Entra ID self-service password reset
SSPR lets users reset their own passwords without calling the help desk. Here's the configuration and rollout.
Self-service password reset (SSPR) in Entra ID lets users reset their own passwords without help-desk involvement. It's one of the highest-leverage features in Entra: it removes one of the most common help-desk tickets and gives users a faster path back to work.
How SSPR works
When SSPR is enabled and a user has registered authentication methods:
- The user clicks "Can't access your account?" on the Microsoft 365 sign-in page.
- They enter their work or school account.
- Entra asks them to verify identity using registered methods (Microsoft Authenticator, phone, email, security questions).
- Once verified, they set a new password.
- If password writeback is enabled, the new password syncs back to on-prem Active Directory.
For hybrid environments, password writeback (configured in Entra Connect) is essential — otherwise the reset only updates the cloud account, and the on-prem AD account stays locked.
Authentication methods
Each enabled method becomes available for SSPR verification:
- Microsoft Authenticator (recommended).
- Mobile phone (text or call).
- Office phone.
- Email to a non-work address.
- Security questions — discouraged but still available for organisations with very limited mobile usage.
Best practice: require two methods for reset (the default) so a single compromised channel can't be used to take over an account.
Combined security info registration
Modern Entra ID uses a combined registration experience for MFA and SSPR. Users register their methods once, and those methods serve both purposes. This is enabled by default for new tenants.
Rollout
A typical sequence:
- Enable SSPR for a pilot group in the Entra admin center.
- Define authentication methods and the number required.
- Enable password writeback on Entra Connect for hybrid environments.
- Configure notification settings so admins and users are alerted on password reset events.
- Force registration for the pilot group — users see a registration prompt at next sign-in.
- Expand to all users once the pilot is clean.
Operational notes
- Admin accounts have stricter rules — SSPR is available but methods are limited and security questions don't apply.
- B2B guests can't use SSPR in your tenant; they reset their password at their home tenant.
- Password protection policies (in Entra ID Authentication methods) define minimum complexity, banned password lists, and on-prem AD password protection.
- Audit logs for SSPR show who reset when and from where — useful for both compliance and incident response.
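The audit-log point above can be turned into a quick triage pass. The following is an added example, not part of the original article: it assumes records exported in the Microsoft Graph `directoryAudit` shape, and the activity names, the 15-minute window and the threshold of 3 failures are assumptions to check against your own tenant's logs. All sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RESET = "Reset password (self-service)"               # assumed activity name
BLOCKED = "Blocked from self-service password reset"  # assumed activity name

def _rec(ts, activity, result, upn, ip):
    # Build one constructed record in the directoryAudit shape.
    return {"activityDateTime": ts, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}}}

# Constructed sample data (documentation domain and IP ranges only).
SAMPLE = [
    _rec("2024-05-01T09:00:00Z", RESET, "success", "alice@contoso.example", "198.51.100.7"),
    _rec("2024-05-01T10:00:00Z", RESET, "failure", "bob@contoso.example", "203.0.113.10"),
    _rec("2024-05-01T10:03:00Z", RESET, "failure", "bob@contoso.example", "203.0.113.10"),
    _rec("2024-05-01T10:05:00Z", RESET, "failure", "bob@contoso.example", "203.0.113.10"),
    _rec("2024-05-01T10:09:00Z", RESET, "success", "bob@contoso.example", "203.0.113.10"),
    _rec("2024-05-01T11:00:00Z", BLOCKED, "failure", "carol@contoso.example", "203.0.113.44"),
]

def parse(record):
    """Reduce one audit record to (when, who, from_where, activity, result)."""
    user = (record.get("initiatedBy") or {}).get("user") or {}
    when = datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))
    return (when, (user.get("userPrincipalName") or "unknown").lower(),
            user.get("ipAddress") or "unknown",
            record["activityDisplayName"], record["result"])

def triage(records, window=timedelta(minutes=15), threshold=3):
    """Return {upn: reason} for accounts whose SSPR activity deserves review."""
    findings, failures = {}, defaultdict(list)
    for when, upn, ip, activity, result in sorted(parse(r) for r in records):
        if activity == BLOCKED:
            findings[upn] = f"blocked from SSPR at {when:%H:%M} from {ip}"
        elif activity == RESET and result == "failure":
            failures[upn].append(when)
        elif activity == RESET and result == "success":
            # A success right after a burst of failures is worth a second look.
            recent = [t for t in failures[upn] if when - t <= window]
            if len(recent) >= threshold:
                findings[upn] = f"reset at {when:%H:%M} from {ip} after {len(recent)} failures"
            failures[upn].clear()
    return findings

if __name__ == "__main__":
    for upn, reason in triage(SAMPLE).items():
        print(upn, "->", reason)
```

A flagged account is a prompt to confirm the reset with the user, not proof of compromise; tune the window and threshold to your tenant's normal reset pattern.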
Licensing
SSPR for cloud-only accounts is available in all Entra ID tiers (Free, P1, P2). Password writeback to on-prem AD requires Entra ID P1, included with Microsoft 365 Business Premium, E3, and E5.
For most tenants, enabling SSPR within the first week of deployment is the single fastest way to reduce help-desk burden.