Lab: Explore Azure AD Authentication with self-service password reset

This lab maps to the following Learn content:

Learning Path: Describe the capabilities of Azure Active Directory (Azure AD), part of Microsoft Entra
Module: Describe the authentication capabilities of Azure AD
Unit: Describe self-service password reset in Azure AD

Lab scenario

In this lab, you, as an admin, will walk through the process of enabling self-service password reset. With SSPR enabled, you’ll then assume the role of a user and go through the process of registering for SSPR and also resetting your password. Lastly, you as the admin, will be able to view audit logs and usage data & insights for SSPR.

Estimated Time: 15-20 minutes

Task 1

In this task you, as the admin, will add an existing user, Adele Vance, into the SSPRSecurityUsers group. Also, you’ll also need to do a reset of the user’s password so that you can do a first-time sign-in, as the user, and register for SSPR.

Open Microsoft Edge.
In the address bar, enter portal.azure.com and sign in with your admin credentials.
1. In the Sign-in window, enter admin@WWLxZZZZZZ.onmicrosoft.com (where ZZZZZZ is your unique tenant ID provided by your lab hosting provider) then select Next.
2. Enter the admin password that should be provided by your lab hosting provider. Select Sign in.
3. When prompted to stay signed- in, select Yes.
Select Azure Active Directory.
From the left navigation panel, select Groups.
A list of existing groups is displayed. In the Search groups field, enter SSPR, then from the search results select SSPRSecurityGroupUsers. It will take you to the configuration option for this group.
From the left navigation pane, select Members.
From the top of the page, select + Add members.
In the Search box, enter Adele. Once the user, Adele Vance, appears below the search box, select it then press Select from the bottom of the page.
Close out of the SSPRSecurityUsers window, selecting the X on the top right corner of the screen,
Return to the Active Directory page, by selecting Contoso from the top left corner of the screen, just above where it says Groups, to return to the Contoso Azure Active Directory page.
From the left navigation panel, select Users.
Select Adele Vance from the list of users.
Select Reset password from the top of the page. Since you haven’t previously signed in as Adele Vance, you’ll need to reset the password
When the password reset window opens, select Reset Password. IMPORTANT, make a note of the new password, as you’ll need it in a subsequent task, to be able to sign in as the user.
Close the password reset window by selecting the X at the top right corner of the page.
Close the Adele Vance window by selecting the X at the top right corner of the page.
Close the Users window by selecting the X at the top right corner of the page.
Keep the Contoso Overview window open as you’ll use it in the subsequent task.

Task 2

In this task you, as the admin, will learn how to configure Password reset for users, including configuration of the types of authentication methods to use

Go to the Contoso – Microsoft Azure tab that is open on your browser. If you previously closed the tab, open a browser page and in the address bar, enter portal.azure.com and select Azure Active Directory. You should be logged in as admin, in the Azure portal, if not, sign back in.
From the left navigation pane, select Password reset.
The properties for self service password reset are displayed. Ensure that Self service reset is selected for the group that is listed, the SSPRSecurityGroupUsers. Put your cursor over the information icon next to where it says “select group” and note that it says, “Defines the group of users who are allowed to reset their own passwords.” You must include users in the group, you can’t individually select users. Also, if you change the group, then the group you select replaces the group currently listed. As such, it’s recommended that you add users to the SSPR group. Lastly, note the blue information box, “These settings only apply to end users in your organization. Admins are always enabled for self-service password reset and are required to use two authentication methods to reset their password.”
From the left navigation panel of Password reset, select Authentication Methods.
In the Number of methods required to rest, select 1. Note the information box on the screen.
Notice the different methods available to users. Email and Mobile phone (SMS only) should already be checked; if not, select them.
From the left navigation panel of Password reset, select Registration.
Ensure the setting to Require users to register when signing in is set to Yes. Leave the Number of days before users are asked to reconfirm their authentication information, to the default of 180. Take note of the information box on the page.
From the left navigation panel of Password reset, select Notifications.
Ensure the setting to Notify users on password resets is set to Yes. Leave the setting for Notify all admins when other admins reset their password to No.
Note how the Password reset navigation pane also includes options to view audit logs and Usage & insights.
Sign out from all the browser tabs by clicking on the user icon next to the email address on the top right corner of the screen. Then the close all the browser windows.

