O365 Admin

How to Set Up SSPR in Entra ID

Published 24 October 2025 · 7 min read

Self-Service Password Reset (SSPR) lets users reset their own Entra ID passwords without contacting IT. It is one of the highest-impact, lowest-effort changes you can make in a Microsoft 365 environment - cutting helpdesk tickets and getting locked-out users back up faster.

Contents
  1. How SSPR works
  2. Prerequisites and licensing
  3. Enable SSPR
  4. Authentication methods
  5. Registration campaign
  6. Writeback for on-premises AD
  7. Testing SSPR

How SSPR works

When a user forgets their password or gets locked out, they visit aka.ms/sspr and verify their identity using pre-registered methods (authenticator app, phone, email). Entra ID then lets them set a new password without IT involvement. For hybrid environments, password writeback syncs the new password back to on-premises AD automatically.

Prerequisites and licensing

Enable SSPR

Entra ID portal → Password reset → Properties
⚙️
SSPR Properties
Self service password reset enabledStart with Selected for a pilot group first
All
Number of methods required to reset2 methods is the recommended baseline
2

Authentication methods

Password reset → Authentication methods
⚙️
Recommended methods
Microsoft Authenticator appMost secure and convenient
Enabled
Mobile phone (SMS)Good fallback for users without smartphones
Enabled
Email addressPersonal email as last resort - not corporate email
Enabled
Security questionsAnswers are often guessable
Disabled

Registration campaign

Enable Require users to register when signing in under Password reset → Registration. Set days before re-confirmation to 180. This prompts users to register at next sign-in automatically.

💡
Use combined registration
Enable the combined security information registration experience so users register for both MFA and SSPR in one flow - Entra ID → User settings → Manage user feature settings.

Writeback for on-premises AD

If users are synced from on-premises AD, enable password writeback in Entra Connect: Optional features → Password writeback. Then enable in Entra ID: Password reset → On-premises integration → Write back passwords → Yes.

Testing SSPR

Test with a pilot user account before rolling out. Visit aka.ms/sspr in a private browser, enter the user's email, and verify the reset flow works end to end. Confirm the new password syncs to on-premises AD within 2-3 minutes if writeback is enabled.

Frequently Asked Questions

Q: What licence does SSPR require?

SSPR requires Entra ID P1 or P2. This is included in Microsoft 365 Business Premium, E3, and E5. It is not available in Business Basic or Standard.

Q: Can users use SSPR if they have not registered?

No. Users must register at least the required number of authentication methods before SSPR will work. Enable the registration campaign so users are prompted at sign-in.

Q: Does SSPR work for on-premises AD accounts?

Yes, with password writeback enabled in Entra Connect. The reset is written back to on-premises AD automatically, usually within seconds.

Q: What URL do users go to for SSPR?

Users visit aka.ms/sspr or passwordreset.microsoftonline.com.

Related Guides
-> Conditional Access-> Passwordless Auth-> Why MFA Matters
// need intune set up properly?
Fixed-price Intune setup for UK businesses

App deployment, compliance policies, Conditional Access, and full documentation at a fixed price.

View Packages