Self-service password reset (SSPR) in Microsoft Entra ID gives users a path back into their accounts without opening a ticket, reducing help desk volume and recovery times without technician involvement.
A user enters their username, verifies their identity through one or more registered methods, and sets a new password, typically in under two minutes. Entra ID SSPR handles two operations: resetting a cloud-only password, and writing the change back to on-premises AD for hybrid accounts. Each operation can be enabled independently.
However, Entra ID SSPR has real limitations at enterprise scale around authentication method depth, hybrid configuration complexity, and policy granularity. This guide covers native Entra ID SSPR configuration, where those boundaries sit in practice, and how ManageEngine ADSelfService Plus extends the capability for organizations that need more.
Before configuring self-service password reset in Entra ID, ensure the following requirements are met:
| License tier | SSPR scope | Password writeback |
|---|---|---|
| Microsoft Entra ID Free | Administrators only | Not available |
| Microsoft Entra ID P1 | All users or selected group | Available |
| Microsoft Entra ID P2 | All users or selected group | Available |
| Microsoft 365 Business Premium | All users or selected group | Available (P1 included) |
Note: The administrator reset policy operates independently of this setting. An account holding any administrator role always faces a two-gate challenge, because Microsoft sets that policy at the platform level. Testing SSPR with your own admin account gives you a different experience from what your users will see.
Microsoft Entra ID handles cloud identity well, but has notable gaps for organizations with complex needs around authentication method depth, hybrid configuration, and policy granularity.
ADSelfService Plus fills these gaps with granular group-based SSPR policies, advanced password policy enforcement, stronger verification options, and dedicated on-premises AD SSPR capability:
Note: ADSelfService Plus creates a default policy for each discovered domain. You can edit this existing policy or create new policies to fit your requirements.
ADSelfService Plus supports 17 authenticators for identity verification during password reset.
Two-factor vs. three-factor verification: Set the minimum authenticator count to one for lower-sensitivity groups or domains, and two for privileged accounts or regulated data handlers. Requiring two authenticators during reset means an attacker who controls a user's email or phone alone can't complete the flow; they also need to clear at least one further, independent challenge before a new password is issued.
Per-group method assignment: Policies scoped to groups and domains let you assign different authenticators to different populations. For example, FIDO2 passkeys and hardware tokens for executive and finance groups; TOTP plus backup codes for standard users.
Conditional access layering: ADSelfService Plus evaluates IP address, device, time of day, and geolocation before presenting the MFA challenge. A user resetting from an unrecognized IP outside business hours gets an additional factor that the same user wouldn't face from a corporate workstation.
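The three policy ideas above (a per-group minimum authenticator count, per-group method assignment, and a risk check on source IP and time of day that raises the requirement) can be modelled in a few dozen lines. The following is an added example written for this page; it is not ADSelfService Plus or Entra ID code and does not use either product's API. The group names, method names, corporate network ranges, business-hours window and the rule that two methods sharing one channel (for example SMS and voice to the same phone number) count as a single factor are all assumptions made for the example, not product behaviour taken from the page.

```python
"""Model of a group-scoped SSPR verification policy with risk-based step-up.

Added example for illustration only; names, networks and policy values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Each authenticator is mapped to the thing an attacker would need to control.
# Two methods on the same channel are not independent and count once (assumption).
CHANNEL = {
    "email_otp": "mailbox",
    "sms_otp": "phone_number",
    "voice_call": "phone_number",
    "totp_app": "enrolled_device",
    "push_app": "enrolled_device",
    "fido2_passkey": "hardware_key",
    "backup_code": "backup_codes",
    "security_questions": "knowledge",
}

# Constructed corporate ranges (documentation prefixes) and an assumed 08:00-17:59 window.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 18)


@dataclass(frozen=True)
class ResetPolicy:
    group: str
    allowed_methods: frozenset
    min_authenticators: int
    step_up_on_risk: bool = True


# Hypothetical policies: stronger methods and two factors for finance, one factor for standard users.
POLICIES = {
    "finance": ResetPolicy("finance", frozenset({"fido2_passkey", "totp_app", "push_app"}), 2),
    "standard": ResetPolicy(
        "standard", frozenset({"totp_app", "push_app", "email_otp", "sms_otp", "backup_code"}), 1
    ),
}


@dataclass
class ResetAttempt:
    user: str
    group: str
    verified_methods: list  # methods the user has passed in this reset session
    source_ip: str
    when: datetime


def is_risky(attempt):
    """Conditional-access style check: unknown network or outside business hours."""
    addr = ip_address(attempt.source_ip)
    off_network = not any(addr in net for net in CORPORATE_NETWORKS)
    off_hours = attempt.when.hour not in BUSINESS_HOURS
    return off_network or off_hours


def required_factors(policy, attempt):
    """Base minimum for the group, plus one extra independent factor when the attempt is risky."""
    extra = 1 if (policy.step_up_on_risk and is_risky(attempt)) else 0
    return policy.min_authenticators + extra


def evaluate(attempt):
    """Return (allowed, reason) for a reset attempt."""
    policy = POLICIES.get(attempt.group)
    if policy is None:
        return False, "no policy for group"
    disallowed = [m for m in attempt.verified_methods if m not in policy.allowed_methods]
    if disallowed:
        return False, f"method not permitted for group: {disallowed[0]}"
    channels = {CHANNEL[m] for m in attempt.verified_methods}  # independent factors only
    need = required_factors(policy, attempt)
    if len(channels) < need:
        return False, f"{len(channels)} independent factor(s) verified, {need} required"
    return True, "ok"


def evaluate_request(user, group, methods, source_ip, iso_time):
    """Convenience wrapper taking the timestamp as an ISO-8601 string."""
    return evaluate(ResetAttempt(user, group, list(methods), source_ip, datetime.fromisoformat(iso_time)))


if __name__ == "__main__":
    # A standard user from a corporate address during the day passes with one factor ...
    print(evaluate_request("alice", "standard", ["email_otp"], "10.1.2.3", "2024-03-04T10:30"))
    # ... but the same user from an unknown address late at night now needs two.
    print(evaluate_request("alice", "standard", ["email_otp"], "198.51.100.7", "2024-03-04T23:05"))
    # SMS plus voice to the same number is still one factor.
    print(evaluate_request("alice", "standard", ["sms_otp", "voice_call"], "198.51.100.7", "2024-03-04T23:05"))
```

The channel table is the part worth copying into a real policy review: counting methods rather than independent channels is how a "two-method" reset quietly degrades to a single phone number.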
Users must register their authentication methods before the reset flow can work. Three enrollment paths are available.
Self-enrollment via the web portal: Users complete the enrollment wizard for their assigned authenticators through the ADSelfService Plus portal. Simple for engaged user bases, but unreliable when users ignore prompts and forget passwords before enrolling.
Enrollment notifications via email or push: Automated reminders nudge unenrolled users to complete enrollment before they need it—reducing the gap between account provisioning and SSPR readiness.
CSV-based bulk preenrollment: Import enrollment data to preregister entire populations, which is useful when migrating from another MFA platform or onboarding a new department. Users arrive preenrolled and SSPR is available from day one.
Unenrolled users who attempt a reset are blocked and redirected to enroll, with no bypass unless one is explicitly enabled. Enrollment coverage is visible in the built-in reports, and a reconfirmation schedule can be configured to catch stale mobile numbers and replaced devices before they block a legitimate reset.
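The enrollment gate, the coverage report and the reconfirmation schedule described above amount to one check over the enrollment data: who has enough registered methods for their group's policy, who would be redirected to enroll, and whose registrations are old enough to be reconfirmed. The example below is added for this page and is not ADSelfService Plus code; the CSV column layout, the per-group minimum method counts, the 180-day reconfirmation interval and every user record are constructed assumptions, not the product's export format or defaults.

```python
"""Enrollment coverage and reconfirmation check over a constructed CSV export.

Added example; the column layout (user,group,method,enrolled_on) and all values are assumed.
A row with an empty method marks a provisioned user who has not enrolled anything.
"""
import csv
from datetime import date
from io import StringIO

ENROLLMENT_CSV = """\
user,group,method,enrolled_on
alice,standard,email_otp,2024-01-15
alice,standard,sms_otp,2024-01-15
bob,standard,totp_app,2023-06-01
carol,finance,fido2_passkey,2024-02-20
dave,finance,totp_app,2024-02-21
erin,standard,,
"""

# Assumed policy: minimum enrolled methods before a reset can succeed for the group.
MIN_METHODS = {"standard": 1, "finance": 2}
# Assumed reconfirmation interval: registrations older than this are flagged.
RECONFIRM_DAYS = 180


def load_enrollments(text):
    """Return {user: (group, [(method, enrolled_on), ...])}."""
    records = {}
    for row in csv.DictReader(StringIO(text)):
        _group, methods = records.setdefault(row["user"], (row["group"], []))
        if row["method"]:
            methods.append((row["method"], date.fromisoformat(row["enrolled_on"])))
    return records


def coverage_report(text, today_iso):
    """Classify users as covered (can reset), blocked (would be sent to enroll), or stale.

    Returns a dict with the three lists plus per-group (covered, total) counts.
    """
    today = date.fromisoformat(today_iso)
    records = load_enrollments(text)
    covered, blocked, stale = [], [], []
    per_group = {}
    for user, (group, methods) in sorted(records.items()):
        done, total = per_group.get(group, (0, 0))
        need = MIN_METHODS.get(group, 1)
        if len(methods) >= need:
            covered.append(user)
            done += 1
        else:
            blocked.append(user)  # a reset attempt is redirected to enrollment
        per_group[group] = (done, total + 1)
        for method, enrolled_on in methods:
            if (today - enrolled_on).days > RECONFIRM_DAYS:
                stale.append((user, method))  # due for reconfirmation
    return {"covered": covered, "blocked": blocked, "stale": stale, "per_group": per_group}


if __name__ == "__main__":
    report = coverage_report(ENROLLMENT_CSV, "2024-03-01")
    for group, (done, total) in sorted(report["per_group"].items()):
        print(f"{group}: {done}/{total} users ready for self-service reset")
    print("blocked until enrolled:", report["blocked"])
    print("due for reconfirmation:", report["stale"])
```

Run on the constructed data as of 2024-03-01, the finance group shows zero coverage even though both members have a registered method, because the group policy demands two; that is the gap the enrollment report is meant to surface before the help desk path is switched off.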
Password writeback works, but it requires a P1 or P2 license, an Entra Connect service account with the correct permissions, and an on-premises infrastructure dependency that becomes a single point of failure for every cloud-side reset.
ADSelfService Plus provides seamless password synchronization between AD and Microsoft Entra ID. Users can reset or change their passwords through a single self-service portal, and ADSelfService Plus automatically updates credentials across connected directories without requiring Entra Connect password writeback.
Post-action notifications: Configure email and SMS templates for password reset events under Admin > Mail/SMS Settings. Alert the user, their manager, and admin addresses per action type without any extra tools.
Portal branding: Apply a logo, color scheme, and help desk contact link through Admin > Customization. The help desk link appears throughout the reset flow, giving users a visible fallback before they reach for the phone.
Audit-ready reporting: Every self-service event is logged under Reports > Audit Logs. More than 14 built-in reports map to GDPR, HIPAA, PCI DSS, SOX, NIST, NIS2, CJIS, and the Essential Eight, and can be scheduled directly to the compliance team's inbox.
Pilot first. Enable Entra ID SSPR on one group, validate AD sync, and measure the drop in help desk tickets before rolling ADSelfService Plus out to the full environment.
Enroll before cutting the help desk reset path. Users who aren't enrolled when the switch flips will call anyway. Use ADSelfService Plus forced enrollment at Windows logon for two weeks, monitor the enrollment report, then disable the help desk path.
Default to two authentication methods. One factor means a stolen email or borrowed phone clears self-service password reset verification alone. Two independent factors make each individually insufficient.
Use FIDO passkeys for admin accounts. Phishing, credential stuffing, and MITM attacks against OTP channels don't work against FIDO2 public-key authentication, making it the simplest control that closes those vectors entirely for privileged identities.
Self-service password reset in Microsoft Entra ID (formerly Azure AD) lets users reset forgotten passwords and get out of locked accounts without calling IT. They verify their identity through one or more registered methods, and set a new password. The process takes under two minutes for most users.
Microsoft Entra ID intercepts the password reset request, confirms the user's identity through the configured authentication methods, and either writes the new password to the cloud account directly or routes it back to on-premises Active Directory through Microsoft Entra Connect if the tenant uses hybrid identity with password writeback enabled.
Microsoft Entra ID Free covers SSPR for administrator accounts only. Enabling SSPR for standard users or a selected group requires Microsoft Entra ID P1 or P2. Password writeback to on-premises AD also requires P1 or P2. Microsoft 365 Business Premium bundles P1 and qualifies.
Microsoft Entra SSPR offers six user authentication methods: mobile app notification, mobile app code, email, mobile phone (SMS or voice), office phone, and security questions. You configure whether users complete one method or two to finish a reset. ManageEngine ADSelfService Plus adds 11+ further options including FIDO passkeys, YubiKey, and biometric authentication for organizations needing more verification coverage.