# Entra ID Self-Service Password Reset (SSPR) Implementation

<table class="MsoNormalTable" id="bkmrk-field-details-docume" style="width: 73.6905%; height: 180px;" title=""><tbody><tr><td style="width: 20.5175%;">**Field**

</td><td style="width: 79.485%;">**Details**

</td></tr><tr><td style="width: 20.5175%;">Document Type

</td><td style="width: 79.485%;">How-To Guide: Enterprise Implementation Runbook

</td></tr><tr><td style="width: 20.5175%;">Applies To

</td><td style="width: 79.485%;">Microsoft Entra ID, Microsoft Entra Connect Sync, Microsoft 365

</td></tr><tr><td style="width: 20.5175%;">Audience

</td><td style="width: 79.485%;">Identity Engineers / Entra ID Administrators / Systems Administrators

</td></tr><tr><td style="width: 20.5175%;">Author</td><td style="width: 79.485%;">AK. Udofeh

</td></tr><tr><td style="width: 20.5175%;">Last Updated

</td><td style="width: 79.485%;">March 2026

</td></tr></tbody></table>

##### **Overview**

**[![SSPR image.png](https://docs.aktechnoservices.com/uploads/images/gallery/2026-03/scaled-1680-/sspr-image.png)](https://docs.aktechnoservices.com/uploads/images/gallery/2026-03/sspr-image.png)**

This document provides a complete runbook for implementing **Self-Service Password Reset (SSPR)** in Microsoft Entra ID within an enterprise environment using **Entra Connect Sync with Password Writeback**. The guide walks through prerequisites, configuration steps, authentication method setup, hybrid password writeback, monitoring, and troubleshooting.

The configuration enables users and administrators to reset their own passwords securely using **Microsoft Authenticator, SMS, and Security Questions**, with passwords written back to on-premises Active Directory.

##### **The Issue**

In organisations without Self-Service Password Reset enabled:

- Users must contact the **Service Desk** to reset forgotten passwords.
- Password resets generate **high ticket volume**.
- Account lockouts reduce productivity.
- Password resets outside support hours may delay business operations.

Common symptoms in such environments include:

- Frequent password reset tickets.
- Users locked out of Microsoft 365 services.
- Helpdesk manually resetting passwords in **Active Directory Users and Computers (ADUC)**.

Basic remediation steps such as:

- Clearing browser cache
- Waiting for lockout timers
- Logging into another device

do **not resolve the underlying issue**, because the problem is structural: users lack a secure self-service mechanism.

##### **Context**

The root cause is the absence of **Self-Service Password Reset capability integrated with the organisation’s identity infrastructure**.

In hybrid identity environments, password changes must occur across two identity planes:

```
User → Entra ID Authentication
       ↓
SSPR Validation (Authenticator / SMS / Questions)
       ↓
Entra ID Password Reset Engine
       ↓
Password Writeback via Entra Connect
       ↓
On-Prem Active Directory Password Update
       ↓
Password Sync Back to Entra ID
```

##### **Normal Process (with SSPR)**

1. User initiates password reset.
2. Entra ID verifies identity using configured authentication methods.
3. Password reset is approved.
4. Password writeback sends the new password to on-prem AD.
5. Entra Connect synchronises the updated password hash.

##### **What Breaks Without SSPR**

- Users cannot reset passwords independently.
- Password resets must be performed by administrators.
- Hybrid environments create delays due to manual intervention.

##### **Known Triggers for Password Reset Demand**

- Password expiry policies.
- Account lockout thresholds.
- New device sign-ins triggering authentication.
- VPN credential usage.
- Conditional Access enforcing re-authentication.

##### **Before You Start**

<table id="bkmrk-check-where-entra-id" style="width: 85.9524%; height: 238.375px;"><thead><tr style="height: 29.7969px;"><th style="width: 48.2826%; height: 29.7969px;">**Check**</th><th style="width: 51.7174%; height: 29.7969px;">**Where**</th></tr></thead><tbody><tr style="height: 29.7969px;"><td style="width: 48.2826%; height: 29.7969px;">Entra ID P1 or P2 licenses assigned</td><td style="width: 51.7174%; height: 29.7969px;">Microsoft 365 Admin Center</td></tr><tr style="height: 29.7969px;"><td style="width: 48.2826%; height: 29.7969px;">Microsoft Entra Connect Sync installed</td><td style="width: 51.7174%; height: 29.7969px;">On-prem identity server</td></tr><tr style="height: 29.7969px;"><td style="width: 48.2826%; height: 29.7969px;">Password Writeback feature enabled</td><td style="width: 51.7174%; height: 29.7969px;">Entra Connect configuration</td></tr><tr style="height: 29.7969px;"><td style="width: 48.2826%; height: 29.7969px;">Hybrid identity synchronisation healthy</td><td style="width: 51.7174%; height: 29.7969px;">Entra Connect Health</td></tr><tr style="height: 29.7969px;"><td style="width: 48.2826%; height: 29.7969px;">Security group created for SSPR pilot scope</td><td style="width: 51.7174%; height: 29.7969px;">Entra ID → Groups</td></tr><tr style="height: 29.7969px;"><td style="width: 48.2826%; height: 29.7969px;">Users registered for authentication methods</td><td style="width: 51.7174%; height: 29.7969px;">Security Info portal</td></tr><tr style="height: 29.7969px;"><td style="width: 48.2826%; height: 29.7969px;">Required firewall ports open</td><td style="width: 51.7174%; height: 29.7969px;">Identity infrastructure</td></tr></tbody></table>

##### **Implementation steps**

**Step 1: Create the SSPR Security Group**

1\. Open the **Microsoft Entra Admin Center**

```
https://entra.microsoft.com
```

2\. Navigate to:

```
Identity > Groups
```

3\. Select **New Group**

Configuration:

<table id="bkmrk-setting-value-group-"><thead><tr><th>**Setting**</th><th>**Value**</th></tr></thead><tbody><tr><td>Group Type</td><td>Security</td></tr><tr><td>Name</td><td>SSPR-Enabled-Users</td></tr><tr><td>Membership</td><td>Assigned</td></tr></tbody></table>

4\. Add users who should have SSPR enabled.

<p class="callout info">This group will be used to scope the SSPR policy.</p>
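The pilot group from Step 1 can also be created from Microsoft Graph PowerShell, which keeps the scope repeatable across tenants and safe to re-run. The script below is an added example and not part of the original runbook; it assumes the Microsoft.Graph module is installed, that the signed-in account holds the Group.ReadWrite.All and User.Read.All scopes, and that the user principal names in `$PilotUsers` are placeholders you replace with the real pilot users.

```powershell
# Added example (not the runbook's own code): create the SSPR pilot security group
# from Step 1 idempotently and add the pilot users to it.
# Assumptions: Microsoft.Graph module installed; scopes Group.ReadWrite.All and
# User.Read.All granted; $PilotUsers holds placeholder UPNs, not real accounts.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Users

$GroupName  = 'SSPR-Enabled-Users'              # name used throughout the runbook
$PilotUsers = @(                                 # placeholder UPNs (constructed), replace with pilot users
    'pilot.user1@contoso.example',
    'pilot.user2@contoso.example'
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' -NoWelcome

# Reuse the group if it already exists so the script can be run more than once.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName `
        -Description 'Scopes the Entra ID self-service password reset policy' `
        -MailEnabled:$false -MailNickname $GroupName -SecurityEnabled
    Write-Host "Created security group $GroupName ($($group.Id))"
} else {
    Write-Host "Group $GroupName already exists ($($group.Id))"
}

# Current member ids, so duplicate adds (which Graph rejects) are skipped.
$existing = Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id

foreach ($upn in $PilotUsers) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" `
        -Property Id, UserPrincipalName, OnPremisesSyncEnabled
    if (-not $user) { Write-Warning "User $upn not found in Entra ID; skipping"; continue }

    # Password writeback only applies to accounts synced from on-prem AD, so
    # cloud-only accounts are flagged rather than silently added to the pilot.
    if (-not $user.OnPremisesSyncEnabled) {
        Write-Warning "$upn is cloud-only; password writeback will not apply to this account"
    }
    if ($existing -contains $user.Id) { Write-Host "$upn is already a member"; continue }

    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Added $upn to $GroupName"
}
```

Membership is assigned rather than dynamic on purpose: the group scopes who can reset a password, so changes to it should be deliberate and reviewable in the audit log.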

**Step 2: Enable Self-Service Password Reset**

Navigate to:

```
Entra ID > Password Reset
```

<table id="bkmrk-setting-value-self-s"><thead><tr><th>**Setting**</th><th>**Value**</th></tr></thead><tbody><tr><td>Self Service Password Reset Enabled</td><td>Selected</td></tr><tr><td>Selected Group</td><td>SSPR-Enabled-Users</td></tr></tbody></table>

Save the configuration.

**Step 3: Configure Authentication Methods**

Navigate to:

```
Entra ID > Authentication Methods
```

<table id="bkmrk-method-enabled-micro" style="width: 46.0714%; height: 89.3907px;"><thead><tr style="height: 29.7969px;"><th style="width: 50.002%;">Method</th><th style="width: 50.002%;">Enabled</th></tr></thead><tbody><tr style="height: 29.7969px;"><td style="width: 50.002%;">Microsoft Authenticator</td><td style="width: 50.002%;">Enabled</td></tr><tr style="height: 29.7969px;"><td style="width: 50.002%;">SMS</td><td style="width: 50.002%;">Enabled</td></tr><tr><td style="width: 50.002%;">Email OTP</td><td style="width: 50.002%;">Enabled</td></tr></tbody></table>

<p class="callout info">Enable each authentication method the SSPR policy will use and, in each method's target settings, include the SSPR-Enabled-Users group so that the methods are available to the pilot users.</p>

Navigate to:

```
Entra ID > Password Reset > Authentication Methods
```

<table id="bkmrk-setting-value-number" style="width: 43.9286%;"><thead><tr><th style="width: 65.797%;">Setting</th><th style="width: 34.203%;">Value</th></tr></thead><tbody><tr><td style="width: 65.797%;">Number of methods required</td><td style="width: 34.203%;">1</td></tr></tbody></table>

<p class="callout info">Choose the desired number of authentication methods required to reset a password and save.</p>

**Step 4: Enable Password Writeback**

Sign in to the Windows Server that hosts **Microsoft Entra Connect**.

Launch:

```
Azure AD Connect
```

Select:

```
Configure → Customize synchronization options
```

During configuration:

Enable:

```
Password writeback
```

[![Entra ID Connect setup.png](https://docs.aktechnoservices.com/uploads/images/gallery/2026-03/scaled-1680-/entra-id-connect-setup.png)](https://docs.aktechnoservices.com/uploads/images/gallery/2026-03/entra-id-connect-setup.png)

Complete the configuration wizard.

Verify status in:

```
Entra Admin Center
Identity → Hybrid Management → Entra Connect
```

<p class="callout warning">Password writeback must show **Enabled**.</p>

**Step 5: Enable Administrator SSPR**

In Entra ID navigate to:

```
Entra ID > Password Reset > Administration Policy
```

Administrators require stricter security.

Recommended configuration:

<table id="bkmrk-setting-value-number-1"><thead><tr><th>Setting</th><th>Value</th></tr></thead><tbody><tr><td>Number of authentication methods required</td><td>2</td></tr><tr><td>Allowed methods</td><td>Authenticator, SMS</td></tr></tbody></table>

<p class="callout warning">Security questions are **not recommended for administrators**.</p>

**Step 6: Verify Combined Security Information Registration**

Combined registration allows users to configure **MFA and Self-Service Password Reset authentication methods in a single workflow**.

Navigate to:

```
Entra ID > Authentication Methods > Settings
```

Verify the tenant is using the **modern Authentication Methods policy framework**.

If the **Combined registration toggle is not visible**, the feature is already enabled by Microsoft and no further configuration is required.

User registration portal:

```
https://aka.ms/mysecurityinfo
```

Users will register the following methods during onboarding:

- Microsoft Authenticator
- SMS verification
- Security questions (if enabled in SSPR policy)

<p class="callout success">This portal supports both **MFA and SSPR authentication method registration**.</p>
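Before the pilot goes live it is worth knowing which members of the SSPR group have actually completed registration, because an unregistered user gets the "You need to register for password reset" error described under Troubleshooting. The script below is an added example, not the runbook's own code; it reads the Entra user registration details report through Microsoft Graph and assumes the Microsoft.Graph module, the AuditLog.Read.All and GroupMember.Read.All scopes, and the group name from Step 1.

```powershell
# Added example (not the runbook's own code): list SSPR pilot group members who
# are in scope of the policy but have not yet registered enough methods to reset.
# Assumptions: Microsoft.Graph module installed; scopes AuditLog.Read.All and
# GroupMember.Read.All granted; group name matches Step 1.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Reports

$GroupName = 'SSPR-Enabled-Users'
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'GroupMember.Read.All' -NoWelcome

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group $GroupName not found" }
$members = Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id

# One tenant-wide report call is cheaper than one call per user; index it by user id
# (the report entry id is the user's object id).
$details = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { $details[$_.Id] = $_ }

$report = foreach ($id in $members) {
    $d = $details[$id]
    if (-not $d) { continue }   # nested groups or devices have no registration entry
    [pscustomobject]@{
        User           = $d.UserPrincipalName
        SsprEnabled    = $d.IsSsprEnabled      # user is within the SSPR policy scope
        SsprRegistered = $d.IsSsprRegistered   # enough methods registered to satisfy the policy
        SsprCapable    = $d.IsSsprCapable      # enabled and registered: can reset today
        Methods        = ($d.MethodsRegistered -join ', ')
    }
}

$report | Sort-Object SsprCapable, User | Format-Table -AutoSize

# Users to follow up: in scope but unable to reset until they visit the registration portal.
$notReady = @($report | Where-Object { $_.SsprEnabled -and -not $_.SsprRegistered })
Write-Host "$($notReady.Count) of $($report.Count) pilot users still need to register at https://aka.ms/mysecurityinfo"
```

Running this once before enabling the policy, and again a week later, gives the registration figure that the Usage & Insights report under Monitoring also shows, but scoped to the pilot group rather than the whole tenant.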

**Step 7: Configure User Notification Settings**

Navigate to:

```
Password Reset > Notifications
```

Recommended configuration:

<table id="bkmrk-setting-value-notify" style="width: 42.2619%;"><thead><tr><th style="width: 79.9392%;">Setting</th><th style="width: 20.0608%;">Value</th></tr></thead><tbody><tr><td style="width: 79.9392%;">Notify users on password reset</td><td style="width: 20.0608%;">Enabled</td></tr><tr><td style="width: 79.9392%;">Notify admins on admin password reset</td><td style="width: 20.0608%;">Enabled</td></tr></tbody></table>

##### **Monitoring and Reporting**

##### **Entra Audit Logs**

Navigate to:

```
Entra Admin Center
Password reset > Audit Logs
```

Filter for:

```
Activity: Self-service password reset
```

Events recorded:

- Password reset initiated
- Password reset completed
- Password writeback success/failure

##### **Sign-In Logs**

Navigate to:

```
Password reset > Audit Logs
```

Review authentication challenges and method usage.

##### **SSPR Usage Reports**

Navigate to:

```
Entra ID > Password Reset > Usage & Insights
```

Metrics include:

<table id="bkmrk-metric-description-p"><thead><tr><th>Metric</th><th>Description</th></tr></thead><tbody><tr><td>Password resets</td><td>Total resets performed</td></tr><tr><td>Registrations</td><td>Users who registered authentication methods</td></tr><tr><td>Success rate</td><td>Successful resets vs attempts</td></tr></tbody></table>

These reports help measure adoption and identify issues.

##### **Troubleshooting**

##### **Password Writeback Failed**

Error example:

```
Password reset failed to write back to on-premises directory
```

Possible causes:

- Entra Connect not running
- Password writeback disabled
- Domain controller connectivity issues

Resolution:

1. Verify Entra Connect service status.
2. Confirm writeback is enabled.
3. Check **Event Viewer - Application Logs** on the Entra Connect server.
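The three checks in this resolution, and the verification at the end of Step 4, can be run together on the Entra Connect server. The script below is an added example, not the runbook's own code; it assumes the ADSync PowerShell module that ships with Entra Connect, the installer's default `<tenant> - AAD` connector name, that `Get-ADSyncAADPasswordResetConfiguration` returns an `Enabled` property, and that writeback activity is logged in the Application log under the `PasswordResetService` source. The last three are assumptions to confirm on your own server.

```powershell
# Added example (not the runbook's own code): run on the Entra Connect server to check
# the sync service, the writeback setting on the Entra ID connector, and recent
# writeback events in the Application log (Step 4 verification and the resolution above).
# Assumptions: ADSync module present; connector named '<tenant> - AAD' (installer default);
# Enabled property and PasswordResetService provider name are assumed, confirm locally.
#Requires -RunAsAdministrator
Import-Module ADSync

# 1. Sync service: writeback requests are processed by the ADSync service.
$svc = Get-Service -Name ADSync
Write-Host "ADSync service: $($svc.Status)"
if ($svc.Status -ne 'Running') { Write-Warning 'ADSync service is not running; writeback cannot succeed' }

# 2. Writeback flag on the Entra ID connector (adjust the name filter if the connector was renamed).
$aad = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if (-not $aad) { throw 'Entra ID connector not found; review Get-ADSyncConnector output' }
$wb = Get-ADSyncAADPasswordResetConfiguration -Connector $aad.Name
$wb | Format-List                                   # full output, whatever the property names
if ($wb.Enabled -eq $false) {                       # assumed property name
    Write-Warning "Password writeback is disabled on '$($aad.Name)'; re-run the wizard (Step 4)"
}

# 3. Recent writeback activity in the Application log (last 24 hours).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'PasswordResetService'           # assumed source name
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No PasswordResetService events in the last 24 hours (no resets attempted, or the source name differs)'
} else {
    $events | Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Sort-Object TimeCreated -Descending | Format-Table -AutoSize
    $errors = @($events | Where-Object { $_.Level -le 2 })   # 1 = Critical, 2 = Error
    if ($errors.Count -gt 0) {
        Write-Warning "$($errors.Count) error-level writeback events; read the full Message for the DC or permission failure"
    }
}
```

If the service is running and writeback is enabled but the log shows error events, the cause is usually the third item in the list above: the Entra Connect service account cannot reach a domain controller or lacks the reset-password permission on the target OU.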

##### **User Not Allowed to Reset Password**

Possible cause:

User not included in the **SSPR security group**.

Resolution:

1. Add the user to the SSPR group.
2. Wait for directory replication.

##### **User Not Registered for Authentication**

Error example:

```
You need to register for password reset
```

Resolution:

Direct the user to:

```
https://aka.ms/mysecurityinfo
```

Complete registration before attempting password reset.

##### **Administrator Reset Fails**

Possible cause:

Administrator policy requires stronger authentication.

Resolution:

Ensure the administrator has registered:

- Microsoft Authenticator
- SMS

##### **Expected Outcome**

<table id="bkmrk-metric-result-resolu"><thead><tr><th>**Metric**</th><th>**Result**</th></tr></thead><tbody><tr><td>Resolution Time</td><td>Immediate user password reset</td></tr><tr><td>User Impact</td><td>Reduced helpdesk dependency</td></tr><tr><td>Recurrence Risk</td><td>Low once authentication registration is completed</td></tr></tbody></table>