Reduce Help Desk Calls with Self-Service Password Reset

Forgotten passwords are a key driver of Help desk calls for many organizations. They are also a major cost factor. Our customers estimate their cost for a password reset call anywhere from $25 to $50 a call, not including the cost of lost productivity for the end user. When you multiply this by hundreds, thousands, or tens of thousands of calls in a year, the cost is substantial.

Self-Service Password Reset with Entra ID (formerly Azure Active Directory)

Entra ID Premium includes a Self-Service Password Reset (SSPR) solution that is completely hosted in the cloud and accessible from anywhere, including on mobile devices. When an end user resets his or her password with Entra ID, your on-premises password policy is enforced and the user’s password is written back to your on-premises AD domain in real time. In addition, Entra SSPR can be used to let users unlock their accounts.

To roll out SSPR, you must provide your users with one or more ways to validate their identity when they forget their password. Entra ID supports four different methods that you can choose from:

  1. Mobile phone (text message or voice call)
  2. Office phone (voice call)
  3. Alternate email address (e.g., a personal email address)
  4. Security questions

The SSPR setup interface when all of these options are enabled is shown below.

[Image: Self-Service Password Reset Registration]

You’ll need to determine which methods make the most sense for your business from both a workflow perspective and a security/risk perspective. We usually recommend mobile phone as a starting point, but sometimes security questions are also the right path.

Security questions tend to not be the most secure way to validate a user’s identity. However, if you have a large workforce that might not have access to cell phones, or if you have concerns about asking employees to incur the cost of receiving text messages/voice calls, security questions might be the best option. Security questions are also a valuable alternative if you have scenarios in which your employees won’t have access to their cell phones (e.g., manufacturing floors or secure locations). You can allow users to choose from multiple options, so you should provide choices that make the most sense for your organization.

Enforcing Compliance

SSPR solutions are only as valuable as your registration data. If only 25% of your users are enrolled for SSPR, you’ll never see the reduction in Help desk calls that you want. Ensuring that you have 100% compliance is key to a successful SSPR project. Entra ID provides a mechanism to ensure that your users register for SSPR the next time they log in to Office 365 or another application that is federated with Entra ID.

When you enable this option, users will see the prompt shown below the next time they sign in.

[Image: SSPR Forced Registration]

It’s also a good idea to make sure the verification methods your users provide (e.g., their mobile phone number or security question answers) continue to be valid. You can tell Entra ID to periodically ask users to re-confirm their details. We usually recommend enabling this capability to ensure ongoing SSPR registration compliance.
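
One way to measure the registration coverage discussed above, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module) is installed and that the signed-in account can use the AuditLog.Read.All scope; the output file name is a placeholder.

```powershell
# Added example: SSPR registration coverage report (not from the original article).
# Assumption: Microsoft.Graph.Reports is installed and AuditLog.Read.All can be consented.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# One record per user: SSPR state plus the authentication methods they registered.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.UserType -eq 'member' }

# Users the SSPR policy applies to are the ones who must register.
$inScope    = @($details | Where-Object { $_.IsSsprEnabled })
$registered = @($inScope | Where-Object { $_.IsSsprRegistered })
$missing    = @($inScope | Where-Object { -not $_.IsSsprRegistered })

# Registered users whose only method is security questions, the weakest option
# in the article. Assumption: Graph reports that method as 'securityQuestion'.
$questionsOnly = @($registered | Where-Object {
    $methods = @($_.MethodsRegistered)
    $methods.Count -gt 0 -and
        @($methods | Where-Object { $_ -ne 'securityQuestion' }).Count -eq 0
})

# Guard against an empty scope so the percentage never divides by zero.
$coverage = if ($inScope.Count -gt 0) {
    [math]::Round(100 * $registered.Count / $inScope.Count, 1)
} else { 0 }

[pscustomobject]@{
    SsprEnabledUsers      = $inScope.Count
    SsprRegisteredUsers   = $registered.Count
    CoveragePercent       = $coverage
    NotRegistered         = $missing.Count
    SecurityQuestionsOnly = $questionsOnly.Count
} | Format-List

# Export the users who still need to register so they can be followed up with.
# The file name is a placeholder chosen for this example.
$missing |
    Sort-Object UserPrincipalName |
    Select-Object UserPrincipalName, UserDisplayName, IsSsprCapable |
    Export-Csv -Path '.\sspr-not-registered.csv' -NoTypeInformation
```

Running the report on a schedule and comparing `CoveragePercent` over time shows whether forced registration and periodic re-confirmation are closing the gap.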

Are You Ready for Self-Service Password Reset?

The technical details of an SSPR project aren’t complicated. You’ll need to make sure you’re on a current version of Entra ID Connect, that you have the appropriate Entra ID Premium (or Enterprise Mobility + Security) licenses assigned to end users, and that the SSPR feature itself is configured.

The most important thing to focus on is your rollout and communication plan. Identifying which verification method(s) you’ll use requires a great deal of coordination between stakeholders in the business. You’ll also need to communicate the SSPR rollout to your end users so they’re prepared and aware of the new capability. Finally, you’ll need to ensure that your Help desk is ready and that your IT staff’s processes have been updated. The last thing you want is to continue letting your Help desk staff reset passwords rather than directing users to the new SSPR location.

Do you have questions on how to best deploy SSPR in your organization? We have experience enabling SSPR across organizations large and small. Learn more about how we implement Entra ID features such as SSPR.

