One of the great features of Microsoft 365 is the ability to use one identity to access tens, if not hundreds, of applications. We can link just about anything to our Microsoft 365 account now, meaning all applications and web-based services used by an organisation can be accessed with just one account. We can also use Microsoft 365 features such as multi-factor authentication to add security to previously insecure web applications.
The downside of this approach is that if an individual forgets their password or their account is locked out, they are now locked out of all those applications. This can result in a very unproductive employee.
What usually follows is a phone call to IT to unlock the individual’s account or reset the password. If you’re lucky, it will be done straight away. However, it could be hours before you are back in your account.
With all the additional security capabilities available to us today, isn’t there a way we can all be self-sufficient and simply reset our own password, or unlock our own account?
There is, and it’s called Self Service Password Reset.
What is Self Service Password Reset (SSPR)?
SSPR provides a mechanism for individuals to reset their own password and unlock their own account. If a user’s account is locked out or they forget their password, they can start the self-service password reset feature. This can be done through a browser, a mobile device or straight from the Windows logon screen. The individual can then follow the prompts to unblock themselves and get back to work. This self-sufficiency has a clear benefit for the productivity of an employee, as well as reducing the number of calls to the support desk.
The feature can also integrate with existing on-premises Active Directory environments. This allows an individual to reset their password from any device, anywhere, without being connected to the on-premises domain. SSPR will automatically update the password of the on-premises account, keeping both identities in sync.
The capability is nothing new. It has been around for some time and is available from lots of different vendors. What is new is the ability to get access to such a great feature without having to buy additional products from different vendors and then try to integrate them. SSPR from Microsoft is yet another feature of an already comprehensive security suite that integrates seamlessly with your Microsoft 365 solution and your Windows 10 devices.
How does it work?
SSPR works by allowing users to provide additional authentication methods in order to verify who they are. Once they have been verified, they can proceed to enter a new password or simply unlock their account. The methods are configured during initial set up of the feature. Options include mobile app notification, phone number and security questions. The number of methods required to be able to pass this verification step can be set to either one or two.
To access the SSPR portal, an individual can browse to its URL in a web browser, or it can be accessed directly from the Windows 10 lock screen. Once configured, a Reset Password link will appear on the logon screen and lock screen of all Windows 10 endpoints. A user can now click this link either at the point of logon or by locking the screen.
This will launch an easy-to-follow wizard that will step the user through entering their email address and providing the number of authentication methods specified during enrolment. Providing they pass this verification, the password can be changed or the account unlocked. The Windows 10 device will then return to the logon screen and the user can log in.
Of course, none of this is possible without first registering for the service. This is typically where these solutions fail as, without going through the registration process, nobody can reset their own password so they resort to contacting the support desk again.
SSPR from Microsoft 365 solves this common problem in two ways.
First, administrators are able to pre-register the required authentication methods for all users, using information taken from an on-premises Active Directory. This means that individuals can use SSPR without even registering for it.
The second method is the new combined security registration experience. This provides a single registration experience for enabling multi-factor authentication (MFA) and providing the required authentication methods to enable SSPR. As 365 administrators, we have the ability to enforce this registration after a set amount of time, directing unregistered users straight to the registration portal the next time they sign in.
The result is SSPR and MFA enabled for all users and no more password reset calls to the support desk.
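A rollout check for the registration gap described above, as an added example that is not code from this article or from Microsoft: it classifies users by whether their registered methods meet the one-or-two method requirement. The sample records are constructed, the field names are modelled on the Microsoft Graph registration report and are assumptions, and the list of methods accepted for SSPR is a hypothetical policy choice.

```python
# Constructed sample records. Field names are modelled on the Microsoft Graph
# userRegistrationDetails report and are assumptions, not taken from the article.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.org",
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@example.org",
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@example.org",
     "methodsRegistered": []},
    {"userPrincipalName": "dave@example.org",
     "methodsRegistered": ["securityQuestion", "fido2SecurityKey"]},
]

# Methods this tenant accepts for SSPR verification (hypothetical policy).
SSPR_METHODS = {"microsoftAuthenticatorPush", "mobilePhone", "securityQuestion"}


def classify(user, allowed, required):
    """Return (status, usable_methods) for one user record."""
    if required not in (1, 2):
        raise ValueError("SSPR requires either one or two methods")
    # Only methods that the SSPR policy accepts count towards the requirement.
    registered = set(user.get("methodsRegistered") or [])
    usable = sorted(registered & allowed)
    if len(usable) >= required:
        return "ready", usable
    if usable:
        return "needs_more_methods", usable
    return "unregistered", usable


def readiness_report(users, allowed, required):
    """Group user principal names by SSPR readiness."""
    report = {"ready": [], "needs_more_methods": [], "unregistered": []}
    for user in users:
        status, _ = classify(user, allowed, required)
        report[status].append(user["userPrincipalName"])
    return report


if __name__ == "__main__":
    for required in (1, 2):
        print(required, readiness_report(SAMPLE_USERS, SSPR_METHODS, required))
```

Users outside the "ready" group are the ones who would still have to call the support desk, so they are the candidates for pre-registration or enforced combined registration before the reset link is rolled out.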
Why do I need it?
Password resets can account for a huge percentage of the overall tickets raised with a support desk. It’s a trivial, time-consuming and frustrating experience for both parties. What’s more, the method in use is likely to be insecure, as passwords may be read out over the phone to someone who hasn’t been verified. In the current climate of phishing attacks and social engineering, impersonating an individual on the phone is an easy way in.
Getting this feature in place is a win for security and user experience. Employees are self-sufficient and more productive, removing wait times typically associated with this task. The support desk is happier as it is free from the influx of password reset requests after every bank holiday. Finally, the security posture of the organisation is greatly improved, as the mechanism by which passwords are being reset is far more secure than the previous solution.
How do I get it?
SSPR is available in all Microsoft 365 plans. However, to take advantage of the integration with your on-premises Active Directory environment, you’ll need each user to be licensed for Azure Active Directory Premium P1. This is available as a standalone product or included in Microsoft 365 Business Premium, E3 and E5. The feature is also included in Enterprise Mobility and Security (EMS). If you have any of these plans, you will have access to SSPR.
With a myriad of plans available and the recent name changes of Microsoft’s Office 365 plans, it can be difficult to understand whether you have a feature and how best to access it.
If you would like clarification on your plan, the security features available or how best to implement them then reach out to one of our team, who will be happy to discuss the options.
How can LIMA help?
SSPR may seem like an easy win but, as with most security products, without proper planning it is likely to be a hindrance or go underused. The key to successful adoption of the feature is to understand the different deployment models and how best to implement it. Integrating SSPR with the Windows 10 logon screen and pre-registering users would seem like the best solution, but it also has the most prerequisites.
LIMA can work with you to understand and map out those requirements as part of a wider assessment, and assist in the user education, onboarding and rollout of the solution. Through our Microsoft 365 Security Assessment service, we can capture your existing security posture, highlighting areas of potential weakness. From here we can map Microsoft 365 security capabilities, such as SSPR, to your security objectives and requirements, providing a prioritised and actionable Microsoft 365 security roadmap.
Speak to your account manager or email firstname.lastname@example.org to find out more about how LIMA can help secure your mobile workforce with our Microsoft 365 Assessment Services.