Enable self-service password reset

Self-service password reset (SSPR) in Microsoft Entra ID gives customers the ability to change or reset their password with no administrator or help desk involvement. If a customer's account is locked or they forget their password, they can follow the prompts to unblock themselves and get back to work. This demo shows how to enable SSPR in Microsoft Entra External ID.

Prerequisites

Before you start, make sure you have completed the following:
  1. Create a tenant and add admin accounts
  2. Register a web application
  3. Create a user flow

To enable self-service password reset, first make sure that the sign-up user flow registers Email with password as an authentication method. Sign in to the Microsoft Entra admin center and browse to External Identities > User flows. Then select the user flow that you want to check.

In the user flow, select Identity providers. Under Email Accounts, confirm that Email with password is selected; SSPR only works for accounts that sign in with a password.

Self-service password reset uses email one-time passcode (Email OTP) authentication to verify the user before the password is changed. In the next steps you enable the Email OTP authentication method for all users in your tenant. Browse to Identity > Protection > Authentication methods. Under Policies > Method, select Email OTP.

Under Enable and Target, enable Email OTP, and under Include, select All users. Then select Save to enable the email OTP authentication method.

Enable the password reset link

If the Forgot password? link doesn't appear on the sign-in page, you need to enable the password reset link. Browse to Identity > User experience > Company Branding. If you can't find it in the menu, select Show more....

On the Default sign-in tab, or on the Browser language customizations tab (if you configured per-language customizations), select Edit.

Select the Sign-in form tab.

Scroll to the Self-service password reset section and select Show self-service password reset. Finally, select Review + save, then Save your changes.

Enable Email OTP authentication method

The following Microsoft Graph request enables the email OTP authentication method for all users in your tenant. It does the same thing as the admin center steps above: the all_users group id is the well-known target that Graph uses for All users, and the empty excludeTargets list means no group is carved out of the policy.

PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email
Content-Type: application/json

{
    "@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
    "state": "enabled",
    "allowExternalIdToUseEmailOtp": "default",
    "excludeTargets": [],
    "includeTargets": [
        {
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": false
        }
    ]
}
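As an added example (not Microsoft's code and not part of the original page), the script below builds the same PATCH body and, more usefully for a practitioner, audits the JSON that a GET on the same endpoint returns, so you can confirm that Email OTP really is enabled for All users and that no excludeTargets entry silently carves a group out of the policy before you point customers at the Forgot password? link. The sample GET response is constructed; the send_request helper assumes a bearer token with the Policy.ReadWrite.AuthenticationMethod permission in the GRAPH_TOKEN environment variable and is only called when you run the file directly.

```python
"""Build the Email OTP policy body and audit a policy GET response.

Added example, not Microsoft's code. Network access happens only in
send_request(); the audit logic runs offline on a dict.
"""
import json
import os
import urllib.request

# Same endpoint as the PATCH request shown on the page.
GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/email")
ALL_USERS = "all_users"  # well-known group id Graph uses for "All users"


def build_email_otp_patch(allow_external_id="default"):
    """Return the request body that enables Email OTP for every user."""
    return {
        "@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
        "state": "enabled",
        "allowExternalIdToUseEmailOtp": allow_external_id,
        "excludeTargets": [],
        "includeTargets": [
            {"targetType": "group", "id": ALL_USERS, "isRegistrationRequired": False}
        ],
    }


def audit_email_otp(config):
    """Audit the email method configuration returned by a GET.

    Returns a list of findings; an empty list means Email OTP is enabled,
    targets All users, and excludes nobody, which is what SSPR needs.
    """
    findings = []
    if config.get("state") != "enabled":
        findings.append(f"state is {config.get('state')!r}, expected 'enabled'")
    included = {t.get("id") for t in config.get("includeTargets", [])
                if t.get("targetType") == "group"}
    if ALL_USERS not in included:
        findings.append("includeTargets does not contain the all_users group")
    excluded = [t.get("id") for t in config.get("excludeTargets", [])]
    if excluded:
        # Excluded groups cannot use Email OTP, so their members cannot reset.
        findings.append(f"excludeTargets is not empty: {excluded}")
    return findings


def send_request(method, token, body=None):
    """Send a GET or PATCH to the email method configuration (network)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH_URL, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


# Constructed sample of a GET response from a tenant where the method is
# still off; this is what the audit should flag.
SAMPLE_GET_RESPONSE = {
    "@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
    "id": "Email",
    "state": "disabled",
    "allowExternalIdToUseEmailOtp": "default",
    "includeTargets": [],
    "excludeTargets": [],
}


if __name__ == "__main__":
    print("sample audit:", audit_email_otp(SAMPLE_GET_RESPONSE))
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        send_request("PATCH", token, build_email_otp_patch())
        print("live audit:", audit_email_otp(send_request("GET", token)))
```

Run it without GRAPH_TOKEN to see the audit flag the constructed sample; with a token it applies the policy and re-reads it, and an empty findings list is the signal that the admin center steps in the previous section are complete.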