(Cloud) Tip of the Day: Disable SSPR for tenant

Today’s (Cloud) Tip…

If you are using a service that uses Azure Active Directory as the identity platform, such as Office 365, Intune, or Azure, and you don't want users or admins to leverage the self-service password reset feature, you can disable this feature for your organization. This means that users or admins will not be able to complete the password reset flow after clicking on "Can’t access your account?"

To do this, you will need to use Azure Active Directory Module for Windows PowerShell.

First install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. Then install the Azure Active Directory Module for Windows PowerShell (64-bit version), and click Run to run the installer package.

Then perform the following steps…

  1. Open Azure Active Directory Module for Windows PowerShell
  2. Run the following cmdlet…
    Connect-MsolService
    Note: When prompted, provide your global administrator credentials.
  3. Then run the following cmdlet to disable self-service password reset…
    Set-MsolCompanySettings -SelfServePasswordResetEnabled $False

If you want to re-enable self-service password reset, use $True instead of $False for the SelfServePasswordResetEnabled parameter, like so…

Set-MsolCompanySettings -SelfServePasswordResetEnabled $True
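The steps above can be wrapped so the change is checked before and after it is made. This is an added example, not part of the original tip; the function name Set-TenantSspr is hypothetical, and it assumes the MSOnline module is installed and that Get-MsolCompanyInformation reports the SelfServePasswordResetEnabled value.

```powershell
# Added example: apply the tenant-wide SSPR flag idempotently and verify it.
# Per the correction on this page, this flag only affects SSPR for admins.
function Set-TenantSspr {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [bool]$Enabled
    )

    # Read the current value first so the change can be recorded.
    $before = (Get-MsolCompanyInformation).SelfServePasswordResetEnabled
    Write-Verbose "Current SelfServePasswordResetEnabled: $before"

    if ($before -eq $Enabled) {
        Write-Output "No change needed; SelfServePasswordResetEnabled is already $Enabled."
        return
    }

    # Honors -WhatIf / -Confirm so the change can be previewed.
    if ($PSCmdlet.ShouldProcess('tenant', "Set SelfServePasswordResetEnabled to $Enabled")) {
        Set-MsolCompanySettings -SelfServePasswordResetEnabled $Enabled -ErrorAction Stop

        # Re-read the setting and fail loudly if it did not take effect.
        $after = (Get-MsolCompanyInformation).SelfServePasswordResetEnabled
        if ($after -ne $Enabled) {
            throw "SelfServePasswordResetEnabled is $after, expected $Enabled."
        }

        # Emit a small record suitable for a change log.
        [pscustomobject]@{
            Setting   = 'SelfServePasswordResetEnabled'
            Before    = $before
            After     = $after
            ChangedAt = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService            # prompts for global administrator credentials
Set-TenantSspr -Enabled $false -Verbose
```

Run Set-TenantSspr with -WhatIf first to see the pending change without applying it.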

Best Regards from the Tip of the Day Team!

Correction added:

I do have a correction for this tip. The instructions above will only disable SSPR for admins.

If you want to disable SSPR for users, then you can follow the instructions in the following article…

https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx

Also, there was a question on what users or admins will see if SSPR is disabled.

The link "Can’t access your account?" will still be there; however, you will see something like this when you attempt to start the flow…

Admins will see…

[screenshot]

Users will see…

[screenshot]

Organizations with only one admin will see a link to contact support.