Forum Discussion
Azure AD self-service password reset - Group (SSPR)?
Any Group in Azure AD. This also applies to Dynamic Groups, because the dynamic property applies to the membership type, not the Group itself.
When you go to Azure > Password Reset you see three options: None, Selected, and All. With All you enable SSPR for all users, but with Selected you can select specific groups from your AAD directory.
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-best-practices
- William Steele, Mar 29, 2019, Copper Contributor
Pablo R. Ortiz: The problem is you can only select ONE group :-(
- steve_elliott, Mar 29, 2019, Brass Contributor
We took the approach of using a dynamic security group, with the members populated based on the fact a user had an EMS licence assigned (licence requirement for SSPR with AD writeback).
- steve_elliott, Mar 29, 2019, Brass Contributor
For some reason I'm not able to reply to the private message I got asking how we did this, so will post here:
Hi Dave,
Sure, no worries. We use a dynamic, cloud-only security group, and then configured the advanced rule with the below. Once it was populating correctly, we just assigned that user group permissions to do SSPR, which would write back to our local AD. Because we designed it this way, we don't have to keep on top of populating the security group who can do SSPR: as soon as one of our users is assigned the EMS licence, they become a member of the group and have permissions for SSPR / Writeback :)
This was the code for the advanced rule scope:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")
Hope this helps.
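
An offline preview of who the advanced rule above would match, as an added example that is not code from the thread. It shows that `-any` needs both conditions to hold on the same plan entry. `Test-SsprRuleMatch`, `New-Plan`, the second plan GUID and the sample users are hypothetical and constructed for illustration; only the first GUID comes from the post.

```powershell
# Service plan GUID copied from the advanced rule in the post above.
$PlanId = 'c1ec4a95-1f05-45b3-a911-aa3fa01094f5'
# Constructed GUID standing in for some unrelated plan (sample data only).
$OtherPlanId = '00000000-0000-0000-0000-000000000001'

function Test-SsprRuleMatch {
    # Hypothetical helper: local re-implementation of the rule's logic.
    param(
        [Parameter(Mandatory)] $User,
        [string] $ServicePlanId = $PlanId
    )
    # "-any" is true only when ONE entry satisfies both conditions together.
    foreach ($plan in @($User.assignedPlans)) {
        if ($plan.servicePlanId -eq $ServicePlanId -and
            $plan.capabilityStatus -eq 'Enabled') {
            return $true
        }
    }
    return $false
}

function New-Plan($Id, $Status) {
    # Hypothetical helper that builds one assignedPlans entry.
    [pscustomobject]@{ servicePlanId = $Id; capabilityStatus = $Status }
}

# Constructed users, shaped like the assignedPlans property on a user object.
$users = @(
    # Licence assigned and active: matches the rule.
    [pscustomobject]@{ userPrincipalName = 'alice@example.com'
                       assignedPlans = @(New-Plan $PlanId 'Enabled') }
    # Right plan but suspended, plus a different enabled plan: no single
    # entry meets both conditions, so no match.
    [pscustomobject]@{ userPrincipalName = 'bob@example.com'
                       assignedPlans = @((New-Plan $PlanId 'Suspended'),
                                         (New-Plan $OtherPlanId 'Enabled')) }
    # Licence removed: the plan entry lingers as Deleted, so no match.
    [pscustomobject]@{ userPrincipalName = 'carol@example.com'
                       assignedPlans = @(New-Plan $PlanId 'Deleted') }
    # Unlicensed user: no match.
    [pscustomobject]@{ userPrincipalName = 'dave@example.com'
                       assignedPlans = @() }
)

$users | ForEach-Object {
    [pscustomobject]@{
        User        = $_.userPrincipalName
        InSsprGroup = Test-SsprRuleMatch -User $_
    }
}
```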