How to Enable Self-Service Password Reset (SSPR) in Microsoft 365 Print

Overview

Self-Service Password Reset (SSPR) allows users to reset their own Microsoft 365 passwords without contacting an administrator. This guide covers enabling and configuring SSPR from the Microsoft 365 and Azure Active Directory admin portals.

Prerequisites

• Microsoft 365 Global Administrator or Authentication Policy Administrator access
• Microsoft 365 Business Premium, or an Azure AD P1/P2 license (required for SSPR on specific groups)

Step 1 - Access the Azure Active Directory Portal

1. Log in to the Microsoft 365 Admin Center at admin.microsoft.com
2. In the left-hand menu, expand Admin Centers
3. Click Azure Active Directory

Step 2 - Navigate to SSPR Settings

1. In the Azure AD portal, select Azure Active Directory from the left-hand menu
2. Scroll down and click Password Reset

Step 3 - Enable SSPR

1. Under the Properties tab, locate the Self Service Password Reset Enabled setting
2. Select one of the following options:
   • None - SSPR is disabled for all users
   • Selected - SSPR is enabled for a specific group only (recommended for phased rollouts)
   • All - SSPR is enabled for all users in the tenant
3. If you selected Selected, click the group selector and choose the target group
4. Click Save

Step 4 - Configure Authentication Methods

1. Click the Authentication Methods tab
2. Set the Number of methods required to reset to 1 or 2 depending on your security requirements
3. Enable the desired verification methods:
   • Mobile app notification
   • Mobile app code
   • Email
   • Mobile phone
   • Office phone
   • Security questions (not recommended for high-security environments)
4. Click Save

Step 5 - Configure Registration Settings

1. Click the Registration tab
2. Set Require users to register when signing in to Yes to prompt users to set up their authentication methods on next login
3. Set the Number of days before users are asked to re-confirm their authentication information (180 days is a common standard)
4. Click Save

Step 6 - Configure Notifications (Optional)

1. Click the Notifications tab
2. Set Notify users on password resets to Yes
3. Set Notify all admins when other admins reset their password to Yes
4. Click Save

Step 7 - Verify SSPR is Working

1. Open a private/incognito browser window
2. Go to aka.ms/sspr
3. Enter a test user's email address and complete the reset flow to confirm it is functioning correctly

Notes

• Users must register their authentication methods before they can use SSPR - this happens automatically on next sign-in if registration is enforced in Step 5
• SSPR writeback to on-premises Active Directory requires Azure AD P1/P2 and the AD Connect writeback feature to be enabled
• Security questions are not recommended for business environments due to their lower security profile
• The SSPR portal for end users is always available at aka.ms/sspr