SC-900 | Chapter 50 of 103 | Objective 2.2

Self-Service Password Reset (SSPR)

This chapter covers Self-Service Password Reset (SSPR) in Microsoft Entra ID, the feature that lets users reset their own passwords without opening a help desk ticket. For the SC-900 exam, SSPR sits under Objective 2.2 (Describe the capabilities of Microsoft Entra ID); expect questions on its licensing, authentication methods, registration, and deployment prerequisites. SSPR matters because it cuts help desk cost and user downtime, but it only works for users who are licensed and have registered methods, which is exactly where the exam questions concentrate.

25 min read
Intermediate
Updated May 31, 2026

SSPR as a Secure Hotel Check-In

Self-Service Password Reset (SSPR) is like a hotel that lets guests replace their own room key if they lose it, without visiting the front desk. The hotel has a strict policy: before issuing a new key, the guest must prove who they are with at least two methods they registered at check-in. For example, the guest might have registered a mobile phone number and a backup email address. When the guest asks for a new key, the hotel sends a one-time code to the registered phone by SMS; the guest enters it on a secure portal. Then the hotel sends a second code to the backup email. Only after both codes are verified does the hotel issue a new digital key. The hotel logs every attempt and sends a notice to the guest's primary email about the replacement. If the guest asks too often within an hour (say, 5 attempts), the system refuses further attempts for 10 minutes. This mirrors SSPR: the user registers authentication methods, proves identity with them when locked out, and then sets a new password. One caveat to the analogy: Microsoft Entra ID Protection does not stand at the door of the reset portal. It works the other way round. When it judges an account compromised, its user risk policy can force that user through a secured password change, and a successful self-service reset clears the user's risk.

How It Actually Works

What is Self-Service Password Reset (SSPR)?

Self-Service Password Reset (SSPR) is a feature of Microsoft Entra ID (formerly Azure Active Directory) that lets users reset their own passwords when they are locked out or have forgotten them, without administrator intervention. SSPR for users is included in Microsoft Entra ID P1 and P2 and in Microsoft 365 Business Premium. The Free tier does not give users self-service reset: a Free tier user can change a password they still know, but cannot recover a forgotten one through SSPR. The business case is help desk volume; Microsoft's deployment guidance cites password-related calls as a large share (often quoted as up to half) of help desk tickets, and SSPR also removes the productivity loss of waiting for an administrator.

How SSPR Works: The Authentication Flow

SSPR relies on a multi-step verification process to ensure that only authorized users can reset their passwords. The flow consists of three phases: Registration, Reset, and Notification.

Registration Phase: Before a user can use SSPR, they must register authentication methods. They can do this proactively through the combined security info registration page (https://aka.ms/ssprsetup, which redirects to My Security Info) or when an administrator-enforced registration interrupt appears at sign-in. A user must register at least as many methods as the policy requires for reset; administrators typically require two. The available methods are:

Mobile app notification (Microsoft Authenticator)

Mobile app code (Microsoft Authenticator)

Email (to a verified alternate email)

Mobile phone (SMS or voice call)

Office phone (voice call)

Security questions (predefined questions with user-provided answers)

Security questions are the weakest method and are widely discouraged; they are not permitted in the administrator policy at all. When they are enabled for users, the administrator sets how many questions a user must register (3 to 5) and how many they must answer during reset (3 to 5, never more than were registered).

Reset Phase: When a user is locked out or has forgotten the password, they open the SSPR portal at https://aka.ms/sspr or follow the "Can't access your account?" (or "Forgot my password") link on the sign-in page, which appears once SSPR is enabled for the tenant. The user enters the user ID and completes a CAPTCHA, which slows automated enumeration and brute-force attempts. They are then challenged for identity with their registered methods; the administrator decides how many verification steps are required (one or two). For each step the user picks a method (for example SMS), receives a code or an approval prompt, and completes it. After successful verification the user sets a new password, which must satisfy the tenant password policy and the banned password list. Where password writeback is enabled, the administrator can also allow users to unlock their on-premises account without changing the password.

Notification Phase: After a successful reset, the user receives a confirmation email at their primary and alternate email addresses ("Notify users on password resets", enabled by default). Administrators can additionally turn on "Notify all admins when other admins reset their password" (off by default). There is no built-in option to notify a user's manager; that would need a custom alert built on the audit log.

Key Components and Defaults

Licensing: SSPR for end users requires Microsoft Entra ID P1 or P2, or Microsoft 365 Business Premium. The Free tier does not include self-service password reset for users (only self-service change of a password the user still knows).

Authentication Methods: Six methods exist (the list above). The administrator chooses which of them are available to users and how many a user must complete to reset: 1 or 2 (default 2; the administrator policy is fixed at 2). Users must register at least as many methods as the reset policy requires.

Registration: Users must register before they can reset. Administrators can force this by setting "Require users to register when signing in" to Yes, which interrupts the next interactive sign-in until methods are registered, and by setting "Number of days before users are asked to re-confirm their authentication information" (0 to 730 days, default 180), which periodically asks users to confirm their methods are still correct.

Lockout: To prevent brute-force attacks, SSPR has a built-in lockout: if a user attempts to reset their password more than 5 times in 1 hour, they are locked out for 10 minutes.

Password Writeback: For users synchronized from on-premises Active Directory, password writeback must be enabled so the new password (and any account unlock) is written back to on-premises AD. This requires Microsoft Entra Connect (or Microsoft Entra Cloud Sync) configured for password writeback, and the users need a Microsoft Entra ID P1 or P2 or Microsoft 365 Business Premium license. Without writeback, the reset succeeds only in the cloud and the on-premises password stays unchanged.

Administrator Reset: Administrator accounts are enabled for SSPR by default and are governed by a separate, fixed two-gate policy that cannot be edited: two methods are always required and security questions are never permitted. A tenant can switch administrator SSPR off with the authorization policy (Update-MgPolicyAuthorizationPolicy -AllowedToUseSspr:$false). This is a common exam trap.

Configuration and Verification

To configure SSPR in the Microsoft Entra admin center:

1.

Go to Protection > Password reset > Properties (in the Azure portal: Microsoft Entra ID > Password reset).

2.

Under "Self service password reset enabled", choose All, or Selected and pick one group; None turns it off for users.

3.

Under Authentication methods, set the number of methods required to reset (1 or 2) and tick the methods users may use.

4.

Under Registration, decide whether users are forced to register at sign-in and how often they must re-confirm their information.

5.

Under Notifications, decide whether users and administrators are emailed about resets.

To verify SSPR works, test with a pilot user who has registered methods and holds no administrator role (administrators follow the separate two-gate policy, so their experience is not representative of ordinary users). Walk through https://aka.ms/sspr end to end, then confirm the events in the audit log under the "Self-service Password Management" service.

Interaction with Related Technologies

Microsoft Entra ID Protection: The integration runs in the opposite direction from what is often assumed. Identity Protection does not gate the SSPR portal on risk; instead, its user risk policy can require a risky user to perform a secured password change (with MFA), and a successful self-service reset remediates that user's risk. Protecting the registration step from risky sign-ins is a job for Conditional Access.

Conditional Access: The "Register security information" user action lets you protect SSPR and MFA registration, for example by requiring a compliant or hybrid-joined device or a trusted network location, or by blocking registration during risky sign-ins. For users who have nothing registered yet, issue a Temporary Access Pass rather than demanding an MFA method they cannot yet perform.

Password Protection: A password set through SSPR is checked against the global banned password list and, with Entra ID P1, against the tenant's custom banned list, so weak or obviously guessable passwords are rejected at reset time.

Microsoft Entra Connect (or Microsoft Entra Cloud Sync): For hybrid environments, password writeback carries the new password (and account unlock) back to on-premises AD so the two directories stay consistent.

Common Exam Traps

Free tier does not support SSPR. A common wrong answer is that SSPR is available in all tiers.

Administrators must use two methods and cannot use security questions. Many candidates think admins can use the same methods as users.

Every user who resets through SSPR must hold an Entra ID P1 or P2 (or Microsoft 365 Business Premium) license. SSPR is not a separately purchased add-on; it is part of those licenses, so "SSPR needs an extra license per user" and "SSPR needs no license" are both wrong.

Password writeback requires Microsoft Entra Connect and a P1 license. Candidates often forget the licensing requirement.

Step-by-Step SSPR User Flow

1.

User reaches the reset link – On the password page the user selects "Can't access your account?" (or "Forgot my password"). The link is shown as soon as SSPR is enabled for the tenant; the user does not have to fail sign-in first.

2.

User clicks the link and is redirected to SSPR portal – The user enters their user ID and completes a CAPTCHA.

3.

User verifies identity using registered method – The user selects an authentication method (e.g., SMS) and receives a code. They enter the code.

4.

User sets a new password – The new password must meet policy. The password is saved and, if writeback is enabled, written to on-premises AD.

5.

User receives confirmation – An email or notification is sent confirming the reset.

Configuration Steps for Administrator

1.

Enable SSPR – In Microsoft Entra ID, go to Password reset > Properties. Choose "All" or "Selected" group.

2.

Configure authentication methods – Under Authentication methods, select the number of methods required (1 or 2) and which methods are allowed.

3.

Configure registration – Under Registration, set "Require users to register when signing in" to Yes. Users are then interrupted at their next interactive sign-in until they have registered, and are asked to re-confirm their information every 180 days by default (configurable from 0 to 730 days).

4.

Configure notifications – Under Notifications, enable or disable user notifications and admin alerts.

5.

Test SSPR – Use a test user who has registered methods to ensure the flow works.

Verifying SSPR with PowerShell

You can read the tenant-wide Authentication methods policy with the Microsoft Graph PowerShell SDK (the Password reset blade's own All/Selected/None and methods-required settings are viewed in the admin center; the Authentication methods policy governs SSPR methods once the tenant uses the converged policy):

Connect-MgGraph -Scopes "Policy.Read.All"
# One row per method (MicrosoftAuthenticator, Sms, Voice, Email, ...) with its enabled/disabled state
(Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations | Select-Object Id, State

To check whether administrators may use SSPR at all (a separate switch from the user-facing All/Selected/None setting), read the authorization policy:

Get-MgPolicyAuthorizationPolicy | Select-Object AllowedToUseSspr

Note: The exact cmdlets may change; always refer to current documentation.
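The following script is an added example for this page (not code from the original page and not Microsoft's own tooling); it ties together the registration phase described earlier and the verification steps above. It assumes the Microsoft.Graph module is installed and that the signed-in account can read policies and reports (Global Reader is sufficient). It checks the three things that most often explain "a user cannot reset": administrator SSPR switched off, a method disabled tenant-wide, and users who are enabled for SSPR but have not registered enough acceptable methods.

```powershell
# Added example (not Microsoft's code): SSPR readiness check with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph is installed and the signed-in account can read policies and reports.
# Scopes: Policy.Read.All (policies) and AuditLog.Read.All (registration-details report).
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All" -NoWelcome

# 1. Administrator SSPR is governed by the authorization policy, not by the All/Selected/None user setting.
$authz = Get-MgPolicyAuthorizationPolicy
"Administrators allowed to use SSPR: $($authz.AllowedToUseSspr)"

# 2. Tenant-wide Authentication methods policy: which methods are enabled, and whether an
#    Authenticator registration campaign is nudging users to register the app.
$amp = Get-MgPolicyAuthenticationMethodPolicy
$amp.AuthenticationMethodConfigurations | Select-Object Id, State | Format-Table -AutoSize
"Authenticator registration campaign: $($amp.RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign.State)"

# 3. Registration report. IsSsprRegistered = has registered something; IsSsprCapable = has registered
#    enough methods that the current SSPR policy accepts. A user who is registered but not capable
#    (for example, only security questions under a two-method policy) still fails at the reset portal.
$report   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$enabled  = @($report | Where-Object IsSsprEnabled)
$notReady = @($enabled | Where-Object { -not $_.IsSsprCapable })
"SSPR-enabled users: $($enabled.Count); not yet capable: $($notReady.Count)"
$notReady |
    Select-Object UserPrincipalName, IsAdmin, IsSsprRegistered,
        @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ', ' } } |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

# 4. Administrators whose only registered method is security questions cannot satisfy the admin policy.
$report |
    Where-Object { $_.IsAdmin -and $_.MethodsRegistered.Count -gt 0 -and
                   -not ($_.MethodsRegistered | Where-Object { $_ -ne 'securityQuestion' }) } |
    Select-Object UserPrincipalName, MethodsRegistered
```

The distinction between IsSsprRegistered and IsSsprCapable is the one practitioners most often miss: tightening the policy from one method to two, or disabling a method tenant-wide, silently turns registered users into users who cannot reset, and only the report shows it.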

Troubleshooting Common Issues

User cannot see SSPR link – Ensure SSPR is enabled for the user's group and that the user has a license.

User cannot register – Check that registration is enabled and the user has access to the registration portal.

Password writeback fails – Verify that Microsoft Entra Connect is configured with password writeback and that the on-premises AD permissions are correct.

Lockout – If a user hits the SSPR lockout, they must wait for it to expire (10 minutes per this chapter); an administrator can bypass it by resetting the user's password directly from the admin center.
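For the writeback item above, the following is an added example for this page (not Microsoft's tooling and not code from the original page). Run it on the Microsoft Entra Connect server in an elevated session: it confirms writeback is enabled on the Entra connector and that the AD DS connector account holds the four on-premises permissions writeback needs (Reset Password, Unexpire Password, and write access to pwdLastSet and lockoutTime). The domain DN and account name are placeholders; the GUIDs are the well-known schema and extended-right identifiers.

```powershell
# Added example (not Microsoft's code): verify password writeback prerequisites on the Entra Connect server.
# Requires the ADSync module (installed with Entra Connect) and the ActiveDirectory RSAT module.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Find the Entra ID connector and read the writeback flag (writeback is configured per connector).
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
$wb = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
"Password writeback on '$($aadConnector.Name)': $($wb.Enabled)"

# 2. Permissions the AD DS connector account needs on the domain (or OU) root, inherited to user objects.
$domainDn = 'DC=contoso,DC=com'        # placeholder: domain or OU where writeback users live
$account  = 'CONTOSO\MSOL_example'     # placeholder: the AD DS connector account
$required = @{
    'Reset Password (extended right)'    = '00299570-246d-11d0-a768-00aa006e0529'
    'Unexpire Password (extended right)' = 'ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501'
    'Write pwdLastSet'                   = 'bf967a0a-0de6-11d0-a285-00aa003049e2'
    'Write lockoutTime'                  = '28630ebf-41d5-11d1-a9c1-0000f80367c1'
}

# Allow ACEs granted to the connector account on the chosen root.
$aces = (Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow' }

foreach ($name in $required.Keys) {
    $guid = [guid]$required[$name]
    $hit  = $aces | Where-Object { $_.ObjectType -eq $guid }
    "{0,-36} {1}" -f $name, $(if ($hit) { 'present' } else { 'MISSING' })
}
```

If any line reports MISSING, Microsoft's ADSyncConfig module can grant the set with Set-ADSyncPasswordWritebackPermissions; a reset that succeeds in the cloud while these rights are missing is exactly the "cloud updated, on-premises stale" failure the troubleshooting list describes.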

Security Considerations

SSPR should be enabled with at least two methods for security.

Avoid using security questions due to their weaker security.

Enable notifications to alert users and admins of resets.

Let Identity Protection use SSPR as its remediation path: a user risk policy that requires a secured password change pushes compromised users through a password change with MFA, and a successful self-service reset clears the user's risk.

Use Conditional Access on the "Register security information" user action so registration can only happen from a compliant device or trusted location, and issue a Temporary Access Pass to users who have nothing registered yet.

Licensing Details

Microsoft Entra ID P1: SSPR, password writeback, and basic security reports.

Microsoft Entra ID P2: All P1 features plus Identity Protection and Privileged Identity Management.

Microsoft 365 Business Premium: Includes Entra ID P1 and SSPR.

Free: No self-service password reset for users (only self-service change of a password the user still knows).

Exam Tips

Remember that SSPR is not available in Free tier.

Administrators cannot use security questions for SSPR.

Password writeback requires Microsoft Entra Connect and P1 licensing.

The default number of authentication methods required is 2.

SSPR lockout is 5 attempts in 1 hour, then locked for 10 minutes.

Users must register before first use; administrators can force registration.

Summary

SSPR reduces help desk load and improves the user experience, but it depends on licensing, configuration, and user registration being in place. It integrates with on-premises AD through password writeback and serves as the remediation path for Identity Protection's user risk policy. The SC-900 exam tests licensing, authentication methods, and the registration process. Focus on the differences between user and administrator SSPR, and on the prerequisites for password writeback.

Walk-Through

1

Enable SSPR in tenant

The administrator navigates to Protection > Password reset > Properties in the Microsoft Entra admin center (Microsoft Entra ID > Password reset in the Azure portal). They select either 'All' to enable SSPR for all users, or 'Selected' to enable it for one group (nested groups are supported; pilot with a small group first). This is the prerequisite for any user-facing SSPR functionality; without it, users cannot complete a reset. Administrator accounts are a separate matter: they are enabled for SSPR by default under their own fixed two-gate policy, which this selector does not configure. To switch administrator SSPR off, use the authorization policy (Update-MgPolicyAuthorizationPolicy -AllowedToUseSspr:$false). Note: even when SSPR is enabled for all, users must still register authentication methods.

2

Configure authentication methods

Under Authentication methods, the administrator sets the number of methods required for reset (1 or 2) and selects which methods are allowed. The default is 2 methods. Available methods are mobile app notification, mobile app code, email, mobile phone, office phone, and security questions. Security questions are never allowed for administrators. If security questions are enabled, the administrator also sets how many questions users must register (3 to 5) and how many they must answer to reset (3 to 5, no more than were registered). This step determines the user experience during reset.

3

Configure registration settings

The administrator sets the registration options: whether to require users to register when signing in, and the number of days before users are asked to re-confirm their authentication information (0 to 730, default 180). If enabled, users are interrupted at their next interactive sign-in until they register. The registration page is https://aka.ms/ssprsetup. Users must register at least as many methods as the reset policy requires; there is no separate registration count to configure. This step ensures users have methods on file before they need them.

4

Set up notifications

The administrator configures notifications: whether to notify users on password resets (default Yes; the mail goes to the user's primary and alternate email addresses), and whether to notify all global administrators when other administrators reset their passwords (default No). Under Customization, the "Contact your administrator" link on the reset portal can be pointed at a custom helpdesk email address or URL. These settings support both detection of unexpected resets and user support.

5

Test SSPR with a user

The administrator should test SSPR by using a test user who has registered authentication methods. The user goes to https://aka.ms/sspr or clicks the reset link on the sign-in page. They enter their user ID, complete CAPTCHA, verify their identity using registered methods, then set a new password. The administrator can monitor the reset in the audit logs. Common issues include users not having registered methods or license, or password writeback failures.
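The audit log review mentioned in step 5 (and the notification phase earlier in the chapter) can be automated. The script below is an added example for this page, not code from the original page or from Microsoft. It assumes the Microsoft.Graph module and a signed-in account with Reports Reader or Global Reader. It pulls the last 24 hours of SSPR activity, lists what happened by activity name, and flags accounts with an unusual number of events; the threshold of five is an assumption for the example and should be tuned to your own baseline.

```powershell
# Added example (not Microsoft's code): review SSPR activity in the Microsoft Entra audit log.
# Assumes Microsoft.Graph is installed and the signed-in account can read audit logs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$since  = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
# SSPR writes its events under the 'Self-service Password Management' service.
$filter = "loggedByService eq 'Self-service Password Management' and activityDateTime ge $since"
$events = @(Get-MgAuditLogDirectoryAudit -Filter $filter -All)

# Inventory by activity name (e.g. 'Reset password (self-service)', 'Blocked from self-service password reset').
$events | Group-Object ActivityDisplayName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The actor is the user performing the flow; fall back to the target if the actor is not populated.
function Get-SsprActor($e) {
    if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
    elseif ($e.TargetResources.Count -gt 0)   { $e.TargetResources[0].UserPrincipalName }
}

# Threshold is an assumption for this example; tune it against your own baseline.
$threshold = 5
$events | Group-Object { Get-SsprActor $_ } |
    Where-Object { $_.Name -and $_.Count -ge $threshold } |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Name
            Events   = $_.Count
            Failures = @($_.Group | Where-Object Result -eq 'failure').Count
            Blocked  = @($_.Group | Where-Object ActivityDisplayName -like 'Blocked*').Count
            Resets   = @($_.Group | Where-Object { $_.ActivityDisplayName -like 'Reset password*' -and $_.Result -eq 'success' }).Count
            LastSeen = ($_.Group | Measure-Object -Property ActivityDateTime -Maximum).Maximum
        }
    } | Sort-Object Events -Descending | Format-Table -AutoSize
```

An account with many failures and a blocked event is either a user who has forgotten their registered methods or someone probing the reset flow for that account; either way it is worth a call to the user before the lockout window expires and the attempts resume.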

What This Looks Like on the Job

In a typical enterprise deployment, SSPR is rolled out to reduce help desk costs. For example, Contoso Corporation with 10,000 employees deploys SSPR for all users with two methods required: mobile app notification and a backup email. They require users to register at their next sign-in. The help desk sees a 40% reduction in password-related calls within three months. They faced initial resistance from users who did not want to install the Microsoft Authenticator app; to ease the transition they allowed SMS as an alternative method for the first 90 days, then phased it out. They also integrated SSPR with on-premises Active Directory through password writeback, which required upgrading Microsoft Entra Connect and confirming that the AD DS connector account held the reset, unexpire, pwdLastSet and lockoutTime permissions. A common issue was that users without an Entra ID P1 license could not use SSPR, causing confusion; they resolved it by assigning P1 through group-based licensing.

A second scenario is a university with 50,000 students. They enabled SSPR for students and used security questions (three questions) as the primary method because many students lacked mobile devices. Students often forgot their answers, which produced lockouts. The university eventually moved to email verification. Note the design constraint here: SSPR's email method sends to the user's alternate email address, so the recovery mailbox must be one the student can still reach without the password that is being reset; a mailbox protected by that same password is useless as a recovery channel.

In production, performance is rarely an issue, but lockouts occur when users retry too often; the lockout described in this chapter (5 attempts per hour) is usually sufficient. Common misconfigurations include forgetting to enable password writeback in hybrid environments, which sets the new password only in the cloud and leaves on-premises AD out of sync, and administrators who never register their own methods and then cannot use SSPR themselves. Best practice is to require all administrators to register methods during onboarding.

How SC-900 Actually Tests This

The SC-900 exam tests SSPR under Objective 2.2: Describe the capabilities of Microsoft Entra ID. Specifically, you should know: (1) Licensing: SSPR requires Microsoft Entra ID P1 or P2, or Microsoft 365 Business Premium; the Free tier does NOT give users self-service reset (only self-service change of a known password). (2) Authentication methods: mobile app notification, mobile app code, email, mobile phone, office phone, and security questions; security questions are NOT allowed for administrators. (3) Number of methods: the default required for reset is 2, but it can be set to 1; the administrator policy is fixed at 2. (4) Registration: users must register before using SSPR; administrators can force registration at next sign-in. (5) Password writeback: requires Microsoft Entra Connect (or Cloud Sync) configured for writeback and a P1-level license. (6) Lockout: 5 attempts in 1 hour, then locked for 10 minutes. Common wrong answers: 'Free tier supports SSPR' or 'Administrators can use security questions'. Another trap: 'SSPR requires a separate license for each user'; each user must be licensed with Entra ID P1 or P2, but SSPR is part of that license, not an add-on. Also, 'Password writeback is automatic'; it requires configuration on the sync server. A scenario where a user cannot reset usually resolves to a missing license or missing registration. Edge cases: administrator accounts are enabled for SSPR by default under a separate two-gate policy (two methods, no security questions), and administrator SSPR can be switched off separately through the authorization policy. The exam may contrast SSPR with Identity Protection: SSPR resets passwords, while Identity Protection detects risk and can require a risky user to perform a secured password change. SSPR does not require P2; P1 is sufficient. Finally, SSPR is a feature of Entra ID, not a separate service.

Key Takeaways

SSPR requires Microsoft Entra ID P1 or P2 (or Microsoft 365 Business Premium) license for each user.

The default number of authentication methods required for SSPR is 2.

Administrators cannot use security questions for SSPR; they must use two methods such as mobile app and phone.

Password writeback to on-premises AD requires Microsoft Entra Connect with password writeback enabled and a P1 license.

SSPR lockout: 5 failed attempts in 1 hour results in a 10-minute lockout.

Users must register authentication methods before using SSPR; administrators can force registration at next sign-in.

SSPR is not available in the Free tier of Microsoft Entra ID.

SSPR is the remediation path Identity Protection relies on: its user risk policy can force a risky user through a secured password change, and a successful self-service reset clears the user's risk.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SSPR with Two Methods Required

Higher security: requires two different authentication methods (e.g., SMS and email).

Default configuration in Microsoft Entra ID.

Reduces risk of unauthorized resets if one method is compromised.

May cause more friction for users who need to have multiple methods available.

Recommended for organizations with strict security requirements.

SSPR with One Method Required

Lower security: only one authentication method needed (e.g., mobile app code).

Less user friction: users only need one method to reset.

Higher risk: if that single method is compromised, an attacker can reset the password.

Can be configured by setting 'Number of methods required to reset' to 1.

Suitable for low-risk environments or as a temporary measure.

Watch Out for These

Mistake

SSPR is available in all editions of Microsoft Entra ID, including Free.

Correct

SSPR is only available in Microsoft Entra ID P1 or P2, or Microsoft 365 Business Premium. The Free tier does not support SSPR.

Mistake

Administrators can use the same authentication methods as regular users, including security questions.

Correct

Administrators cannot use security questions for SSPR. They must use two methods, and security questions are not allowed for admin accounts.

Mistake

Password writeback happens automatically when SSPR is enabled.

Correct

Password writeback requires Microsoft Entra Connect to be configured with password writeback enabled, and the tenant must have Microsoft Entra ID P1 or P2 licenses.

Mistake

Users can reset their password without registering any authentication methods first.

Correct

Users must register at least one (typically two) authentication methods before they can use SSPR. Registration can be enforced by the administrator.

Mistake

SSPR lockout is permanent until an administrator unlocks the account.

Correct

SSPR lockout is temporary: after 5 failed attempts in 1 hour, the user is locked out for 10 minutes, after which they can try again.


Frequently Asked Questions

What licenses are required for Self-Service Password Reset in Microsoft Entra ID?

SSPR requires a Microsoft Entra ID P1 or P2 license for each user who will use the feature; it is also included in Microsoft 365 Business Premium. The Free tier of Entra ID does not give users self-service password reset (they can change a password they still know, but cannot recover a forgotten one). For hybrid environments, password writeback also requires a P1-level license.

Can administrators use security questions for SSPR?

No, administrators cannot use security questions for SSPR. They must use two authentication methods, and security questions are not allowed. The allowed methods for administrators include mobile app notification, mobile app code, email, mobile phone, and office phone.

How do I enable password writeback for SSPR?

To enable password writeback, you must have Microsoft Entra Connect (or Microsoft Entra Cloud Sync) installed with the password writeback feature enabled, and the AD DS connector account must hold the reset-password and unexpire-password rights plus write access to pwdLastSet and lockoutTime on the users in scope. Your tenant must also have Microsoft Entra ID P1 or P2 (or Microsoft 365 Business Premium) licenses. Once configured, a password reset through SSPR is written back to on-premises Active Directory.

What happens if a user fails SSPR multiple times?

SSPR has a built-in lockout mechanism. If a user attempts to reset their password more than 5 times within 1 hour, they are locked out from further attempts for 10 minutes. After the lockout period, they can try again. This prevents brute-force attacks.

Do users need to register before using SSPR?

Yes, users must register at least one authentication method (typically two) before they can use SSPR. Administrators can enforce registration by enabling the option 'Require users to register when signing in' in the SSPR settings. Users will then be prompted to register at their next sign-in.

Can SSPR be used for on-premises Active Directory accounts?

Yes, if you have a hybrid environment with Microsoft Entra Connect and password writeback enabled, users can reset their on-premises passwords via SSPR. The new password is written back to on-premises AD, ensuring synchronization.

What authentication methods are available for SSPR?

The available methods are: mobile app notification (Microsoft Authenticator), mobile app code, email (to a verified alternate email), mobile phone (SMS or voice call), office phone (voice call), and security questions. However, security questions are not allowed for administrators.

