Last week I was scheduled to implement Self Service Password Reset (SSPR) for a client. Enabling SSPR is not that difficult, but I decided to take a look at the official Microsoft docs just in case something had changed recently. The client required Password Writeback, and that changes things in terms of licensing. That is what this blog post is about. But first: what is Self Service Password Reset?
What is SSPR?
Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user’s account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can’t sign in to their device or an application. Source: Microsoft docs.
Our client uses a hybrid environment: the on-premises Active Directory is synchronized to Azure AD with Azure AD Connect. Therefore the client required Password Writeback from Azure AD to the on-premises Active Directory domain.
Note: by default a reset via SSPR changes only the password of the Azure AD (cloud) identity. Password Writeback writes the new password back to the on-premises Active Directory account as well, so both identities end up with the same password. End users do not realise that the on-premises account and the Azure AD account are, in fact, separate identities; to them it is simply "my password".
In the past I thought that the license state of the tenant was enough to make use of SSPR. When your tenant overview shows Azure AD Premium P1 or P2 (see below), the SSPR feature is available in the portal. That does not mean you are entitled to use it: the tenant label only says that at least one Premium license exists in the tenant, while the feature has to be licensed for every user who uses it.
As mentioned before, the client uses a hybrid environment and required Password Writeback for all identities. Using SSPR with Password Writeback requires that every user who does so is licensed with Microsoft 365 Business Premium, Azure AD Premium P1 or Azure AD Premium P2.
Note: Microsoft 365 Business Premium includes Azure AD Premium P1. That makes Azure AD Premium P1 the minimum license for Password Writeback.
Not all users in scope had the required license assigned to their identity. Therefore I had to make sure that only compliant (licensed) users are able to use SSPR. How did we do this?
Dynamic User Group
We created a new dynamic user group in Azure AD with the rule syntax below. The rule adds every user who has the Azure AD Premium P1 or Azure AD Premium P2 service plan assigned with capability status Enabled (a plan that is assigned but Suspended or Deleted does not count). This group is then selected in the SSPR configuration shown further down. That way every identity that uses SSPR with Password Writeback is licensed for it, and a user who receives a license later is picked up automatically; dynamic membership is recalculated in the background, so allow a few minutes before checking. Dynamic groups are themselves an Azure AD Premium P1 feature, which costs nothing extra here because every member has P1 or P2 by construction. Just in case..
user.assignedPlans -any ((assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled") -or (assignedPlan.servicePlanId -eq "eec0eb4f-6444-4f95-aba0-50c24d67f998" -and assignedPlan.capabilityStatus -eq "Enabled"))
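The same group can be created from PowerShell, which also makes it easy to report which synced users will stay outside SSPR because they lack a license. The script below is an added example and not part of the original post or of any Microsoft tooling; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups and Microsoft.Graph.Users), a Global Administrator or Groups Administrator signing in, and the group name SSPR-Enabled used in this post. The two service plan IDs are the ones from the rule above.

```powershell
# Added example: create the SSPR-Enabled dynamic group and report unlicensed synced users.
# Requires: Install-Module Microsoft.Graph (Microsoft.Graph.Groups, Microsoft.Graph.Users).
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Service plan IDs (from Microsoft's licensing service plan reference)
$p1 = "41781fb2-bc02-4b7c-bd55-b576c07bb09d"   # AAD_PREMIUM    = Azure AD Premium P1 (also inside M365 Business Premium)
$p2 = "eec0eb4f-6444-4f95-aba0-50c24d67f998"   # AAD_PREMIUM_P2 = Azure AD Premium P2
$premiumPlans = @($p1, $p2)

# Same membership rule as in the post, with explicit parentheses around each clause
$rule = "user.assignedPlans -any (" +
        "(assignedPlan.servicePlanId -eq `"$p1`" -and assignedPlan.capabilityStatus -eq `"Enabled`") -or " +
        "(assignedPlan.servicePlanId -eq `"$p2`" -and assignedPlan.capabilityStatus -eq `"Enabled`"))"

# Create (or reuse) the dynamic security group. Group name is an assumption taken from the post.
$group = Get-MgGroup -Filter "displayName eq 'SSPR-Enabled'"
if (-not $group) {
    $group = New-MgGroup -DisplayName "SSPR-Enabled" `
        -Description "Users licensed for SSPR with Password Writeback (Azure AD Premium P1/P2)" `
        -MailEnabled:$false -MailNickname "SSPR-Enabled" -SecurityEnabled `
        -GroupTypes "DynamicMembership" `
        -MembershipRule $rule -MembershipRuleProcessingState "On"
}
Write-Host "Group $($group.DisplayName) ($($group.Id)) uses rule:`n$($group.MembershipRule)"

# Report: synced (on-premises) users and whether they hold an Enabled P1/P2 plan.
# This is the same test the dynamic rule applies, evaluated client-side.
$synced = Get-MgUser -Filter "onPremisesSyncEnabled eq true" -All `
    -Property UserPrincipalName, AccountEnabled, AssignedPlans

$report = foreach ($u in $synced) {
    $licensed = @($u.AssignedPlans | Where-Object {
        $_.ServicePlanId -in $premiumPlans -and $_.CapabilityStatus -eq "Enabled"
    })
    [pscustomobject]@{
        User                 = $u.UserPrincipalName
        AccountEnabled       = $u.AccountEnabled
        LicensedForWriteback = ($licensed.Count -gt 0)
    }
}

# Users in this list cannot use SSPR until they get a P1/P2 license; the dynamic group
# will include them automatically once they do (membership refresh takes a few minutes).
$report | Where-Object { -not $_.LicensedForWriteback } | Sort-Object User | Format-Table -AutoSize
```

Run the report again after the licenses are assigned; anyone still listed is a user the help desk will hear from, because SSPR will tell them it is not available for their account.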
Configure Password Writeback in AD Connect
Password Writeback is a feature that has to be enabled manually in Azure AD Connect. The first question I asked myself was "On which server is Azure AD Connect installed?". Query Active Directory for a user account whose name starts with "MSOL_". An Express installation creates this AD DS connector account and records the server in its description ("...running on computer <server> configured to synchronize to tenant <tenant>..."). If a custom installation was done with your own connector account, there is no MSOL_ account; check the installed programs or the Synchronization Service Manager on the candidate servers instead.
Start Azure AD Connect and click Configure.
Select Customize synchronization options and click Next.
Sign in with a Global Administrator account and click Next.
Click Next until you reach Optional features. Select Password writeback.
Click Next until you see the Configure button. Click Configure and you're done: Password Writeback is now configured for your tenant and on-premises domain. Two checks are worth doing afterwards. First, the AD DS connector account (the MSOL_ account on an Express installation) must hold the Reset password, Write lockoutTime and Write pwdLastSet permissions on the user objects in scope; Express installations grant these automatically, a custom connector account may need them added. Second, in the Azure portal under Azure Active Directory -> Password reset -> On-premises integration, the option Write back passwords to your on-premises directory must be set to Yes.
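To script the two lookups from this section (which server runs Azure AD Connect, and whether writeback is actually switched on there), here is an added example that is not part of the original post. It assumes a domain-joined admin host with the ActiveDirectory RSAT module and WinRM access to the Azure AD Connect server; the regex relies on the description text an Express installation writes into the MSOL_ account, and the Get-ADSyncAADPasswordResetConfiguration cmdlet and the "<tenant> - AAD" connector name are taken from the ADSync module as documented in Microsoft's writeback troubleshooting guidance (verify with Get-Command on your version).

```powershell
# Added example: locate the Azure AD Connect server via the MSOL_ account, then check writeback.
Import-Module ActiveDirectory

# 1. An Express installation creates MSOL_<id> with a description like
#    "Account created by Microsoft Azure Active Directory Connect with installation identifier
#     <guid> running on computer SRV-AADC01 configured to synchronize to tenant contoso.onmicrosoft.com ..."
$msolAccounts = @(Get-ADUser -Filter "Name -like 'MSOL_*'" -Properties Description)
if ($msolAccounts.Count -eq 0) {
    throw "No MSOL_ account found. A custom installation uses its own AD DS connector account; check Synchronization Service Manager on the candidate servers."
}

$aadcServers = foreach ($acct in $msolAccounts) {
    $server = if ($acct.Description -match 'running on computer (\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Account     = $acct.SamAccountName
        Server      = $server
        Description = $acct.Description
    }
}
$aadcServers | Format-Table Account, Server -AutoSize

# 2. On each server, read the password reset (writeback) configuration of the Azure AD connector.
#    The ADSync module ships with Azure AD Connect; the AAD connector is named "<tenant> - AAD".
foreach ($entry in $aadcServers | Where-Object Server) {
    Invoke-Command -ComputerName $entry.Server -ScriptBlock {
        Import-Module ADSync
        $aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
        if (-not $aadConnector) { throw "No Azure AD connector found on $env:COMPUTERNAME" }
        $cfg = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
        [pscustomobject]@{
            Server            = $env:COMPUTERNAME
            Connector         = $aadConnector.Name
            WritebackEnabled  = $cfg.Enabled
        }
    }
}
```

If WritebackEnabled comes back False after the wizard reported success, the usual cause is that the wizard was run on a staging-mode server or that a second, older Azure AD Connect installation is the one actually synchronizing; the MSOL_ description tells you which server that is.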
Configure Self Service Password Reset (SSPR)
This part is about SSPR itself, which is not difficult at all. Enabling SSPR for everyone is the usual recommendation, but in hybrid scenarios with Password Writeback you have to make sure every user who can use it is licensed with at least Azure AD Premium P1!
- In the Azure Portal, navigate to Azure Active Directory -> Password reset.
- Set Self service password reset enabled to "Selected".
- Select the group created in the step before. SSPR-Enabled in my example.
- Click Save.
SSPR is now configured, enabled and available only to users (identities) with the correct licenses, which is exactly what is required when Password Writeback is in use!