
Azure AD self-service password reset - Group (SSPR)?

Markku Jaala
Regular Visitor

Hi, does anyone know what kind of group(s) are valid here? A synced Universal/Global Security Group seems to work, but how about subgroups or an Azure Dynamic Security group?

The SSPR documentation says: "Only members of a specific Azure AD group that you choose can use the SSPR functionality."

4 Replies

Any Group in Azure AD. This also applies to Dynamic Groups, because the dynamic property applies to the membership type, not the Group itself. 

When you go to Azure > Password Reset you see three options: None, Selected, and All. With All you enable SSPR for all users, but with Selected you can select specific groups from your AAD directory.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-best-practices


@Pablo R. Ortiz The problem is you can only select ONE group :(

We took the approach of using a dynamic security group, with the members populated based on the fact that a user had an EMS licence assigned (licence requirement for SSPR with AD writeback).


For some reason I'm not able to reply to the private message I got asking how we did this, so I will post here:

Hi Dave,

Sure, no worries. We use a dynamic, cloud-only security group, and then configured the advanced rule with the below. Once it was populating correctly we just assigned that user group permissions to do SSPR, which would write back to our local AD. When we designed it this way it means we don't have to keep on top of populating the security group who can do SSPR: as soon as one of our users is assigned the EMS licence, they become a member of the group and have permissions for SSPR / writeback :)

This was the code for the advanced rule scope:

user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")


Hope this helps. 
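As an added example (my own code, not part of the original thread or the poster's setup), here is how the licence-driven dynamic group described in the reply above can be created and verified with the Microsoft Graph PowerShell SDK. Pointing SSPR's "Selected" option at the group is still done in the portal, as the thread says; the script only builds the group and then performs the two checks a practitioner wants before relying on it: that the computed membership equals the set of users who actually hold the plan, and that a member shows up as SSPR-enabled afterwards. Since licence assignment becomes the thing that grants SSPR (and, with writeback, the ability to change an on-premises AD password), the membership-versus-licence comparison is the control worth re-running periodically. Assumptions, none of which come from the thread: the Microsoft.Graph module is installed, the group display name and mail nickname are placeholders, `$upn` is a placeholder test user, and `$planId` is simply the servicePlanId quoted in the reply.

```powershell
# Added example, not from the original thread: build the licence-driven dynamic
# security group the reply describes, then check that its members match the
# users who actually hold the plan and that a sample member is SSPR-enabled.
# Assumptions (placeholders, not from the thread): Microsoft.Graph module
# installed, the group name/nickname, and $upn. $planId is the servicePlanId
# quoted in the reply.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "AuditLog.Read.All"

$planId = "c1ec4a95-1f05-45b3-a911-aa3fa01094f5"
$rule   = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$planId`" " +
          "-and assignedPlan.capabilityStatus -eq `"Enabled`")"

# Cloud-only dynamic security group; Azure AD computes the membership from $rule.
$group = New-MgGroup -DisplayName "SSPR-Licensed-Users" `
                     -MailNickname "sspr-licensed-users" `
                     -MailEnabled:$false -SecurityEnabled `
                     -GroupTypes @("DynamicMembership") `
                     -MembershipRule $rule `
                     -MembershipRuleProcessingState "On"

# Dynamic membership is evaluated asynchronously; the first pass on a new group
# can take several minutes, so poll until members appear.
do {
    Start-Sleep -Seconds 30
    $members = Get-MgGroupMember -GroupId $group.Id -All
} while ($members.Count -eq 0)
$actual = @($members | ForEach-Object { $_.Id } | Sort-Object)

# Independently compute who *should* be in the group: every user holding that
# plan with capabilityStatus "Enabled". Any difference means the rule or the
# licensing is not doing what you think, and those users will (or will not)
# get SSPR and password writeback.
$expected = @(Get-MgUser -All -Property Id, UserPrincipalName, AssignedPlans |
    Where-Object {
        $_.AssignedPlans | Where-Object {
            $_.ServicePlanId -eq $planId -and $_.CapabilityStatus -eq "Enabled"
        }
    } | ForEach-Object { $_.Id } | Sort-Object)

$diff = Compare-Object -ReferenceObject $expected -DifferenceObject $actual
if ($diff) {
    "Membership does not match licensed users:"
    $diff | Format-Table -AutoSize
} else {
    "Group membership matches licensed users ($($actual.Count))."
}

# After selecting this group under Password Reset in the portal, confirm for one
# user that the policy applies: IsSsprEnabled reflects the group scope,
# IsSsprRegistered whether the user has registered authentication methods yet.
$upn  = "user@contoso.com"   # placeholder test user
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName
Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $user.Id |
    Select-Object UserPrincipalName, IsSsprCapable, IsSsprEnabled, IsSsprRegistered
```

The membership comparison is deliberately computed client-side from each user's `AssignedPlans` rather than trusting the group, so it also catches the case where a plan is present but in a non-"Enabled" capability status (for example after a licence is removed and the plan lingers in a suspended state), which the rule correctly excludes.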
