Enterprise Mobility and Security Blog


Hey there, Ryen Macababbad here. You might remember me from an Azure AD Premium Webinar or from my post introducing our Azure Active Directory Customer Success Team. This week we’ll answer some more questions on Self-Service Password Reset that we didn’t get to cover in our last SSPR mailbag. These are questions that we’ve seen coming directly from other customers that we are working with and may help as you start or continue your adoption of Azure AD! If our readers find these helpful let us know in the comments or on twitter at @Ryen_Mac, @MarkMorow and @Alex_A_Simons. Let’s get started.

Question 1: My end-users are trained to be suspicious of anything that doesn’t look like our company, but the landing page to setup SSPR (https://aka.ms/ssprsetup) and the password reset page (https://aka.ms/sspr) require you to enter your username before your branding shows up. Can I just make my own webpage?

Answer 1: Yes, absolutely! In fact, a number of our customers have done exactly that. Check out Creating your own password portal in our Password Management best practices section on Azure to find out more and download a website template to get you started.

Another thing you can do is to add the ?whr=contoso.com parameter to the end of the URL (where contoso.com is your verified domain name documented here.) when deep-linking to the password reset site. This will force your branding to appear without the end user having to first enter in their username. You can also pass ?username=user@contoso.com as well.


Question 2: I don’t want to give my service account too many permissions. What exactly is required for password reset, password writeback, and account unlock?

Answer 2: Whether you chose to specify your custom service account when you began configuring the sync engine in the wizard, or you went with the randomly generated one (MSOL_xxxxxxxxxxxx), you’ll need to set permissions on the root object of each domain in a forest to allow Reset Password and Change Password and grant permissions to Write lockoutTime and pwdLastSet. These permissions will need to be marked as Inherited by all user objects. More documentation can be found on Getting Started with Password Management on Azure.com

Question 3: How does SSPR store my AD passwords in Azure AD?

Answer 3: Self-service password reset does not store your passwords. It allows you to reset your on-premises passwords by writing the change made in the online UI to on-premises in real-time, enforcing all your on-premises policies along the way. Once the user inputs their desired password, the password is encrypted using a symmetric key specific to your tenant sent over a TLS-secured channel to a tenant-specific service bus relay, and then arrives to your on-premises system where it is decrypted and written to AD. Go check out the Password Reset documentation to read about more technical details and a precise walkthrough of how it all works together!

Question 4: Are answers to security questions case sensitive?

Answer 4: No. Security questions are case-insensitive, and can be input in either uppercase or lowercase.

Question 5: What is the user experience when I enforce SSPR registration on my directory?

Answer 5: After enabling enforced registration, any user who logs in using Azure AD will see a brief message indicating their admin requires that they provide alternative security info so they can recover their account if they forget a password. This includes logins to O365, Access panel, or custom/federated apps that use Azure AD for authentication.

Question 6: In a previous mailbag post (http://blogs.technet.com/b/ad/archive/2015/12/11/azuread-mailbag-self-service-password-reset.aspx) you showed how the Security Questions are in the language set by the browser. Does the password reset portal behave the same way?

Answer 6: Yes, the entire experience including voice calls is determined by this. If you want to force a specific language you can use the mkt parameter with that locale you want to force. For example for traditional Chinese https://passwordreset.microsoftonline.com?mkt=zh-tw would display like


Question 7: I need a better way to get my SSPR registration activity than having to download it from the portal once a month. Is there a way I can script this?

Answer 7: Certainly. You can utilize Graph API to pull customized reports. Check out this Getting Started Guide: Getting started with the Azure AD Reporting API to set up an app in your Azure AD directory that can interface with Graph Explorer. After that you can use the following script to make a call into your directory to that app you just created. From there you can tailor the script to pull the reports that are important to you.


We hope you’ve found this post and this series to be helpful. For any questions you can reach us at AskAzureADBlog@microsoft.com, the Microsoft Forums and on Twitter @AzureAD, @Ryen_Mac, @MarkMorow and @Alex_A_Simons

-Ryen Macababbad, Adam Steenwyk and Mark Morowczynski