Self-Service Password Reset (SSPR) is a core identity feature of Azure Active Directory that lets users reset their own passwords without administrator intervention. This chapter covers SSPR architecture, configuration requirements, authentication methods, and integration with on-premises environments, all key topics for the AZ-104 exam. Roughly 10-15% of the 'Manage Identities and Governance' domain (Objective 1.1) involves SSPR, and questions often test licensing, the number of required methods, and writeback requirements.
Imagine a large office building where every employee has a personal locker but sometimes forgets the combination. The building has a self-service kiosk at the entrance. To reset a locker combination, the employee first types in their employee number and passes a quick 'prove you are a person' check, the way the SSPR portal asks for a user ID and a CAPTCHA. The kiosk then lists the verification methods that employee enrolled in advance, such as a mobile number or a personal email. The employee selects 'send SMS', the kiosk sends a one-time code to that phone, and the employee types it in (the first gate). If building policy demands two gates, a second enrolled method must be proven as well, for example a code sent to the personal email. Only after every gate is passed does the kiosk allow a new combination to be set. The kiosk logs every attempt with timestamps and outcome. If the employee tries to use a method not previously registered (e.g., a new phone number), the kiosk rejects the request. Even someone who steals the employee's badge cannot reset the locker without also possessing the registered phone. This mirrors SSPR: the user identifies the account, proves possession of verification methods that were registered before the reset was needed, and only then may the password be changed.
What is SSPR and Why It Exists
Self-Service Password Reset (SSPR) is an Azure Active Directory (Azure AD) feature that enables end users to reset their forgotten passwords or unlock their accounts without contacting a helpdesk. From an administrative perspective, it reduces support costs, improves user productivity, and protects the reset path by requiring the user to verify with one or two pre-registered authentication methods (the SSPR 'gates'; this is a separate mechanism from Azure AD Multi-Factor Authentication, even though the same phone or Authenticator app can serve both). SSPR is configured under the 'Password reset' blade in the Azure portal (Azure Active Directory > Password reset).
The exam expects you to understand that SSPR is a licensed feature, not a standalone product: every user who resets a password through SSPR needs Azure AD Premium P1 or P2 (Microsoft 365 Business Premium includes P1). The Free tier lets cloud-only users change a password they still know, but does not provide self-service reset of a forgotten password, and it has no writeback. For on-premises (synced) users to reset their passwords via SSPR, you must also deploy Azure AD Connect with password writeback enabled.
How SSPR Works Internally
When a user initiates a password reset, the following sequence occurs:
User navigates to the SSPR portal – The user goes to https://passwordreset.microsoftonline.com or clicks 'Can't access your account?' on a Microsoft sign-in page.
User enters their User ID – The portal identifies the user's tenant and checks if SSPR is enabled for that user.
CAPTCHA challenge – A CAPTCHA is presented to prevent automated attacks.
Authentication gate 1: User verification – The user must answer security questions or provide a one-time passcode sent to a registered method (e.g., email, phone). The number of gates (1 or 2) is configurable.
Authentication gate 2 (if configured) – A second method is required (e.g., mobile phone call + office phone call).
Password reset – After passing all gates, the user can set a new password that meets the tenant's password policy.
Password writeback (if enabled) – For hybrid users, the new password is written back to on-premises Active Directory via Azure AD Connect.
The entire process is logged in the Azure AD Audit logs, and administrators can monitor usage via the 'Password reset' reports.
Key Components, Values, Defaults, and Timers
Licensing: SSPR requires Azure AD Premium P1 or P2 (or Microsoft 365 Business Premium, which includes P1) for every user who will use it. The Free tier only lets cloud-only users change a known password; it does not offer self-service reset or writeback.
Authentication methods:
Mobile phone (SMS or voice call)
Office phone (voice call)
Email (OTP sent to alternate email)
Security questions (predefined or custom; 'questions required to register' and 'questions required to reset' are each set between 3 and 5, and the reset count cannot exceed the register count; not available to administrator accounts)
App notification or code (Microsoft Authenticator)
Not an SSPR method: FIDO2 security keys and Windows Hello for Business are sign-in methods only; they cannot be used to pass an SSPR gate.
Number of methods required: 'Number of methods required to reset' is 1 (the default) or 2. Users must register at least as many methods as this setting demands (the registration page asks for 'at least N of the options below'); registering more than the minimum is recommended so that a lost phone does not lock the user out of SSPR. Administrator role holders are always held to two methods regardless of this setting.
Throttling: the reset portal throttles repeated failed verification attempts and blocks the user from further SSPR attempts for a period the administrator cannot tune (Microsoft documents it as a 24-hour block). This is enforced by the SSPR service and is separate from on-premises account lockout.
Registration: Users pre-register methods at https://aka.ms/ssprsetup (which now lands on the combined security information page, https://aka.ms/mysecurityinfo). Administrators can also pre-populate phone and email methods through the Microsoft Graph authentication methods API or PowerShell.
Notifications: Administrators can configure notifications to be sent when a password is reset (to the user and/or to admins).
Customization: The SSPR page can be branded with company logo and custom helpdesk link.
Configuration and Verification
To enable SSPR for a group of users:
In Azure portal, go to 'Azure Active Directory' > 'Password reset'.
Select 'All' or 'Selected' for 'Self-service password reset enabled'.
Choose authentication methods and number of gates.
Configure notifications and customization.
For hybrid environments, enable password writeback:
In Azure AD Connect, select 'Customize synchronization options'.
Check 'Password writeback' under 'Optional features'.
Complete the wizard. Writeback runs as the AD DS connector account (the on-premises account the AD connector signs in with, not the local ADSync service account). That account needs 'Reset password', 'Write lockoutTime' and 'Write pwdLastSet' on user objects. Express settings grant these to the auto-created MSOL_ account; a custom connector account must be granted them manually (for example with Set-ADSyncPasswordWritebackPermissions from the ADSyncConfig module shipped with Azure AD Connect).
Verification commands:
To check writeback status on the Azure AD Connect server: Get-ADSyncAADPasswordResetConfiguration -Connector '<tenant>.onmicrosoft.com - AAD' (the output shows Enabled : True when writeback is on)
To force a directory sync (useful after changing sync options; writeback itself is synchronous and does not wait for a cycle): Start-ADSyncSyncCycle -PolicyType Delta
To test SSPR as a user: navigate to https://passwordreset.microsoftonline.com and attempt a reset.
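The script below is an added worked example (not code from the original page or from Microsoft) that runs on the Azure AD Connect server and checks the three things that usually break writeback: whether the feature is enabled on the Azure AD connector, whether the AD DS connector account actually holds the 'Reset Password' right on the domain, and whether the writeback component has logged errors recently. It assumes the ADSync module (installed with Azure AD Connect) and the ActiveDirectory RSAT module are present, that the session is elevated, and that the domain to check is the one the server is joined to.

```powershell
# Added example, not the page's own code: verify password writeback on the Azure AD Connect server.
# Assumes the ADSync and ActiveDirectory PowerShell modules are installed locally and that this
# runs in an elevated session on the Azure AD Connect server.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Locate the Azure AD connector ("<tenant>.onmicrosoft.com - AAD") and the on-premises AD connector.
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
$adConnector  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1

# 2. Is writeback switched on? Expect "Enabled : True". If not, enable it through the wizard or with
#    Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $true
'--- Password writeback configuration ---'
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name | Format-List

# 3. Which on-premises account does the AD connector use? That account (not the local ADSync
#    service account) needs Reset Password, Write lockoutTime and Write pwdLastSet on user objects.
$account = $adConnector.ConnectivityParameters['forest-login-user'].Value
$domain  = $adConnector.ConnectivityParameters['forest-login-domain'].Value
"AD DS connector account: $domain\$account"

# 4. Look for an Allow ACE granting the "Reset Password" extended right (well-known rights GUID
#    00299570-246d-11d0-a768-00aa006e0529) to that account at the domain root.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$domainDN = (Get-ADDomain).DistinguishedName
$aces = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
    $_.IdentityReference -like "*\$account" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $resetPasswordRight
}
if ($aces) {
    "Reset Password right present for $account on $domainDN"
} else {
    "MISSING: $account has no Reset Password right at $domainDN (check the user OUs if permissions were delegated lower)."
    "Grant it with Set-ADSyncPasswordWritebackPermissions (ADSyncConfig module) or with dsacls, e.g.:"
    "  dsacls `"$domainDN`" /I:S /G `"$domain\${account}:CA;Reset Password;user`""
}

# 5. Any writeback errors in the last 24 hours? The writeback component logs to the Application log
#    under the PasswordResetService source; Level 2 is Error.
$errors = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'PasswordResetService'
    Level        = 2
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
if ($errors) {
    $errors | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
} else {
    'No PasswordResetService errors in the last 24 hours.'
}
```

Step 4 checks the domain root because that is where Express settings place the permissions; if your organization delegated them on specific OUs instead, point Get-Acl at those OUs. A clean result here plus a successful reset at https://passwordreset.microsoftonline.com with a test hybrid account is the end-to-end proof the exam scenarios assume.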
Interaction with Related Technologies
Azure AD Identity Protection: a user risk policy set to 'require password change' forces a secure password change through SSPR. The user must therefore be registered for SSPR, and hybrid users need password writeback, or the remediation cannot complete.
Conditional Access: the reset portal is anonymous until the gates are passed, so Conditional Access cannot gate a reset. What it can protect is registration: target the 'Register security information' user action to require, for example, MFA or a trusted location before a user enrolls SSPR methods. Without that, an attacker holding a stolen password could enroll their own phone and then 'reset' the account at will.
Azure AD Connect: Password writeback is the bridge between SSPR and on-premises AD. Without it, synced users cannot use SSPR to reset an on-premises password; a cloud-only change would be overwritten by the next password hash sync and leave the two passwords out of step.
Microsoft Graph API: per-user registered methods and the tenant authentication methods policy are manageable through the v1.0 Graph endpoints; the SSPR-specific policy settings are exposed on the beta endpoint.
Exam Traps
MFA vs. SSPR: Azure AD MFA and the SSPR gates are separate features with separate policies, even though the same methods (Authenticator, phone) serve both and users enroll them on the combined security information registration page. SSPR does not 'require MFA'; it requires its own one or two verification methods, and Conditional Access applies to registration, not to the reset portal.
License requirement: All users using SSPR must have a license (Premium P1/P2). The tenant itself does not need to be Premium; only the users.
Writeback permissions: the AD DS connector account (the on-premises account Azure AD Connect uses for the AD connector) needs 'Reset password', 'Write lockoutTime' and 'Write pwdLastSet' on user objects. Express settings grant these automatically; if you switch to a custom account, you must grant them again.
Security questions: answers are stored hashed and administrators cannot read them, but answers are often guessable or discoverable, so Microsoft recommends against them for sensitive accounts and does not allow them for administrator accounts at all. The exam may ask about the configurable counts: both 'questions required to register' and 'questions required to reset' are set between 3 and 5, and the reset count cannot exceed the register count.
Step-by-Step SSPR Flow
User initiates reset – User clicks 'Forgot password' on a Microsoft login page or navigates to the SSPR portal. The portal checks the tenant's SSPR policy.
User enters user ID – The portal identifies the user's domain and determines if SSPR is enabled. If not enabled, the user sees a message to contact the admin.
CAPTCHA verification – A CAPTCHA is presented to prevent bot attacks. The user must complete it successfully.
Authentication gate 1 – The user is prompted to provide one of the registered authentication methods (e.g., send SMS to mobile phone). The portal sends a one-time passcode (OTP) via the chosen method.
User enters OTP – The user enters the received OTP and the portal validates it. A wrong code can be retried, but repeated failures are throttled and eventually block further SSPR attempts for that user.
Authentication gate 2 (if required) – If the policy requires two methods, the user must complete a second method (e.g., answer security questions).
Password reset – After successful verification, the user can enter a new password. The portal checks complexity requirements (length, character types, not in banned password list).
Writeback (if enabled) – For hybrid users, the new password is sent to Azure AD Connect, which writes it to on-premises AD. The writeback is synchronous from the user's perspective; the password is updated in both directories.
Confirmation – The user sees a success message and can sign in with the new password. An email notification may be sent to the user and/or admin.
User Initiates SSPR
The user navigates to https://passwordreset.microsoftonline.com or clicks 'Can't access your account?' on a Microsoft sign-in page, completes a CAPTCHA to defeat automated attacks, and enters the user ID. The portal resolves the tenant from the user ID's domain and evaluates that tenant's SSPR policy. If SSPR is not enabled for the user (not licensed, not in the enabled group, or a synced user in a tenant without writeback), the portal displays a message to contact the administrator.
User Enters User ID
The user enters their User Principal Name (UPN) or email. The portal looks up the user in Azure AD and retrieves their registered authentication methods and the tenant's SSPR configuration. If the user is not found or SSPR is disabled for them, the process stops. The portal also checks whether the identity is managed (password hash sync or pass-through authentication) or federated (AD FS); in all three cases a reset for a synced user relies on password writeback, and SSPR does not hand the user off to an on-premises reset page.
Authentication Gate 1
The user must prove identity using a pre-registered method. Common methods include: mobile phone (SMS or voice call), office phone (voice call), alternate email (OTP), or Microsoft Authenticator app notification/code. The portal sends a one-time passcode (OTP) via the selected method. The user must enter the OTP correctly. Repeated failures are throttled by the service and block the user from further SSPR attempts for a period the administrator cannot tune.
Authentication Gate 2 (Optional)
If the administrator configured SSPR to require two authentication methods, the user must complete a second gate after the first. This could be a different method (e.g., after SMS, answer security questions). The same lockout logic applies. Two gates provide stronger security, especially for privileged accounts. The exam often tests that you can configure 1 or 2 gates, and that the default is 1.
Password Reset and Writeback
After passing all gates, the user can enter a new password. The portal validates it against the tenant's password policy (length, complexity, banned passwords). If password writeback is enabled via Azure AD Connect, the new password is synchronously written to on-premises AD. The Azure AD Connect service uses the 'Reset password' permission on the user object. If writeback fails (e.g., network issue), the user gets an error and must retry. A success notification is displayed, and the user can sign in immediately.
In a large enterprise, SSPR removes a large share of the helpdesk's password tickets. For example, a global company with offices in multiple time zones deploys SSPR for all users licensed with Azure AD Premium P1. They configure two authentication methods required for reset: mobile phone (SMS) and security questions. Users are forced to register during their next sign-in via the 'Registration' policy. The company also enables password writeback for all on-premises synced users, requiring Azure AD Connect on a domain-joined server with the AD DS connector account granted 'Reset password' permissions in each domain.
Another scenario: a healthcare provider uses SSPR with a Conditional Access policy on the 'Register security information' user action, requiring MFA when users enroll methods from untrusted networks so that a stolen password alone cannot be used to plant an attacker's phone number. They also integrate with Azure AD Identity Protection to force a password change for users with high risk scores. They use Microsoft Authenticator as the primary method and office phone as secondary. They set notifications to alert the security team when a reset occurs for privileged accounts (e.g., Global Administrators).
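The following is an added example (not the page's or Microsoft's code) of how the security team in that scenario could pull self-service resets out of the Azure AD audit log with the Microsoft Graph PowerShell SDK and flag the ones performed on accounts holding an activated directory role. It assumes the Microsoft.Graph modules are installed and that the caller can consent to AuditLog.Read.All and RoleManagement.Read.Directory; the filter values are the service and activity names Azure AD records for SSPR.

```powershell
# Added example, not the page's own code: list self-service resets from the last 7 days and mark
# those on privileged accounts. Assumes the Microsoft.Graph PowerShell SDK is installed.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'RoleManagement.Read.Directory'

function Get-PrivilegedUserIds {
    # Collect the object IDs of every member of every activated directory role
    # (Global Administrator, User Administrator, Password Administrator, ...).
    $ids = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($role in Get-MgDirectoryRole -All) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            [void]$ids.Add($member.Id)
        }
    }
    return $ids
}

function Get-SsprResetEvents {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-dd\THH:mm:ss\Z')
    # 'Reset password (self-service)' is logged by the Self-service Password Management service;
    # 'Unlock user account (self-service)' is the sibling activity for unlocks.
    $filter = "loggedByService eq 'Self-service Password Management' and " +
              "activityDisplayName eq 'Reset password (self-service)' and " +
              "activityDateTime ge $since"
    Get-MgAuditLogDirectoryAudit -Filter $filter -All
}

$privileged = Get-PrivilegedUserIds
Get-SsprResetEvents -Days 7 | ForEach-Object {
    $target = $_.TargetResources | Select-Object -First 1
    [pscustomobject]@{
        When       = $_.ActivityDateTime
        Target     = $target.UserPrincipalName
        Result     = $_.Result
        Reason     = $_.ResultReason
        Privileged = $privileged.Contains($target.Id)
        # SSPR is anonymous until the gates pass, so the initiator is the account being reset;
        # the source IP is still worth keeping for investigations.
        SourceIP   = $_.InitiatedBy.User.IPAddress
    }
} | Sort-Object -Property Privileged, When -Descending | Format-Table -AutoSize
```

Run it on a schedule and alert on any row where Privileged is True, or where the same target shows several failures before a success, which is what a guessed security-question answer looks like in the log.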
Common misconfigurations: forgetting to assign licenses to all users (only some can use SSPR), not enabling writeback for hybrid users (synced users cannot complete a reset, and a cloud-only change would be overwritten by the next password hash sync), and enabling fewer methods than the number required to reset (the policy cannot demand two methods when only one is enabled). Performance: SSPR is a cloud service with no on-premises infrastructure except Azure AD Connect for writeback. Writeback is synchronous and normally completes within seconds; it does not wait for a sync cycle. Throttling is tracked per user. Capacity is a property of the service, not something the tenant provisions.
When misconfigured, the most common problem is that users cannot reset because they never registered methods. Administrators must either force registration via policy or pre-populate methods through Microsoft Graph or PowerShell. Another issue: if the AD DS connector account lacks permissions, or the writeback component on the Azure AD Connect server is stopped, the reset fails and the user is told to contact the administrator; the cloud password is not changed on its own. Check the Application event log on the Azure AD Connect server (PasswordResetService source) and Azure AD Connect Health.
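The script below is an added example (not code from the page or from Microsoft) that audits exactly the failure modes just described: for every user in the group scoped to SSPR it reports whether a Premium license is present, whether the user is in SSPR scope, whether the user is a hybrid (synced) account, and whether enough methods are registered to satisfy the reset policy. It uses the Microsoft Graph PowerShell SDK and the user registration details report; the group object ID and the 'methods required to reset' value are placeholders you replace with your tenant's values.

```powershell
# Added example, not the page's own code: SSPR readiness audit for the SSPR-scoped group.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller can consent to the scopes.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$ssprGroupId     = '00000000-0000-0000-0000-000000000000'   # assumed: object ID of the 'Selected' SSPR group
$requiredMethods = 2                                        # assumed: tenant's 'Number of methods required to reset'

function Get-SsprReadiness {
    param([string]$GroupId, [int]$MethodsRequired)

    # Group membership may contain nested groups or devices; only user objects can register for SSPR.
    $members = Get-MgGroupMember -GroupId $GroupId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

    foreach ($m in $members) {
        $user = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled

        # Licensing: SSPR needs Azure AD Premium P1 (service plan AAD_PREMIUM) or P2 (AAD_PREMIUM_P2).
        $plans = (Get-MgUserLicenseDetail -UserId $m.Id).ServicePlans |
            Where-Object { $_.ProvisioningStatus -eq 'Success' }
        $licensed = [bool]($plans.ServicePlanName -match '^AAD_PREMIUM')

        # Registration state from the authentication methods registration report.
        $reg     = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
        $methods = @($reg.MethodsRegistered)

        $problem = if (-not $licensed)            { 'no Premium license' }
                   elseif (-not $reg.IsSsprEnabled) { 'not in SSPR scope' }
                   elseif ($methods.Count -lt $MethodsRequired) { "only $($methods.Count) of $MethodsRequired methods registered" }
                   else                             { '' }

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Hybrid            = [bool]$user.OnPremisesSyncEnabled   # hybrid users also need writeback
            Licensed          = $licensed
            SsprEnabled       = $reg.IsSsprEnabled                  # policy scope applies to this user
            SsprRegistered    = $reg.IsSsprRegistered               # enough methods for the policy
            SsprCapable       = $reg.IsSsprCapable                  # enabled and registered
            Methods           = ($methods -join ', ')
            Problem           = $problem
        }
    }
}

Get-SsprReadiness -GroupId $ssprGroupId -MethodsRequired $requiredMethods |
    Where-Object { $_.Problem } |
    Sort-Object Problem, UserPrincipalName |
    Format-Table UserPrincipalName, Hybrid, Licensed, Methods, Problem -AutoSize
```

Users that show up as hybrid with no problem listed are still only ready if writeback is enabled on the Azure AD Connect side; this audit covers the cloud half of the dependency.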
The AZ-104 exam tests SSPR under Objective 1.1 'Manage identities and governance in Azure AD'. Specific sub-objectives include: configure self-service password reset (SSPR), configure authentication methods for SSPR, and implement password writeback. Expect 2-4 questions on SSPR.
Common wrong answers: 1. 'SSPR requires Azure AD Premium P2' – Wrong, P1 or P2 is sufficient. 2. 'Password writeback is automatic with Azure AD Connect' – Wrong, it must be explicitly enabled during setup or via the wizard. 3. 'Registration always requires 2 methods' – Wrong, users must register at least the number of methods the reset policy requires (1 by default, 2 if configured); the registration page asks for exactly that minimum. 4. 'Synced or federated users can use SSPR without any extra configuration' – Wrong, any user synced from on-premises (password hash sync, pass-through authentication or AD FS) needs password writeback enabled on Azure AD Connect.
Key numbers:
Minimum methods for registration: as many as the reset policy requires (1 or 2)
Minimum methods for reset: 1 (default) or 2 (configurable); administrators are always held to 2
Throttling: repeated failed attempts block the user from SSPR for a period the admin cannot tune (documented as 24 hours)
Security questions: 3 to 5 required to register, 3 to 5 required to reset, reset count not greater than register count
License: Azure AD Premium P1 or P2 per user
Edge cases:
If a user has only one registered method and the policy requires two gates, the user cannot reset. The portal will show an error.
Guest (B2B) users whose identity belongs to another Azure AD tenant reset their password in their home tenant; the resource tenant's SSPR applies only to guest accounts that authenticate locally in that tenant, and those fall under the resource tenant's licensing.
Password writeback needs a currently supported build of Azure AD Connect; Microsoft retires old builds, so an outdated server is a real cause of writeback failures.
SSPR can be enabled for 'None', 'All' users, or one 'Selected' Azure AD group (nested groups are not supported). Administrator role holders can always use SSPR and are always held to two methods, regardless of this setting.
How to eliminate wrong answers:
If the question mentions 'on-premises password change' and 'Azure AD Connect', look for 'password writeback' in the options.
If the question asks about the minimum number of methods for registration, the answer matches the 'Number of methods required to reset' setting (1 by default, 2 if configured), not a fixed 2.
If the question involves federated (AD FS) users, remember that SSPR works for them exactly as for other synced users once password writeback is enabled; there is no hand-off to AD FS.
Always check licensing: if a user needs SSPR, they need a Premium license.
SSPR requires Azure AD Premium P1 or P2 license per user.
Users must register at least as many methods as the reset policy requires; reset can require 1 (default) or 2.
Password writeback must be explicitly enabled in Azure AD Connect for hybrid users.
Throttling: repeated failed attempts block the user from SSPR for a period the admin cannot tune.
Security questions: 3 to 5 to register, 3 to 5 to reset, reset count not greater than register count.
SSPR portal URL: https://passwordreset.microsoftonline.com.
Federated (AD FS) users use SSPR like any other synced user once password writeback is enabled.
These come up on the exam all the time. Here's how to tell them apart.
SSPR with 1 Gate
Faster user experience – only one verification step required.
Lower security – single factor of authentication.
Default configuration for SSPR.
Suitable for low-risk environments or non-privileged users.
Reduces helpdesk calls but may be insufficient for compliance.
SSPR with 2 Gates
Stronger security – requires two different authentication methods.
Slower user experience – two verification steps.
Must be explicitly configured by administrator.
Recommended for privileged roles or sensitive data.
Often needed to satisfy internal policy or compliance requirements for privileged accounts; Azure AD already enforces two methods for administrator roles.
Mistake
SSPR is only available with Azure AD Premium P2.
Correct
SSPR is available with Azure AD Premium P1 or P2. The Free tier lets cloud-only users change a password they still know, but does not offer self-service reset of a forgotten password or password writeback.
Mistake
Password writeback is enabled by default when you install Azure AD Connect.
Correct
Password writeback is an optional feature that must be explicitly selected during Azure AD Connect installation or enabled later via the wizard. It is not automatic.
Mistake
Users must register exactly the number of methods required for reset, and no more.
Correct
Users must register at least the number of methods the reset policy requires (1 by default, 2 if configured) and are encouraged to register more, so that a lost phone or a changed email address does not lock them out of SSPR. The 'Number of methods required to reset' setting governs the reset flow; registration simply has to satisfy it.
Mistake
A B2B guest can always reset their password through the resource tenant's SSPR.
Correct
Guests whose identity lives in another Azure AD tenant reset their password in that home tenant; only guest accounts that authenticate locally in the resource tenant use its SSPR, and they fall under that tenant's licensing.
Mistake
Security questions are weak because Azure AD stores the answers in cleartext.
Correct
Answers are stored hashed and administrators cannot read them; the weakness is that the answers themselves are guessable or discoverable (pet names, birthplaces, first schools). Microsoft recommends Microsoft Authenticator, mobile phone or email instead and does not allow security questions for administrator accounts.
SSPR requires an Azure AD Premium P1 or P2 license (also included in Microsoft 365 Business Premium) assigned to each user who will use the feature. The Free tier lets cloud-only users change a password they still know but does not provide self-service reset or writeback. For hybrid environments, Premium is required and writeback must be enabled.
During Azure AD Connect installation, select 'Customize' and check 'Password writeback' under Optional Features. If already installed, run the wizard again and enable it. The service account needs 'Reset password' permission on the on-premises AD user objects.
Yes. Password writeback supports federated (AD FS) users as well as password hash sync and pass-through authentication; once it is enabled, an AD FS user resets through the same SSPR portal and the new password is written to on-premises AD. SSPR does not redirect the user to AD FS.
The portal throttles the user after repeated failed verification attempts and blocks further SSPR attempts for a period the administrator cannot tune (Microsoft's documentation describes a 24-hour block). This is enforced by the SSPR service per user and is separate from on-premises account lockout; after the block expires the user can try again.
Go to Azure AD > Password reset > Registration, and set 'Require users to register when signing in' to Yes. Users will be prompted to register during their next Azure AD sign-in. They can also register at https://aka.ms/ssprsetup.
Available methods: mobile phone (SMS/voice), office phone (voice), alternate email (OTP), security questions (not for administrator accounts), and the Microsoft Authenticator app (notification or code). FIDO2 security keys and Windows Hello for Business are sign-in methods, not SSPR methods.
Only for guest accounts that authenticate locally in the resource tenant, and subject to that tenant's licensing. A guest whose identity lives in another Azure AD tenant resets the password in the home tenant, not through the resource tenant's SSPR.