Designing for Azure Identity Management
Azure AD Overview
Advanced Azure AD Identity Topics
Self-Service Password Reset
Managed Identities
Monitoring
Conclusion
This Designing for Azure Identity Management course will guide you through the theory and practice of recognizing, implementing, and deploying the services on offer within your enterprise. Learn how to better the protection of your organization by designing advanced identity management solutions. Recommended for those who already have some experience with the subject, this course is comprised of 24 lectures, including demos, and expertly instructed by one of our MS Azure subject matter experts.
Learning Objectives
- Study and understand what Azure AD Domain Services do and what they can offer
- Learn to create and manage hybrid identities via Azure AD Connect
- Understand the principles of Azure MFA and SSO, and how to enable them
- Recognize and deploy the key principles of Azure AD B2B and B2C
- Learn and utilize Privileged Identity Management
Intended Audience
This course is intended for:
- IT professionals who are interested in getting certified with MS Azure
- Those looking to become Azure architects and/or tasked with designing identity management solutions
Prerequisites
- A mid-range knowledge of MS Azure is recommended before starting this course
- An understanding of identity management concepts
Enabling self-service password reset for end users takes a huge burden off of the shoulders of the help desk. In this demonstration, we will enable self-service password reset, and test that it's working with a test account.

Before enabling self-service password reset, make sure that password writeback is turned on in Azure AD Connect. To do this, launch Azure AD Connect on the server running it. Click Configure and then view the current configuration. If it's disabled, relaunch Azure AD Connect, click Configure, and then select Customize synchronization options. Provide the global admin account to connect to Azure AD. Click Next to leave the directories and domain and OU filtering options unchanged. Under Optional features, check the Password writeback box and click Next. Click Configure to update the configuration and then click Exit.

After turning on password writeback, switch over to the Azure portal and then browse to Azure Active Directory. From here, click Password Reset. For this demonstration, I'm going to enable password reset for all of my users, so I'm going to click All, and then Save. After enabling password reset, click on Authentication methods and select the authentication methods you wish to make available, along with how many are required to set a password. This is obviously going to be different for every environment. If you select the security questions option, you'll be presented with more info to supply. We aren't using security questions here, so I'll turn this off. For this demonstration, I'm going to make mobile phone available as the only option.

After clicking Save, I'm going to click on Registration. I'm asked if I want to require users to register when signing in. I'm going to leave the default value set to Yes. I'm also going to leave the window set to the default of 180 days. Clicking Notifications allows me to set the notification options for when a user resets a password. I'm going to set both options here to Yes. This ensures users receive a notification when they reset their passwords, but it also ensures that all administrators are notified when another administrator resets his password. In the Customization pane, I can provide a customized helpdesk link for users to visit if they need assistance. I don't have a helpdesk here in the lab, so I'm going to leave this off for this demonstration. When I click on the On-premises integration link, Azure confirms that the on-prem writeback client is running and allows me to determine if I want passwords to write back to on-prem AD. I need to leave this set to Yes. The second option designates whether or not users should be given the option to unlock their accounts without resetting their passwords. I'm going to leave this set to No for this demonstration.

With password reset enabled, we can now test it. To test self-service password reset, open an incognito browser window and launch the single sign-on setup process with a test account. In my case here, we previously enabled MFA, so let me get through the authentication process here first. As you can see here, I'm prompted to work through the process of setting up self-service password reset for my account. Once I've completed the self-service password reset setup, I'm presented with my application dashboard. To reset my password, I need to open the password reset URL in my browser. The password reset URL is https://aka.ms/sspr. On the next screen, I'm prompted to begin the reset process. I just have to provide my user ID and I need to complete the captcha. Clicking Next takes me to the verification screen, where I can request a code via mobile phone. After I click the Text button, I receive a code on my phone that I need to enter. After providing my verification code and clicking Next, I'm then prompted to create a new password. Clicking Finish completes the process.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.