
#Azure AD : All about Azure Active Directory


IT has moved from the datacenter era to the cloud era. The focus of organizations has shifted from one specific set of vendors to the open world of technology. Since the inception of the datacenter, identity has played a vital role and has always been treated as the backbone of IT. Now, in the new era of multi-cloud environments, identity plays a central role; this is a new beginning in which identity extends from being the IT backbone to being user-experience oriented.

Microsoft played a key role in the datacenter era with Windows Server Active Directory and is now again playing a crucial role in the multi-cloud environment by offering Azure Active Directory. Microsoft Azure Active Directory is not only a directory service but a complete cloud service that can fulfill all your identity and authorization needs. However, you may find a couple of identity-related requirements that can’t be met by native AAD features, although the service is continuously evolving.

In this era, organizations don’t need an SME for everything, but they do need a design SME who has a broad understanding of the complete end-to-end solution stack, from infrastructure technologies to application technologies.

I have written a series of blog posts on Microsoft Azure AD. These posts mainly focus on how to do it, or you can say they are step-by-step guides backed by real-time scenarios.

Microsoft Azure Active Directory

Azure AD Connect

SSO to SaaS

Application Proxy

Multi-factor Authentication

Self-service Password Management

Self-service group management

Access Panel/My Apps

Dynamic groups membership

Pricing, Licensing and Support

Conditional Access

Custom domain names

Company branding

Cloud App Discovery

Group-based licensing

Identity Protection Part I

Identity Protection Part II

Identity Protection Part III

Privileged Identity Management Part I

Privileged Identity Management Part II

Privileged Identity Management Part III

Azure Active Directory Domain Services Part I

Azure Active Directory Domain Services Part II

Azure Active Directory Domain Services Part III

Azure Active Directory Domain Services Part IV

Device Management – Azure AD Registering

Device Management – Azure AD Join

B2B Collaboration

B2B Licensing

B2C

Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.

The above series of blog posts covers most areas of Azure Active Directory. You can bookmark this blog post for any Azure AD need; I’ll try my level best to add new Azure AD related posts to this series.


#AzureAD : Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.


You may receive the following error if self-service password reset is configured but the right set of permissions has not been applied to the account used by Azure AD Connect. Generally, this occurs because the MSOL service account, or whatever other account was used to configure AAD Connect, does not have the permissions required to reset the password or unlock the account.

To rectify this problem, you need to make sure the account in use has the right set of permissions to perform account and password related activities. There are two ways of doing this: either assign the Account Operators role to this user, or assign specific permissions to this user.

To set specific permissions, go to your Windows Server Active Directory and open Active Directory Users and Computers.

Enable Advanced Features from the View menu.

Right-click the root domain, go to Properties and then go to the Security tab.

Go to Advanced and then click on Add.

Click on Select a principal and then select the service/user account.

In the Applies to section, select Descendant User objects.

Under Permissions and Properties, assign the following permissions:

  • Reset password
  • Change password
  • Write lockoutTime
  • Write pwdLastSet

Click on Apply and OK.
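The same delegation can be scripted instead of clicked through in ADUC. The following PowerShell is an added example, not code from the original post: it grants exactly the four permissions listed above (two extended rights and two attribute writes) to the Azure AD Connect account, scoped to descendant user objects on the domain root, which is the least-privilege option compared with Account Operators. It assumes the RSAT ActiveDirectory module is installed, that it is run as a Domain Admin from a domain-joined machine, and that the account name in `$ConnectAccount` is a placeholder you replace with your own MSOL/AAD Connect account; the GUIDs are looked up from the schema and the Extended-Rights container rather than hardcoded.

```powershell
# Added example (not from the original post): delegate the four SSPR-related
# permissions to the AAD Connect account on descendant user objects.
Import-Module ActiveDirectory

$ConnectAccount = 'MSOL_PLACEHOLDER'   # placeholder: sAMAccountName of your AAD Connect account

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaDn = $rootDse.schemaNamingContext
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve attribute/class GUIDs from the schema partition.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaDn -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Resolve control-access (extended) right GUIDs from the Extended-Rights container.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase $rightsDn -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

$userClassGuid = Get-SchemaGuid 'user'                 # inherited-object type: user objects only
$sid = (Get-ADUser -Identity $ConnectAccount).SID      # principal receiving the permissions

# The four ACEs the post assigns through the GUI.
$aces = @(
    @{ Rights = 'ExtendedRight'; Guid = (Get-ExtendedRightGuid 'Reset Password')  }
    @{ Rights = 'ExtendedRight'; Guid = (Get-ExtendedRightGuid 'Change Password') }
    @{ Rights = 'WriteProperty'; Guid = (Get-SchemaGuid 'lockoutTime') }
    @{ Rights = 'WriteProperty'; Guid = (Get-SchemaGuid 'pwdLastSet')  }
)

$acl = Get-Acl -Path "AD:\$domainDn"
foreach ($ace in $aces) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$ace.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ace.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# Verify: show every ACE on the domain root that applies to the account.
$acl = Get-Acl -Path "AD:\$domainDn"
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run `Set-Acl` with `-WhatIf` first if you want to see the change before it is written, and keep the verification output: the four rows it prints are the quickest way to confirm that the account holds only these rights and nothing broader when you next audit the AAD Connect account.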

Now you are done with the configuration. Ask your user to try resetting his/her password once again.

He/She should be able to reset his/her password successfully.

#Azure AD : Self-service Password Management


Azure AD provides self-service capabilities for password management. This built-in capability of Azure AD not only reduces the number of helpdesk tickets but also enhances user productivity by saving the time and effort spent requesting a password reset or account unlock. The Azure AD self-service password reset capability is also known as SSPR. Azure AD SSPR provides a different set of capabilities with each edition of Azure AD.

Azure AD Free: Supports SSPR for cloud-only administrators.

Azure AD Basic: Supports SSPR for cloud-only users.

Azure AD Premium: Supports SSPR for all users, including cloud users, on-premises users with password sync and federated users; however, password write-back must be enabled for on-premises users.

Azure AD SSPR simplifies password management in the following scenarios:

Forgot password: This is a common issue among users. If a user has forgotten their password and wants to reset it, they must go through one of the validated authentication methods:

  • By phone call to validated mobile phone
  • By text message to validated mobile phone
  • By email to validated secondary email account
  • By answering security questions

Change password: If at any time users want to change their password for any reason, they can do so, but they must remember their current password.

Unlock account: This is another common issue among users. If your account has been locked and you are unable to log in, use this method to unlock your account with a valid authentication method.

Now, let’s have a look at how to do it.

First, log in to Azure AD to configure it for SSPR.

Go to Password reset and select the appropriate SSPR option. You can either select a group for SSPR or select All for all users.

If you want SSPR for all users, select All and then save the configuration.

In my scenario, I am selecting Selected for specific groups.

I have selected a group called SSPR here to provide SSPR capability to the users.

Now select the Authentication method.

I am selecting all the methods. If you select the “Security questions” option, then you need to set the security questions. Click on “Select security questions”.

You can select the security question from Predefined and Custom options.

In my case, I am selecting 5 predefined security questions.

Select all the questions and click on OK.

Once all the authentication methods are configured, click on Save.

Now it is time to configure the end-user settings.

Ask your users to log in to https://portal.azure.com and configure their accounts with additional security.

Select the required options and set them up now.

Select the questions from the drop-down menu.

Answer these questions and click on save answers.

Once done, click on finish.

Log in to your Azure services. I am trying to log in to https://myapps.microsoft.com. Enter your user name and click on Next.

Click on “Forgot my password”.

Fill in the details and click on Next.

Answer your security questions for verification and click on Next.

Now, enter your new password and click on Finish.

Your password has been reset. Now log in with your new password and enjoy!