Task 3

In this task you, as user Adele Vance, will go through the registration process for self service password reset. This task requires that you have access to a mobile device where you can receive text messages or a personal email account that you can access

Open Microsoft Edge.
In the address bar, enter login.microsoftonline.com.
Sign in as Adele Vance,
1. In the Sign-in window, enter AdeleV@WWLxZZZZZZ.onmicrosoft.com (where ZZZZZZ is your unique tenant ID provided by your lab hosting provider) then select Next.
2. Enter the password you noted in the earlier task. Select Sign in.
3. When prompted to stay signed- in, select Yes
Since this is your first sign-in as Adele Vance, you’ll be prompted to reset your password. Enter your old password. Enter a new password and then confirm the new password. Select Sign in.
A pop-up displays indicating that More information is required. This is because as a member of the SSPRSecurityGroupUsers group, the configuration requires its members to register when they sign in. Select the Next button. Note: An alternative to having users do the registration, themselves, is for admins to directly configure the authentication methods when they add a user. This requires admins to know and set the phone numbers and email addresses that users use to perform self-service password reset, and reset a user’s password.
The “Keep your account secure” page opens. The window that appears is for the Phone authentication method, if you don’t have a mobile device with you that is capable of receiving text messages, skip to the next step. You’re prompted to enter a phone number. Ensure the option Text me a code is enabled. Enter the phone number where you can receive a text code and select the Next button. A new window opens indicating a code was sent to the phone you entered. Enter the code your received and select Next. A window opens indicating Success and showing your Default sign-in method. Select Done.
Skip this step if you were able to configure SSPR with your mobile phone number. Alternatively, you can set up a different method as shown on the bottom left of the window. If you choose to set up a different method, select I want to set up a different method, a pop-up window shows up, asking Which method would you like to use? From the drop-down, select your preferred method, Email, then select the Confirm button. Enter the email you would like to use then select Next. A new window opens indicating a code was sent to the email you entered. Access the email you entered to obtain the code. Enter the code your received and select Next. A window opens indicating Success and showing your Default sign-in method. Select Done.
You can now complete your sign-in. You should be on the Azure portal landing page. If you see that your sign-in time has expired, just reenter the password.
Sign out of the Azure portal and close your browser window.

Task 4 (Optional)

In this task you, as user Adele Vance, will go through the process of resetting your password

Open Microsoft Edge.
In the address bar, enter login.microsoftonline.com.
Sign in as Adele Vance, by entering your email AdeleV@WWLxZZZZ.onmicrosoft.com (where ZZZZZZ is your unique tenant ID provided by your lab hosting provider)and select the Next button. You may, instead, see a Pick an account window open, if so, select the account for Adele Vance.
From the Enter password window, select Forgot my password.
The Get back into your account window opens. Verify that the email for Adele Vance, AdeleV@WWLxZZZZ.onmicrosoft.com, is shown in the email or username box. If not, enter it.
In the empty box, enter the characters displayed in image or the words from the audio. Once you’ve entered them, select Next.
The screen shows Get back into your account and shows Verification step 1 > choose a new password. Leave the default setting Text my mobile phone. You’re prompted to enter your mobile phone number. Once you’ve entered it, select the Text button. If during the registration you selected email, the Get back into your account window will that indicate you’ll receive an email containing a verification code at your alternate email address. Select Email.
Enter the verification code then press Next.
In the next screen, you’re prompted to enter new password and confirm new password. Enter those now and select the Finish button.
You’ll see a message on the screen that your password has been reset. Select click here to sign in with your new password.
From the Pick an account information box, select AdeleV@WWLxZZZZZZ.onmicrosoft.com, enter your new password, then select the Sign in button. If you’re prompted to Stay signed in. select No.
You should now be in the Office portal.
Sign out by selecting on the user icon next to the email address on the top right corner of the screen and selecting Sign out. Then the close all the browser windows

Task 5 (Optional)

In this task you, as the administrator, will briefly view the Audit logs and the Usage & insights data associated with password reset

Open Microsoft Edge.
In the address bar, enter portal.azure.com
Sign in with your admin credentials.
1. In the Sign-in window, enter admin@WWLxZZZZZZ.onmicrosoft.com (where ZZZZZZ is your unique tenant ID provided by your lab hosting provider) then select Next.
2. Enter the admin password that should be provided by your lab hosting provider. Select Sign in.
3. When prompted to stay signed- in, select Yes.
Select Azure Active Directory.
From the left navigation pane, select Password reset.
From the left navigation pane, select Audit logs. Notice the information available and the available filters. Also note that you can download logs.
Select Download. Note that you can format the download as CSV or JSON. Close the window by selecting the X on the top right corner of the screen.
From the left navigation pane, select Usage & insights.
Notice the information available that pertains to Registration. Note that it may take time to refresh this data, even after you do a refresh, so it may not yet reflect the registration or usage data from the previous task.
From the top of the page select Usage to view the number of Self-service password resets and account unlocks by method. Note that it may take time to refresh this data, even after you do a refresh, so it may not yet reflect the usage data from the previous task.
Close the open browser tabs.

Review

In this lab, you, as an admin, went through the process of enabling self-service password reset. With SSPR enabled, you’ll then assume the role of a user to go through the process of registering for SSPR and also resetting your password. Lastly, you as the admin, learn where to access audit logs and usage & insights data for SSPR.