SSPR (Self Service Password Reset), SSPC (Self-service password change) and MFA (Multi-Factor Authentication) are all features of AAD (Azure AD).
Both MFA and SSPC are part of the Azure AD Premium P1 and P2 editions, as explained here.
SSPR, however, requires Azure AD Premium or Basic, as explained here.
First things first, follow the requirements listed here for AD Connect. You then need to make sure all the password reset settings are set up in Azure AD.
To get to the Azure AD portal, log on to https://manage.windowsazure.com/@trusbron.com (notice the domain at the end; replace it with your own). Even if you don’t have an Azure subscription assigned to your logon name, you’ll still get in.
There are two types of password changing: Change Password and Reset Password.
Self-service password change (Changing Passwords)
Self-service password change allows end users or administrators to change their expired or non-expired passwords without calling an administrator or helpdesk for support.
Or they can change their password ad hoc whenever they wish to, normally when their account is close to expiry. Users can change their password by going to Settings in an Office 365 web application.
Some users might get some errors when they change passwords.
“Your organization doesn’t allow you to change your password on this site. Please change your password according to the method recommended by your organization, or ask your admin if you need help.”
This error is usually caused by the simple fact that the user does not have access to SSPR and does not have an AAD Premium licence assigned, which is required in order to change passwords.
Self-service password reset (Reset Passwords)
Self-service password reset allows end users or administrators to reset their passwords automatically without calling an administrator or helpdesk for support. Self-service password reset requires Azure AD Premium or Basic.
The term “reset password” refers to the case where you have forgotten your password completely and need to use your security questions (or another registered verification method) to regain access to your account.
As an admin, you must set up the security authentication methods for password resets to work. To get to the Azure AD portal, log on to https://manage.windowsazure.com/@trusbron.com (notice the domain at the end; replace it with your own).
“Before users can reset their passwords, they must first have at least one authentication method defined.”
Each user needs to set up their own verification methods, e.g. an email address, security questions or a mobile phone number; these can be set up here: http://aka.ms/ssprsetup.
Some users might get an error upon resetting their password.
“Your request could not be processed – We’re sorry, but we cannot reset your password at this time. Unfortunately, this is due to an unrecoverable issue with your account configuration, so trying again won’t work. Please contact your admin to reset your password for you.”
This is most likely because the MA (Management Agent) service account used by AD Connect doesn’t have the necessary permissions in on-prem AD to Reset Password and Change Password.
Open the Microsoft Azure AD Connect Synchronisation Service Manager: C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe
Go to the properties of Active Directory Domain Services.
Look below Alternate credentials for this directory partition to see the MA service account.
Then run the following PowerShell on a domain controller to grant the MA service account the correct permissions.
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory

$DN = "DC=trusbron,DC=corp"
$MAAccount = "trusbron\MSOL_a68065226cfb"

# Switches used in cmds http://technet.microsoft.com/en-us/library/cc771151.aspx
# /I:S = Specifies the objects to which you are applying the permissions.
#        'S' - The child objects only
# /G   = Grants the permissions that you specify to the user or group
# CA   = Control access. If you do not specify {ObjectType | Property} to define the specific extended right for control access,
#        this permission applies to all meaningful control accesses on the object; otherwise,
#        it applies only to the specific extended right for that object.
# WP   = Write property (needed so password write-back can update the named attribute)

###---Update Attributes
# Object type: user
$cmd = "dsacls '$DN' /I:S /G '`"$MAAccount`":CA;`"Reset Password`";user'"
Invoke-Expression $cmd
$cmd = "dsacls '$DN' /I:S /G '`"$MAAccount`":CA;`"Change Password`";user'"
Invoke-Expression $cmd
$cmd = "dsacls '$DN' /I:S /G '`"$MAAccount`":WP;pwdLastSet;user'"
Invoke-Expression $cmd
$cmd = "dsacls '$DN' /I:S /G '`"$MAAccount`":WP;lockoutTime;user'"
Invoke-Expression $cmd
Full permissions required for password resets can be found here. Please note that password resets don’t work and will fail for privileged AD accounts. See this article for what I am referring to in relation to privileged accounts: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory For password resets to work for a user with a privileged account, you need to tick the ‘inherit security permissions’ box on the privileged user object itself in AD. However, the SDProp process will periodically reset the security back in line with the AdminSDHolder object, so the inherited permissions will be lost again.
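The following is an added check, not part of the original post, to confirm after running the dsacls commands that the MA service account really holds the four ACEs they grant on the domain root, and to list the AdminSDHolder-protected (adminCount=1) users for whom password write-back will fail regardless. It goes slightly beyond the dsacls lines in that it also accepts a broader grant (for example GenericAll, or the right with no object or class restriction) as satisfying a requirement. It assumes a domain-joined machine with the RSAT AD module and read access to the domain ACL; $DN and $MAAccount reuse the post’s values and must be replaced with your own.

```powershell
# Added example (not from the original post). Verifies the MA account's ACEs and
# lists AdminSDHolder-protected users. $DN/$MAAccount are the post's sample values.
Import-Module ActiveDirectory

$DN        = "DC=trusbron,DC=corp"
$MAAccount = "trusbron\MSOL_a68065226cfb"
$rootDse   = Get-ADRootDSE

# Resolve the GUIDs dsacls works with from the forest itself rather than hardcoding them.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $right = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid | Select-Object -First 1
    [guid]$right.rightsGuid
}
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID |
        Select-Object -First 1
    [guid]$obj.schemaIDGUID    # schemaIDGUID is stored as a byte array
}

$userClass = Get-SchemaGuid 'user'
# One entry per dsacls line in the post: CA = ExtendedRight, WP = WriteProperty
$required = @(
    @{ Name = 'Reset Password';    Right = 'ExtendedRight'; Object = (Get-ExtendedRightGuid 'Reset Password') },
    @{ Name = 'Change Password';   Right = 'ExtendedRight'; Object = (Get-ExtendedRightGuid 'Change Password') },
    @{ Name = 'Write pwdLastSet';  Right = 'WriteProperty'; Object = (Get-SchemaGuid 'pwdLastSet') },
    @{ Name = 'Write lockoutTime'; Right = 'WriteProperty'; Object = (Get-SchemaGuid 'lockoutTime') }
)

function Test-MAAccountPermissions {
    # Allow ACEs on the domain root that are held by the MA account
    $aces = (Get-Acl -Path "AD:\$DN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $MAAccount
    }
    foreach ($req in $required) {
        $flag  = [System.DirectoryServices.ActiveDirectoryRights]$req.Right
        $match = $aces | Where-Object {
            # The exact ACE dsacls creates, or a broader grant that implies it
            (($_.ActiveDirectoryRights -band $flag) -ne 0) -and
            ($_.ObjectType -eq $req.Object -or $_.ObjectType -eq [guid]::Empty) -and
            ($_.InheritedObjectType -eq $userClass -or $_.InheritedObjectType -eq [guid]::Empty) -and
            ($_.InheritanceType -ne 'None')     # must flow down to the user objects
        }
        [pscustomobject]@{ Permission = $req.Name; Granted = [bool]$match }
    }
}

function Get-SSPRBlockedPrivilegedUsers {
    # adminCount=1 users are protected by AdminSDHolder: SDProp strips inherited ACEs
    # from them, so the MA account's rights granted above never reach these objects.
    Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            # True when the 'inherit permissions' box is unticked (the usual state after SDProp runs)
            InheritanceBlocked = (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected
        }
    }
}

Test-MAAccountPermissions      | Format-Table -AutoSize
Get-SSPRBlockedPrivilegedUsers | Format-Table -AutoSize
```

Any row in the first table showing Granted = False points at a dsacls line that did not take effect; any account in the second table with InheritanceBlocked = True is one the “Your request could not be processed” error will keep hitting until it is removed from protected groups.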
MFA (Multi-Factor Authentication)
This will turn on MFA (Multi-Factor Authentication) at the AAD level, which means it will affect signing in to both Azure and Office 365 with an AAD account. To activate MFA for all your AAD users, navigate to the multi-factor authentication user management portal. From here you can turn on MFA for all users or for specific sets of users.
Once you enable MFA, the next time the user logs in to an AAD web app, e.g. Azure or Office 365 at https://outlook.office365.com, they will be prompted to set up MFA. If your users do not regularly sign in through the browser, you can send them to this link to register for multi-factor auth: https://aka.ms/MFASetup.
Encourage users to set up MFA using the settings shown in the screenshot below:
The user should download and install Microsoft Authenticator from their phone’s app store; with the settings above, a push notification is sent to their phone as the second factor in order to sign in.
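As an added example that is not from the original post, the report below lets an admin see which users have MFA turned on but have not yet completed registration at https://aka.ms/MFASetup, and which default method they chose. It uses the MSOnline module of this post’s era (Microsoft has since deprecated it in favour of the Microsoft Graph PowerShell module), and assumes you have already run Connect-MsolService as a tenant admin; the property names used are those MSOnline exposes on Get-MsolUser.

```powershell
# Added example (not from the original post). Assumes Connect-MsolService has been run.
Import-Module MSOnline

function Get-MfaStatusReport {
    Get-MsolUser -All | Where-Object { -not $_.BlockCredential } | ForEach-Object {
        # 'Enabled' or 'Enforced' when per-user MFA is turned on; empty when it is off
        $state = $_.StrongAuthenticationRequirements | Select-Object -First 1 -ExpandProperty State
        # Registered second factors; empty until the user finishes aka.ms/MFASetup.
        # The push-notification option from the screenshot registers as PhoneAppNotification.
        $methods = @($_.StrongAuthenticationMethods)
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($state) { $state } else { 'Disabled' }
            RegisteredMethods = ($methods | ForEach-Object { $_.MethodType }) -join ','
            DefaultMethod     = ($methods | Where-Object IsDefault | ForEach-Object { $_.MethodType }) -join ','
        }
    }
}

$report = Get-MfaStatusReport

# Users you turned MFA on for who have not yet registered a second factor
$report | Where-Object { $_.MfaState -ne 'Disabled' -and -not $_.RegisteredMethods } |
    Format-Table UserPrincipalName, MfaState -AutoSize

# Users still signing in with a password only
$report | Where-Object { $_.MfaState -eq 'Disabled' } |
    Format-Table UserPrincipalName -AutoSize
```

The first list is the set of people to send the https://aka.ms/MFASetup link to; the second is what remains to be enabled in the user management portal.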