This Knowledge Base article walks you through enabling self-service password reset (SSPR) in a hybrid environment, where Microsoft Entra ID is synchronized with on-premises Active Directory through Azure AD Connect.
Prerequisites
Before enabling SSPR, ensure the following:
Licensing
- Microsoft Entra ID P1 or P2 (required for password writeback)
Infrastructure Requirements
- Azure AD Connect (latest version recommended)
- Hybrid identity configured and syncing users
- At least one writable domain controller
- Outbound HTTPS (TCP 443) access from Azure AD Connect server
Permissions
- Global Administrator (initial setup)
- Domain Admin (for Azure AD Connect configuration)
Architecture Overview
SSPR in a hybrid environment works as follows:
- The user initiates a password reset from the Microsoft 365 sign-in page
- The user's identity is verified using the configured authentication methods
- Microsoft Entra ID sends the reset request to on-premises AD through Azure AD Connect (password writeback)
- The new password is written back to on-prem Active Directory
Step 1: Enable SSPR in Microsoft Entra ID
- Go to:
- Navigate to:
  - Protection → Password reset
- Under Properties:
  - Set Self service password reset enabled to:
    - Selected (recommended for pilot)
    - or All
- Click Save
Step 2: Configure Authentication Methods
- Go to:
  - Password reset → Authentication methods
- Configure:
  - Number of methods required (recommended: 2)
  - Methods available:
    - Mobile app notification
    - Mobile app code
    - Mobile phone
    - Office phone
    - Security questions (less recommended)
Best Practice
- Enable:
  - Authenticator app
  - SMS
- Avoid relying solely on security questions
Step 3: Configure Registration Settings
- Go to:
  - Password reset → Registration
- Enable:
  - Require users to register when signing in
- Set:
  - Number of days before reconfirmation (recommended: 180)
Step 4: Enable Password Writeback in Azure AD Connect
This is the critical hybrid step.
On the Azure AD Connect Server:
- Open:
  - Azure AD Connect
- Click:
  - Configure
- Select:
  - Customize synchronization options
- Authenticate as Global Admin
- Continue through options until:
  - Optional Features
- Check:
  - Password writeback
- Complete the wizard
Step 5: Set Required Permissions in Active Directory
Azure AD Connect normally grants these permissions to its AD DS connector account when writeback is enabled, but verify them:
Required permissions on the domain root (inherited to descendant user objects):
- Reset password
- Write lockoutTime
- Write pwdLastSet
Verify via:
- ADSIEdit or the Delegation of Control Wizard on the domain root
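The following script is an added example for Steps 4 and 5; it is not part of this KB article or of Azure AD Connect itself. It confirms on the Azure AD Connect server that writeback is switched on for the Entra connector and then reads the domain root ACL to check that the AD DS connector account holds the three rights listed above. The right and attribute GUIDs are resolved from this forest's schema rather than hard-coded, so the only value you must supply is the connector account name ($ConnectorAccount, a placeholder here). It assumes the ADSync and ActiveDirectory modules are present and that the script runs elevated.

```powershell
# Added example (not from the KB article or Azure AD Connect): verify writeback
# is enabled and that the AD DS connector account has the required domain rights.
$ConnectorAccount = 'CONTOSO\MSOL_xxxxxxxxxxxx'   # placeholder: your AD DS connector account

Import-Module ADSync
Import-Module ActiveDirectory

# --- Part 1: is password writeback enabled on the Microsoft Entra connector? ---
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

# --- Part 2: resolve the GUIDs of the three rights from the forest schema ---
$rootDse = Get-ADRootDSE
function Get-SchemaAttributeGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID          # schemaIDGUID is stored as a byte array
}
$lockoutTimeGuid = Get-SchemaAttributeGuid 'lockoutTime'
$pwdLastSetGuid  = Get-SchemaAttributeGuid 'pwdLastSet'
$resetPwdGuid    = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

# --- Part 3: collect the Allow ACEs granted to the connector account on the domain root ---
$domainDn = (Get-ADDomain).DistinguishedName
$aces = (Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ConnectorAccount }

function Test-Ace([string]$Right, [guid]$ObjectGuid) {
    # GenericAll implies every right. Otherwise the ACE must carry the right and
    # either name the exact object GUID or (for ExtendedRight) use the empty GUID,
    # which means "all extended rights". InheritedObjectType is not checked here.
    [bool]($aces | Where-Object {
        $rights = $_.ActiveDirectoryRights.ToString()
        $rights -match 'GenericAll' -or
        ($rights -match $Right -and ($_.ObjectType -eq $ObjectGuid -or $_.ObjectType -eq [guid]::Empty))
    })
}

$results = [ordered]@{
    'Reset password'    = Test-Ace 'ExtendedRight' $resetPwdGuid
    'Write lockoutTime' = Test-Ace 'WriteProperty' $lockoutTimeGuid
    'Write pwdLastSet'  = Test-Ace 'WriteProperty' $pwdLastSetGuid
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-18} : {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING - re-run the wizard or delegate manually' })
}
```

If any line reports MISSING, re-run the Azure AD Connect wizard with writeback enabled or delegate the right on the domain root as described above; note the check treats a GenericAll ACE as sufficient, which is broader than what writeback needs.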
Step 6: Configure Password Policies
Ensure alignment between:
On-Prem AD:
- Password complexity
- Minimum length
- Lockout policies
Microsoft Entra:
- Cloud password policy (if used)
⚠️ Mismatched policies can cause failed resets: a password accepted by the cloud reset page is still validated against the on-prem policy when it is written back.
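As an added example for this step (not part of the KB article), the script below reports the password policy that on-prem AD will actually enforce for a given user at writeback time, resolving a fine-grained password policy ahead of the Default Domain Policy, and lists the Entra-side domain password settings so the two can be compared before the pilot. It assumes the ActiveDirectory module, the Microsoft.Graph.Identity.DirectoryManagement module with an account holding Domain.Read.All, and uses the placeholder sAMAccountNames pilotuser1 and pilotuser2.

```powershell
# Added example (not from the KB article): show the effective on-prem password
# policy per user next to the Entra domain password settings.
Import-Module ActiveDirectory

function Get-EffectiveOnPremPasswordPolicy([string]$SamAccountName) {
    $user = Get-ADUser -Identity $SamAccountName
    # Returns $null when no fine-grained policy applies to the user
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    $source = 'Fine-grained policy'
    if (-not $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
    }
    [pscustomobject]@{
        User                 = $user.UserPrincipalName
        Source               = $source
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        MinPasswordAge       = $policy.MinPasswordAge
        LockoutThreshold     = $policy.LockoutThreshold
    }
}

function Get-EntraDomainPasswordSettings {
    Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome
    Get-MgDomain | Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays
}

# Usage: run against the pilot group before rollout. Any user whose on-prem
# policy is stricter than the cloud rules (8-256 characters, 3 of 4 character
# classes) can pick a password the reset page accepts but writeback rejects,
# so the help desk should state the on-prem rules in the pilot communication.
'pilotuser1', 'pilotuser2' | ForEach-Object { Get-EffectiveOnPremPasswordPolicy $_ } | Format-Table -AutoSize
Get-EntraDomainPasswordSettings | Format-Table -AutoSize
```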
Step 7: Test SSPR End-to-End
Test Scenario:
- Go to:
- Select:
  - “Forgot my password”
- Enter test user
- Complete authentication
- Reset password
- Validate:
  - User can log in to:
    - Domain-joined machine
    - VPN
    - Microsoft 365
Step 8: Monitor and Validate
Azure Logs:
- Go to:
  - Entra ID → Monitoring → Audit logs
- Filter:
  - Password reset events
Azure AD Connect Logs:
- Event Viewer:
  - Applications and Services Logs
  - Directory Synchronization
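The following script is an added example for this step and for the "Monitor for suspicious reset activity" best practice; it is not part of the KB article. It pulls self-service reset events from the Entra audit log through Microsoft Graph, summarises them per account, flags accounts with repeated or failed resets, and then reads the writeback events on the Azure AD Connect server. It assumes the Microsoft.Graph.Reports module with AuditLog.Read.All; the audit activity name 'Reset password (self-service)', the 'UserManagement' category, and the 'PasswordResetService' event source are as observed in current tenants and should be confirmed against your own logs; the thresholds are constructed for illustration.

```powershell
# Added example (not from the KB article): summarise SSPR audit events and
# surface the matching password writeback events on the Azure AD Connect server.
function Get-SsprAuditSummary {
    param([int]$Days = 7, [int]$ResetThreshold = 3)
    Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Self-service reset activity is logged under the UserManagement category (assumption, see lead-in)
    $filter = "category eq 'UserManagement' and activityDateTime ge $since and " +
              "activityDisplayName eq 'Reset password (self-service)'"
    $events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

    # One row per initiating account: total resets, failures, and a simple flag
    $events | Group-Object { $_.InitiatedBy.User.UserPrincipalName } | ForEach-Object {
        $failures = @($_.Group | Where-Object { $_.Result -eq 'failure' }).Count
        [pscustomobject]@{
            User       = $_.Name
            Resets     = $_.Count
            Failures   = $failures
            Suspicious = ($_.Count -ge $ResetThreshold) -or ($failures -gt 0)
        }
    } | Sort-Object Resets -Descending
}

function Get-WritebackEvents {
    param([int]$Hours = 24)
    # Run on the Azure AD Connect server. Writeback events are written to the
    # Application log by the PasswordResetService source (assumption, see lead-in).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'PasswordResetService'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }   # first line only
}

# Usage: weekly review of the cloud side, daily review of the connector side
Get-SsprAuditSummary -Days 7 | Where-Object Suspicious | Format-Table -AutoSize
Get-WritebackEvents -Hours 24 | Format-Table -AutoSize
```

A burst of resets for one account, or repeated failures, is worth correlating with the sign-in logs and the Conditional Access policies recommended below; a writeback failure that appears only on the connector side usually points at connectivity or the AD permissions from Step 5.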
Step 9: Rollout Strategy (Recommended)
Phase 1: Pilot
- IT team or small user group
Phase 2: Department rollout
- High-volume support users first
Phase 3: Organization-wide
- Enable for all users
Security Best Practices
- Require 2 authentication methods
- Enforce MFA registration
- Disable security questions if possible
- Monitor for suspicious reset activity
- Combine with:
  - Conditional Access policies
Common Issues & Troubleshooting
1. Password writeback fails
  - Check Azure AD Connect health
  - Verify outbound connectivity (TCP 443)
  - Confirm permissions on AD
2. “You can’t reset your password” error
  - User not in SSPR scope
  - Missing authentication methods
3. Password resets but cannot log in
  - AD replication delay
  - Cached credentials on device
4. Authentication methods not prompting
  - User has not completed registration
  - Registration enforcement not enabled
Helpful PowerShell Commands
Check Azure AD Connect version:
Get-ADSyncGlobalSettings
Force sync:
Start-ADSyncSyncCycle -PolicyType Delta