Office 365 self-service password reset license requirements
SSPR is the Self-Service Password Reset portal for Office 365 users. It lets users reset their passwords and unblock their accounts without reaching the IT team, which helps to increase productivity.
In the past, in a closed on-premises environment, users whose accounts were locked had to reach their IT team to unlock them. That is a time-consuming process, and users sitting outside the corporate network and not connected to the VPN could not change or reset their passwords. This has always been a big challenge for the IT team. To overcome this issue, the IT team would have to set up an internet-facing password reset portal for end users, which again brings multiple challenges.
Why do we need SSPR?
SSPR is an Azure-based portal solution. It is easy to set up, and users can reset their passwords without any issues or reaching the support teams.
Prerequisites for the SSPR?
License Requirement
Azure AD Basic, Premium P1 or P2, or Microsoft 365 Business.
Hybrid Environment Requirements
Things to know before enabling SSPR?
Changing/Resetting passwords of administrators
Security Concerns?
Supported writeback operations
Passwords are written back in all the following situations:
Unsupported writeback operations
Passwords are not written back in any of the following situations:
Must Not DO?
Pre-Register Authentication Data for SSPR
Before we begin to enable SSPR, we need to consider setting up a few mandatory requirements for SSPR.
Authentication methods
Log in to https://Portal.azure.com -> Azure Active Directory -> Users -> Password reset -> Authentication methods
Select the number of methods required to reset
Methods available to users
Number of questions required to register
Number of questions required to reset
Select the 5 security questions
Select predefined questions or create custom questions based on the organization's recommendations
Registration
Log in to https://Portal.azure.com -> Azure Active Directory -> Users -> Password reset -> Registration
This setting makes users reconfirm their authentication information; select anything between 90-180 days.
Notifications
Log in to https://Portal.azure.com -> Azure Active Directory -> Notifications
Notify users on password resets: Yes, to inform users when they reset their passwords.
Notify all admins when other admins reset their password: Yes, to inform all admins when another administrator resets their password.
Customization
Log in to https://Portal.azure.com -> Azure Active Directory -> Users -> Password reset -> Customization
Set the helpdesk support URL that users can turn to in case of any issues.
On-premises integration
Log in to https://Portal.azure.com -> Azure Active Directory -> Users -> Password reset -> On-Premises integration
Enabling SSPR for Pilot Users
It is always good to test with a small set of people before enabling SSPR for all users. It helps us validate each option carefully.
Once the security group is created and the pilot users are added, log in to https://Portal.azure.com -> Azure Active Directory -> Users -> Password reset -> Properties, select Selected, and select the group created.
Testing SSPR
Registering for SSPR
Now the user has successfully completed the SSPR setup.
Resetting Password Using SSPR
To reset the password, log in to https://aka.ms/sspr or https://passwordreset.microsoftonline.com/
Enter the user ID and the characters displayed to begin the password reset.
The user has to verify two options to reset the password; it is up to the user to select any two of the options allowed by administrators.
Once the user has verified 2 options, the user can enter a new password. It is validated against the password policies defined at tenant level.
The user will get a notification.
How to Successfully deploy SSPR
Communications plan
Sample Mailer,
Testing plan
To ensure that your deployment works as expected, you should plan out a set of test cases you will use to validate the implementation. The following table includes some useful test scenarios you can use to document your organization's expected results based on your policies.
For more details: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment#testing-plan
Implementation
Implementation occurs in three stages:
Communicate the change
Begin implementation of the communications plan that you developed in the planning phase.
Ensure groups are created and populated
Reference the Planning password authentication methods section and ensure the group(s) for the pilot or production implementation are available, and all appropriate users are added to the groups.
Apply licenses
The groups you are going to implement must have the Azure AD premium license assigned to them. You can assign licenses directly to the group, or you can use existing license policies such as through PowerShell or Group-Based Licensing.
Configure SSPR
For more details from Microsoft on SSPR: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment#configure-sspr
What license is required for SSPR?
If you are planning SSPR for cloud users, you will need an Azure AD Basic, Premium P1 or P2, or a Microsoft 365 Business subscription. If you are synchronizing your users from your on-premises Active Directory, you will need an Azure AD Premium P1 or P2 or a Microsoft 365 Business subscription.
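
One way to check a pilot group against the license rules above before enabling SSPR, as an added example that is not from the original article or from Microsoft's documentation. It uses the Microsoft Graph PowerShell module; the group name and the service plan names are assumptions to confirm in your own tenant.

```powershell
# Added example: audit SSPR pilot group members against the license rules above.
param(
    [string]$PilotGroupName = 'SSPR-Pilot'   # hypothetical group name
)

# Service plan names as listed by Get-MgSubscribedSku (assumed values; confirm them
# in your tenant and add the plan carried by your Microsoft 365 Business SKU).
$CloudPlans  = 'AAD_BASIC', 'AAD_PREMIUM', 'AAD_PREMIUM_P2'   # cloud-only users
$SyncedPlans = 'AAD_PREMIUM', 'AAD_PREMIUM_P2'                # users synced from on-premises AD

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All' | Out-Null

$group = @(Get-MgGroup -Filter "displayName eq '$PilotGroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$PilotGroupName', found $($group.Count)."
}

$report = foreach ($member in Get-MgGroupMember -GroupId $group[0].Id -All) {
    # Groups can contain devices or nested groups; only users need a license.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id -Property 'id,userPrincipalName,onPremisesSyncEnabled'

    # Names of the service plans that are actually provisioned for this user.
    $plans = @(Get-MgUserLicenseDetail -UserId $user.Id |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ProvisioningStatus -eq 'Success' } |
        ForEach-Object { $_.ServicePlanName })

    # Synced users need P1/P2; cloud-only users may also qualify through Basic.
    $synced   = [bool]$user.OnPremisesSyncEnabled
    $required = if ($synced) { $SyncedPlans } else { $CloudPlans }
    $match    = @($plans | Where-Object { $_ -in $required })

    [pscustomobject]@{
        User     = $user.UserPrincipalName
        Synced   = $synced
        Licensed = $match.Count -gt 0
        Plans    = $match -join ','
    }
}

$report | Sort-Object Licensed, User | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Licensed })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) pilot user(s) have no qualifying license for SSPR."
}
```

Users reported with Synced = True and Licensed = False are the ones who would register for SSPR but could not have a reset written back under the license rule above.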
Is self
Basic SSPR features are available in Microsoft 365 Business Standard or higher and all Azure AD Premium SKUs at no cost.
What is the minimum Azure AD license required to implement self
A working Azure AD tenant with at least an Azure AD free or trial license enabled. In the Free tier, SSPR only works for cloud users in Azure AD. Password change is supported in the Free tier, but password reset is not.
What users can use self
Admin accounts are enabled for SSPR by default, and they have to use 2 authentication methods to be able to reset their password. So, the policy for administrators can be different from the one defined for your end users. Administrators cannot use security questions as an authentication factor.