Microsoft Entra self-service password reset (SSPR) allows users to change or reset the password on their own. It does not require support from the helpdesk.

To allow the user to change or reset the password, the following authentication methods are available for Microsoft Entra self-service password reset (SSPR):

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone (SMS only)
  • Office phone
  • Security questions

Which of the above authentication methods are available is determined by the administrator and may require partial preparatory tasks.

Microsoft Entra self-service password reset (SSPR) supports Passthrough Authentication (PTA) and Password Hash Sync (PHS).

Note: Legacy SSPR will be deprecated as of September 30, 2025. For more information, please refer to: Migrate legacy MFA and legacy SSPR policies to the authentication methods in Microsoft Entra ID – cloudcoffee.ch

Prerequisites and Licensing

Depending on the required functionality of Microsoft Entra self-service password reset (SSPR), different licenses are required:

Microsoft
Entra ID
Free
Microsoft 365
Business /
Standard
Microsoft 365
Business
Premium
Microsoft
Entra ID
P1 / P2
User password change (Cloud only)xxxx
User password reset (Cloud only)xxx
Change or reset password in Hybrid scenario with Microsoft Entra Connectxx

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.

Configuration Microsoft Entra Connect

If Microsoft Entra Connect is not used, this section can be skipped.

Microsoft Entra self-service password reset (SSPR) requires Microsoft Entra Connect with the optional feature Password writeback.

Connect with a global administrator to Microsoft Entra ID.

Connect with a local administrator to Active Directory.

Select Password writeback

Enable single sign-on (SSO) to increase user convenience.

The configuration is now being checked and can be started.

After completing the configuration, close Microsoft Entra Connect to start synchronization.

The successful activation of Password writeback can be seen under Microsoft Entra ID > Monitoring > Audit Logs.

Microsoft Entra Connect is now prepared for Microsoft Entra self-service password reset (SSPR).

Configuration Microsoft Entra self-service password reset (SSPR)

The following settings can be made in the Azure Portal (https://portal.azure.com) under Microsoft Entra ID > Password reset.

Enable Password Reset

Under Properties, it is specified which users can change or reset the password independently. The options are All or defined user groups.

WARNING: Members of this group will receive a prompt to update the security information after activation. It makes sense to inform the users about this step in advance.

Authentication methods

The authentication methods specify which methods may be used for verification by a user.

To ensure increased safety, 2 verification methods are necessary.

The following authentication methods are available:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone (SMS only)
  • Office phone
  • Security questions

Password Reset Registration

In order to be able to change or reset the password in case of need, it requires the registration of the authentication methods of each user.

When sign in for the first time, the user is prompted to complete the security information.

The security information must be confirmed recurrently. This can be configured between 0 days (no confirmation) to a maximum of 730 days.

On-premises integration

When using Microsoft Entra Connect or Microsoft Entra Cloud Sync, password write back must be enabled.

User password change

The user can independently change the password at https://myaccount.microsoft.com/.

If all security information is not yet available, a prompt to complete the security information will appear after login.

Select Overview > Change Password

Enter new password – done!

User password reset

To reset a forgotten password, just click on Forgot my password, you will now then verify yourself with the previously registered authentication methods and are aible to reset the password.


Follow me on LinkedIn to always stay updated on my recent posts.

Follow on LinkedIn