notebookcomputer
20/12/2022
199 Views

Enable Azure AD Self-Service Password Reset

Numerous studies cite the cost of password resets. Although these studies vary widely in their findings, it’s not uncommon fora single password reset to cost around $70 or more.

One way to bring down this cost while reducing end-user frustration is to enable self-service password reset. Azure Active Directory (AD) is one of the largest systems that support this feature.Azure AD controlsuser accounts, including passwords for business staples like Microsoft 365.

Here, we’ll look at the user-friendly processes Azure AD has to offer. Let’s first delve into how to set up self-service!

Enabling Azure AD’s Self-Service Password Reset

Before you can enable self-service password reset, you’ll need tocreate a group. After this, you have to choose which users you’ll authorize for a self-service password reset, thenadd these users to the group. Once you’ve created the group, you can turn on self-service password reset for the group members. Let’s see these steps in more detail.

Great, now you have a group with users who can perform self-service password resets. How exactly do you enable this feature, though? Let’s take a look.

Now that you’ve created the necessary group, you canenable self-service password reset with these 4 steps:

During a password reset request, users need to use analternative method to prove their identity.If they don’t, they can’t reset their password. As an administrator, you’ll need tochoose how Azure AD will be able toprove a user’s identity. To do so,follow these 4 steps:

You can choose the authentication methods that you wish to allow.

The Password Reset Process

Before a user can perform a self-service password reset, they need tocomplete a registration process.The password reset sitewill ask the user for this info the first time they visit the site. For this to work, the user needs to complete the user registration.

Enable Azure AD Self-Service Password Reset

To register for a self-service password reset, a user will need tocomplete these 2 steps:

You can choose the authentication methods that you wish to allow.

When a user needs to reset their password, they can do so bycompleting these 5 steps:

Final Thoughts

Enabling self-service password reset canreduce the help desk's workloadwhile cutting down on end-user frustration. Theprocess involvescreating a group of usersandenabling self-service password resetfor that group. Users then need to complete asimple registration processbefore theycan reset their own passwords.

FAQ

Nothing is stopping you from using theAll button. As abest practice, though, it’s a good idea toavoid enabling self-service password reset for certain privileged accounts. Using theSelected optionlets you pick andchoose the accountsthat’ll have self-service password reset capabilities.

Admins are always enabled for a self-service password reset. That said, you need multi-factor authentication for password resets. Thathelps administrators to work quickly orafter hours. That’s also useful for maintenance, upgrades, or new implementation activities when third parties are involved.

If you enable self-service passwordreset for everyone,youdon’t need to create a group. That said, you may not want to give every user this capability due to organizationalsecurity policies.

By default,Azure AD requires oneauthentication methodand allows for authentication by email or mobile phone.Technically, you don’t have to make any changes, but most organizations prefer two authentication methods. They may also choose to enable methods beyond email and phone to enhance their security.

Multiple authenticationmethodsverify if the useris who they say they are. If only a single verification method is in place, then someone who has stolen a user’s smartphone could conceivably use the device to reset the user’s password.