Imagine the scenario: your employee is scrambling to meet a deadline for your most important customer, but when they try to log into their account they realise they’ve forgotten their password.
Unfortunately, your Azure AD admin is in a completely different timezone and they’re currently asleep in bed. There’s no way for the employee to reset their password, and zero chance of them meeting their deadline.
Even if this worst-case scenario hasn’t happened to you, password resets are costing your business time and money. It’s estimated that the average employee wastes 11 hours every single year navigating complicated password reset procedures, potentially costing your business $5.2 million per year in lost productivity.
By simplifying and automating the password reset process, you can reclaim hours of lost time every single week, and reduce your IT help desk calls by up to 50%.
In this article, I’ll show how your employees can securely and easily reset their password, with zero help from your help desk, IT department or Azure AD admin.
By the end of this tutorial, you’ll have set up a streamlined, multi-factor Self-Service Password Reset (SSPR) policy and implemented it across your organization.
Why your business needs SSPR
There are several benefits to enabling SSPR:
1. Reclaim days of lost productivity
Once SSPR is rolled out across your organization, your employees will be able to reset their passwords on-demand, from any location and any device. Even if they’re working out-of-hours and away from the office, they should have no issues recovering their account and getting back to work.
SSPR can help any business avoid a situation where your employees are sitting around, waiting for an Azure AD admin to respond to their query. However, SSPR is particularly important for organizations with distributed workforces, or staff who operate across multiple time zones. For these organizations, a forgotten password can result in days of lost productivity, as your forgetful employee and Azure AD admin struggle to coordinate account recovery while working in completely opposite timezones.
2. Reduce your IT staff’s workload by 50%
SSPR reduces the amount of time your IT department, help desk or Azure AD administrators spend resolving common password-related problems that your employees could have handled themselves.
According to digital consultancy Sparkhound, the average cost of a single password reset performed by your help desk is around $70, and the typical employee requests a password reset every single month. Crunch the numbers, and something as simple as resetting a password could be costing your business hundreds of dollars per month!
By giving employees the tools they need to manage their own passwords, you can drastically reduce your IT support costs, and give your IT department, help desk staff and admins up to 50% more time to dedicate to urgent tasks and high priority work.
3. Protect your confidential company data and corporate apps
If an employee cannot reset their own password, then they’ll be tempted to reuse the same handful of passwords, over and over, or opt for simpler passwords that are easier to remember – and easier for hackers to guess!
If your employees know that they can reset their password at any point, then they’ll be more likely to use complex, unique passwords for all of their accounts.
With cyberattacks on the rise and Microsoft recording over 300 million fraudulent sign-in attempts every single day, SSPR is another tool that can help protect your company against expensive and reputation-damaging security breaches.
Password reuse was implicated in 80% of 2019’s hacking-related breaches and recently compromised 44 million Microsoft accounts. Concerned about password reuse? Check out our report into the dangers of password reuse, and how you can help keep your business safe.
How does Self Service Password Reset work?
When SSPR is enabled, your employees will be able to reset their password without any assistance from your IT department or help desk. If a user forgets their password, then they simply need to:
- Head over to the Office 365 login page.
- Select the “Can’t access your account” link.
- Enter their ID, complete the captcha and then press “Next.”
Azure AD will then verify that your organization has SSPR enabled, and that this user has registered all the authentication method(s) required to verify their identity.
If the user meets both of these criteria, then Office 365 will guide them through the password reset process, and they’ll be able to regain access to their account.
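Because every step of this flow is written to the Azure AD audit log, it is worth checking that log once SSPR is live: a user who fails the verification step several times in a few minutes is either locked out of their own methods or has someone else trying to answer for them. The script below is an added example (not code from the original article or from Microsoft) that runs that check over a constructed sample. The field names are modelled on the Azure AD audit log (directoryAudit) schema; the activity names and result reasons are assumptions about how SSPR events appear, not values taken from a real tenant.

```python
"""Spot repeated SSPR verification failures in an Azure AD audit log export.

Added example; not code from the original article or from Microsoft. The
entries below are constructed, with field names modelled on the Azure AD
audit log (directoryAudit) schema; the activity names and result reasons are
assumptions about how SSPR events appear, not values taken from a real tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed activity names for the two SSPR events we care about.
SSPR_PROGRESS = "Self-service password reset flow activity progress"
SSPR_RESET = "Reset password (self-service)"


def entry(ts, activity, result, upn, reason=""):
    """Build one constructed audit record in the shape an export would have."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "result": result,
        "resultReason": reason,
        "targetResources": [{"userPrincipalName": upn}],
    }


# Constructed sample log (not real tenant data).
SAMPLE_AUDIT_LOG = [
    entry("2024-03-04T02:01:10Z", SSPR_PROGRESS, "failure", "alice@contoso.example", "verification code rejected"),
    entry("2024-03-04T02:03:40Z", SSPR_PROGRESS, "failure", "alice@contoso.example", "verification code rejected"),
    entry("2024-03-04T02:05:02Z", SSPR_PROGRESS, "failure", "alice@contoso.example", "verification code rejected"),
    entry("2024-03-04T02:40:00Z", SSPR_PROGRESS, "failure", "alice@contoso.example", "verification code rejected"),
    entry("2024-03-04T09:15:00Z", SSPR_PROGRESS, "failure", "bob@contoso.example", "verification code rejected"),
    entry("2024-03-04T09:16:30Z", SSPR_PROGRESS, "success", "bob@contoso.example"),
    entry("2024-03-04T09:17:00Z", SSPR_RESET, "success", "bob@contoso.example"),
    entry("2024-03-04T14:30:00Z", SSPR_RESET, "success", "carol@contoso.example"),
]


def parse_time(ts):
    """Audit timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def target_upn(e):
    """The account the reset attempt was made against."""
    return e["targetResources"][0]["userPrincipalName"]


def repeated_failures(entries, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed verification steps inside any
    `window` of time. Returns {upn: failures in the densest window} so the
    help desk can contact the user and confirm whether the attempts were theirs."""
    failures = defaultdict(list)
    for e in entries:
        if e["activityDisplayName"] == SSPR_PROGRESS and e["result"] == "failure":
            failures[target_upn(e)].append(parse_time(e["activityDateTime"]))
    flagged = {}
    for upn, times in failures.items():
        times.sort()
        densest, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            flagged[upn] = densest
    return flagged


def successful_resets(entries):
    """(upn, timestamp) for every completed self-service reset, oldest first."""
    resets = [(target_upn(e), e["activityDateTime"]) for e in entries
              if e["activityDisplayName"] == SSPR_RESET and e["result"] == "success"]
    return sorted(resets, key=lambda r: parse_time(r[1]))


if __name__ == "__main__":
    print("repeated verification failures:", repeated_failures(SAMPLE_AUDIT_LOG))
    print("completed resets:", successful_resets(SAMPLE_AUDIT_LOG))
```

On the sample, only alice is flagged: three of her four failures fall within ten minutes of each other, while bob’s single slip before a successful reset is the normal case and stays below the threshold. The threshold and window are tuning knobs; start with values that produce a handful of alerts per week and adjust from there.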
How to implement an organization-wide SSPR policy
To give your employees the ability to reset their password, you’ll need to:
- Enable SSPR in Azure AD.
- Specify the authentication method(s) that your employees should use as part of the password reset process, for example verifying their identity using the Microsoft Authenticator mobile app, or answering some security questions.
In the following sections, I’ll cover both of these points, including all the authentication method(s) that you can choose from.
Enabling SSPR in Azure Active Directory
To start, your Azure AD admin will need to enable SSPR:
- Sign into the Azure portal.
- Select “Azure Active Directory.”
- In the left-hand menu, select “Password reset.”
- Find the “Self service password reset enabled” slider. You can now enable SSPR for all users by pushing this slider into the “All” position. Alternatively, you can pick and choose who should be able to perform SSPR, by pushing this slider into the “Selected” position, and then selecting one or more groups.
- When you’re happy with your selection, click “Save.”
- In the left-hand menu, select “Authentication methods.”
- You can now choose the “Number of authentication methods required to reset,” which is the number of identification methods a user must have registered in order to perform SSPR. To improve security, you should opt for two alternate authentication methods wherever possible.
- You can now choose one or more authentication methods that will be made available to your users. We discuss all of these options in the following section.
- Depending on your chosen authentication method(s), you may be prompted to perform some additional configuration. Again, we cover these steps in the following sections.
- When you’re happy with your SSPR setup, click “Save.”
SSPR is now enabled across your organization.
Choose an authentication method – or two!
When enabling SSPR, you’ll need to specify one or two authentication methods that your employees can use to verify their identity. Only users who pass these additional security checks will be able to reset their password using SSPR.
You can choose from the following authentication methods:
1. Microsoft Authenticator for mobile and tablet
This mobile app allows users to authenticate their identity, either by:
- Using the Microsoft Authenticator app to generate an OATH verification code. The employee can then enter this OATH code into the Office 365 password reset dialog.
- Receiving a smartphone push notification. The user will need to approve this notification, in order to verify their identity.
If you’ve set up two authentication methods (such as mobile app authentication and security questions) then your employees can choose whether to authenticate using the OATH or smartphone notification method. However, if mobile verification is your company’s only authentication method, then employees can only authenticate using the OATH method, as OATH is typically considered more secure than approving a push notification.
Note that the notification method won’t function correctly on Android devices within China. If some of your staff work from, or travel to China then you’ll need to provide them with an alternative authentication method.
2. Register a secondary email address
A user can provide an additional email address that they’ll use to verify their identity during SSPR.
During a password reset, an email will be sent to this secondary email address with instructions on how the user can complete the authentication process.
3. SMS verification codes
Your employees can use their smartphone as a secondary form of authentication.
If the user needs to reset their password at any point, then Microsoft will send a verification code to their smartphone via SMS. The employee can then verify their identity by entering this code into the Office 365 password reset dialog.
4. Receive an automated voice call
Your employees can opt to receive an automated voice call to a specific phone number, such as their work smartphone or office landline. This automated call will then guide them through the process of confirming their identity.
5. Pose some security questions
When users register for SSPR, they can choose from a list of predefined security questions. If the user forgets their password, they can then verify their identity by answering these security questions.
Security questions are generally deemed less secure than other authentication methods, as it may be possible to guess another user’s answers. If you do permit security questions as a possible authentication method, then we recommend using security questions alongside a secondary method.
If you choose “Security questions” as a possible authentication method during SSPR setup, then you’ll need to perform some additional configuration.
To start, specify the following:
- Number of questions required to register. This is the minimum number of security questions a user must answer in order to qualify for SSPR. This number must be greater than or equal to the number of questions the employee will answer when resetting their password.
- Number of questions required to reset. This is the number of randomly-selected security questions the user must answer when resetting their password.
Next, you’ll need to create a pool of security questions that your employees will be able to choose from:
- Find the “Select security questions” section, and give it a click.
- Click “Predefined” and then choose from the list of available security questions.
- When you’re happy with your selection, click “OK.”
Your users will now be able to use these security questions as an authentication method.
Make sure the employee’s contact details are up-to-date
At this point, you’ve enabled SSPR and added one or more authentication methods, but there’s one final step. As part of the password reset process, Office 365 will require access to the employee’s contact information.
Your Azure AD admin could enter this information for each employee manually, or Microsoft can request this information automatically the next time the employee logs into their Office 365 account.
To save your Administrators a considerable amount of time and effort, let’s request this information from your employees:
- Sign into the Azure portal.
- Select “Azure Active Directory.”
- In the left-hand menu, select “Password Reset > Registration.”
- Push the following slider into the “On” position: “Require users to register when signing in.”
- You can now choose the “Number of days before users are asked to reconfirm their authentication information.” Note that outdated contact information can prevent your employees from recovering their account, so you should encourage users to keep this information up to date.
- When you’re happy with the information you’ve entered, click “Save.”
Now, your employees will be asked to enter their contact information the next time they log into their Office 365 account.
Once the user has entered this information, they’ll be able to reset their password using any of the authentication methods you set up in Azure AD.
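Before you raise the “Number of authentication methods required to reset” to two, or remove security questions as the earlier section recommends, it pays to know how many users would be left unable to reset at all. The script below is an added example (not the article’s own code and not Microsoft’s) that answers that question from a registration report. The records are constructed, with field names modelled on the Microsoft Graph userRegistrationDetails report (userPrincipalName, methodsRegistered); the method names are assumed to follow Graph’s naming, and each registered method is counted as one distinct method, which simplifies Azure AD’s real counting rules.

```python
"""Assess which users could actually complete SSPR under a given authentication
method policy, and what a policy change would do to that population.

Added example; not the article's own code and not Microsoft's. The records are
constructed, with field names modelled on the Microsoft Graph
userRegistrationDetails report; method names are assumed to follow Graph's
naming, and each registered method counts as one distinct method (a
simplification of Azure AD's real rules).
"""

# Constructed sample: what an export of the registration report might contain.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example",
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@contoso.example",
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example",
     "methodsRegistered": ["securityQuestion", "email"]},
    {"userPrincipalName": "dave@contoso.example",
     "methodsRegistered": ["securityQuestion"]},
    {"userPrincipalName": "erin@contoso.example",
     "methodsRegistered": []},
]

# The policy the article configures: the method families from the portal
# enabled (assumed Graph names), two methods required to reset.
POLICY = {
    "methods_enabled": {"microsoftAuthenticatorPush", "softwareOneTimePasscode",
                        "email", "mobilePhone", "securityQuestion"},
    "methods_required": 2,
}


def usable_methods(user, policy):
    """Registered methods that the SSPR policy actually lets this user use."""
    return set(user["methodsRegistered"]) & policy["methods_enabled"]


def assess(user, policy):
    """Per-user verdict: can they reset, how many methods are they short,
    and are they relying on security questions alone?"""
    usable = usable_methods(user, policy)
    required = policy["methods_required"]
    return {
        "upn": user["userPrincipalName"],
        "usable": sorted(usable),
        "ready": len(usable) >= required,
        "missing": max(0, required - len(usable)),
        "security_questions_only": usable == {"securityQuestion"},
    }


def not_ready(users, policy):
    """UPNs that would still be stuck calling the help desk under this policy."""
    return [a["upn"] for a in (assess(u, policy) for u in users) if not a["ready"]]


def what_if(users, policy, methods_required=None, disable=frozenset()):
    """Users who are ready today but would lose SSPR if the policy changed,
    e.g. raising the required count or switching off security questions."""
    proposed = {
        "methods_enabled": policy["methods_enabled"] - set(disable),
        "methods_required": (policy["methods_required"]
                             if methods_required is None else methods_required),
    }
    return [u["userPrincipalName"] for u in users
            if assess(u, policy)["ready"] and not assess(u, proposed)["ready"]]


if __name__ == "__main__":
    for verdict in (assess(u, POLICY) for u in SAMPLE_USERS):
        print(verdict)
    print("not ready:", not_ready(SAMPLE_USERS, POLICY))
    print("would lose SSPR without security questions:",
          what_if(SAMPLE_USERS, POLICY, disable={"securityQuestion"}))
```

Run against the sample, bob, dave and erin cannot reset under the two-method policy, and carol would join them if security questions were switched off. The practical use is to feed the “not ready” list into a registration campaign (the “Require users to register when signing in” slider above) before tightening the policy, rather than discovering the gap through help desk tickets afterwards.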