in the following screenshot:

Figure 2.17 – Password reset-Authentication methods
Next, we can configure the user Registration options. This setting will determine whether users must register for SSPR the next time they sign in, as well as the number of days before the user must reconfirm their authentication information:

Figure 2.18 – Password reset-Registration
It is also possible to set notifications to alert users when their password is reset, and also alert admins when another admin resets their password:

Figure 2.19 – Password reset-Notifications
There is also the option to enable a custom helpdesk link or email address for users who may be struggling with this feature:

Figure 2.20 – Password reset-Customization
Finally, configure the on-premises integration. If the password writeback feature is not enabled in your Azure AD Connect configuration, you will need to rerun the AADC setup wizard with a custom installation and ensure that the setting is selected:

Figure 2.21 – Password reset-On-premises integration
The Password writeback option can be enabled from the Optional features section of the AADC setup wizard:

Figure 2.22 – Optional features

Now that we have finished setting up SSPR, let's take a look at how users can register for the feature.

Registering for SSPR

Users can complete the registration process for SSPR by accessing the following URL: https://aka.ms/ssprsetup/

The user will be prompted to provide their user ID and will be taken to the following page. Before continuing, they will be prompted to re-enter their current password:

Figure 2.23 – Confirm your current password

Next, they will be prompted to enter authentication responses based on how their Microsoft 365 administrator has set up SSPR. In the following example, the user must register an authentication phone number, along with an authentication email address:

Figure 2.24 – Don't lose access to your account!

Finally, the user will click finish and the registration process will be complete.

Using SSPR to reset passwords

Now that the user has registered for SSPR, it is ready to be used when needed. If they need to reset their password, they can do so by going to https://aka.ms/sspr/ and completing the following steps:

Enter your User ID and complete the CAPTCHA, and then click Next:

Figure 2.25 – Get back into your account
Based on the number of authentication challenges defined in the registration process, the user now needs to enter their authentication email and mobile phone details in turn:

Figure 2.26 – Get back into your account
Once they have completed the two-step authentication, they are now able to enter a new password for their account:

Figure 2.27 – Get back into your account
Once completed, they will see the following message:

Figure 2.28 – Password reset message
The registration process is now complete.

Combined registration for SSPR and MFA

If you are planning to deploy both SSPR and MFA within your Microsoft 365 environment, it is worth considering configuring User feature previews, which can be found in the Azure portal under Azure Active Directory | Users | User settings:

Figure 2.29 – User settings

Once you click on User settings, you will see the option for User feature previews:

Figure 2.30 – Manage user feature preview settings

When this feature is enabled, there is a single registration process for both SSPR and MFA for all users. This provides ease of administration and helps minimize user confusion. However, it is important to point out that, at the time of writing this book, the feature is still in preview.

Important note

When planning your SSPR rollout, ensure that you test it with a pilot group first. You can do this by activating SSPR for specific users, or preferably groups. Test thoroughly and diligently, and when you are ready to deploy SSPR to all your users, ensure that you communicate effectively with your users and inform them that the feature will soon be available to them.