Security Tip: Enable Azure AD Self-Service Password Reset

Helpdesk-assisted password resets can account for 20% of an organization’s IT budget, but in the past, required the use of third-party software for Active Directory that could be difficult to set up and maintain. In this article, I’ll show you how to enable self-service password resets for Azure AD users only. While it’s beyond the scope of this article, a self-service password reset in Azure AD can also be extended to On-premise AD users.

Azure AD users can reset their own passwords if they have been assigned a paid Office 365 or Azure AD Basic (or Premium) license. Additionally, cloud-only administrators can reset their own passwords on Azure AD Free. Any other scenario—such as when On-premise AD is synchronized or federated with Azure AD—requires Azure AD Premium licenses.

Configuring Self-Service Password Reset Policy

Before users can take advantage of the self-service password reset, an administrator needs to enable the password reset policy in Azure AD. You will need to have at least one Azure AD directory set up to complete the below steps:

  • Log in to the Azure classic portal here with a cloud administrator account.
  • In the Azure management portal, click ACTIVE DIRECTORY in the list of options to the left.
  • Click the directory you want to modify from the list of available directories to the right.
  • Select CONFIGURE at the top of the portal.
  • Scroll down to user password reset policy, and toggle USERS ENABLED FOR PASSWORD RESET to YES.
  • The RESTRICT ACCESS TO PASSWORD RESET OPTION can be set to YES, in which case you must specify an Azure AD group in the GROUP ENABLED FOR PASSWORD RESET field.

Users must have one or more authentication methods configured for their Azure AD account—an alternate email address, or phone number, for example—before they can use the self-service password reset.

If all of the settings are selected correctly, your user password reset policy window should look like the following:

Enabling Self-Service Password Resets

When the policy settings are configured, you can enable self-service password resets for your Azure AD users through five simple steps:

  1. Check the authentication methods you want to allow to the right of AUTHENTICATION METHODS AVAILABLE TO USERS. You can select from Office Phone, Mobile Phone, Alternate Email Address, and Security Questions.
  2. The number of authentication methods required can be set by changing the number in the NUMBER OF AUTHENTICATION METHODS REQUIRED dropdown menu.
  3. If you don’t want to manually configure authentication methods for each user, you can redirect them to a website where they can register their own authentication methods. Set REQUIRE USERS TO REGISTER WHEN SIGNING IN? to YES if you want to redirect users.
  4. By default, users will not be asked to reconfirm their authentication methods for 180 days, but you can change this number in the NUMBER OF DAYS BEFORE USERS ARE ASKED TO RECONFIRM THEIR AUTHENTICATION INFORMATION field.
  5. Finally, click SAVE at the bottom of the portal window.

By following the steps in this article, your Azure AD users will be able to take advantage of the self-service password reset while staying compliant with the security policies your organization establishes.

Try my previous tip on Azure AD to learn where to find information about Azure AD sign in activity.