Enable password reset from the login screen

This week's post is about something similar to last week's. This week it's all about the password reset option on the login screen, in other words the Reset password option. Starting with Windows 10, version 1709, it's possible to enable the Reset password option on the login screen for Azure AD joined devices. I know that a lot has been written already about this subject, but I have the feeling that it needs a place on my blog, in my style and with more details. In this post I'll provide a short introduction to Azure AD self-service password reset (SSPR), followed by a walk through the required configurations for SSPR and the Reset password option. I'll end this post by looking at the end-user experience.


Now let's start this post with an introduction to Azure AD SSPR. With SSPR, users can reset their passwords on their own, when and where they need to. At the same time, administrators control how a user's password gets reset. That means that the user no longer needs to call the help desk just to reset their password. SSPR includes the following (the focus of this post is number 2):

  1. Self-service password change: The user knows their password but wants to change it to something new;
  2. Self-service password reset: The user is unable to sign in and wants to reset their password by using one or more of the following validated authentication methods:
    • Send a text message to a validated mobile phone;
    • Make a phone call to a validated mobile or office phone;
    • Send an email to a validated secondary email account;
    • Answer their security questions.
  3. Self-service account unlock: The user is unable to sign in with their password and has been locked out. The user wants to unlock their account without administrator intervention by using their authentication methods.


Let’s continue by having a look at the required configuration, to enable the Reset password option from the login screen. As the configuration of the actual settings requires SSPR to be enabled, I divided the configuration into two steps. The first step is to enable SSPR and the second step is to configure the Reset password option.

Step 1a: Enable SSPR

The first step is to enable SSPR, as it's the starting point for enabling the Reset password option on the login screen. If the Reset password option is configured without SSPR being enabled, the user will receive a message that SSPR is not enabled for them and that they should contact the administrator. The following seven steps walk through the relatively simple configuration to enable SSPR.

1 Open the Azure portal and navigate to Azure Active Directory > Password reset;
2 On the Password reset – Properties blade, select All and click Save;
3 On the Password reset – Authentication methods blade, select the number of methods required to reset and the methods available to users, and click Save;

Note: Make sure that you have at least as many methods available to users as you have required to reset.

4 On the Password reset – Registration blade, configure whether or not to require users to register when signing in and click Save;
5 On the Password reset – Notifications blade, configure the notification settings and click Save;
6 On the Password reset – Customization blade, configure the customization settings and click Save;
7 On the Password reset – On-premises integration blade, configure the password writeback settings and click Save;

Note: This is required when using an on-premises directory and also requires the configuration of step 1b.

Step 1b: (Optional) Configure password writeback

Another part of the first step is the optional configuration of password writeback. This must be configured to write passwords reset in Azure AD back to the on-premises directory. To achieve this, use the following nine steps to reconfigure Azure AD Connect.

1 On the Azure AD Connect server, start Azure AD Connect to open the Microsoft Azure Active Directory Connect wizard;
2 On the Welcome page, click Configure;
3 On the Additional tasks page, select Customize synchronization options and click Next;
4 On the Connect to Azure AD page, provide the required credentials and click Next;
5 On the Connect Directories page, click Next;
6 On the Domain/OU Filtering page, click Next;

7 On the Optional Features page, select Password writeback and click Next;

Note: I’ve also got Device writeback configured, which causes the next page to appear.

8 (Optional) On the Writeback page, click Next;
9 On the Configure page, click Configure and once completed click Exit;

Step 2: Enable Reset password option

The second step is to configure the required setting to enable the Reset password option on the login screen. In other words, the second step is to create a device configuration profile with at least one custom OMA-URI setting. The required setting is part of the Authentication node of the Policy CSP: the AllowAadPasswordReset policy. That policy allows administrators to enable the self-service password reset feature on the Windows logon screen. An integer value of 0 means not enabled and an integer value of 1 means enabled.

The following three steps walk through the creation of a new device configuration profile, including the required OMA-URI setting. After that simply assign the created profile to a user group.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;

3a On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b.

3b On the Custom OMA-URI Settings blade, click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK on the Custom OMA-URI Settings blade);

  • Name: Provide a valid name; 
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset;
  • Data type: Select Integer;
  • Value: 1.

Note: For testing purposes it's also possible to configure the Reset password option by using the HKLM\SOFTWARE\Policies\Microsoft\AzureADAccount registry key, with a value named AllowPasswordReset of type REG_DWORD and data 1.
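To check on a device whether the prerequisites of step 2 are actually in place (Azure AD joined, Windows 10 version 1709 or later, the AllowAadPasswordReset policy delivered by Intune) and, for a lab only, to set the test registry key from the note above, I use a script like the one below. This is an added example and not code from the original post; the PolicyManager registry path it reads is an assumption about where Windows mirrors MDM-delivered Policy CSP values, so verify it on your own build before relying on the result.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Windows 10 device that received the Intune profile.
# Set to $true only in a lab to write the test registry key from the post's note.
$SetTestRegistryKey = $false

# 1. The device must be Azure AD joined; dsregcmd /status reports this as
#    "AzureAdJoined : YES".
$dsreg = dsregcmd /status
$azureAdJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)

# 2. Windows 10, version 1709 corresponds to build 16299; older builds have no
#    Reset password option on the login screen.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$osSupported = $build -ge 16299

# 3. MDM-delivered policy ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset.
#    Assumption: Windows mirrors applied Policy CSP values under PolicyManager\current\device.
$mdmPath  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$mdmValue = (Get-ItemProperty -Path $mdmPath -Name 'AllowAadPasswordReset' -ErrorAction SilentlyContinue).AllowAadPasswordReset

# 4. Test-only registry key from the post's note (AllowPasswordReset, REG_DWORD, 1).
$testPath = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
if ($SetTestRegistryKey) {
    New-Item -Path $testPath -Force | Out-Null
    New-ItemProperty -Path $testPath -Name 'AllowPasswordReset' -PropertyType DWord -Value 1 -Force | Out-Null
}
$testValue = (Get-ItemProperty -Path $testPath -Name 'AllowPasswordReset' -ErrorAction SilentlyContinue).AllowPasswordReset

# 5. Summarise: the option should appear when the device is joined, the build is
#    supported, and either the MDM policy or the test key is set to 1.
[pscustomobject]@{
    AzureAdJoined             = $azureAdJoined
    BuildNumber               = $build
    OsSupported               = $osSupported
    MdmAllowAadPasswordReset  = $mdmValue
    TestRegistryAllowReset    = $testValue
    ResetPasswordExpected     = $azureAdJoined -and $osSupported -and (($mdmValue -eq 1) -or ($testValue -eq 1))
} | Format-List
```

If MdmAllowAadPasswordReset stays empty after a sync, check the profile assignment in Intune first; the test registry key is only a shortcut for a lab and should be removed again afterwards, so that the Intune profile remains the single source of the setting.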

End-user experience

Now let's end this post by walking through the end-user experience. On the login screen a new option, Reset password, is available when password is selected as the sign-in option.


When the user selects Reset password, the user will be redirected to the Azure AD self-service password reset service.


The User ID is already prepopulated and when the user clicks on Next, the user should choose a verification method. In my case a text to my mobile phone.


When the user provides the correct mobile phone number and clicks on Next, the user must provide the actual verification code of the text message.


When the user provides the correct verification code and clicks on Next, the user must provide a new password.


When the user provides a new password and clicks Next, the user is shown the message that the password has been reset. When the user then clicks Finish, the user is redirected to the login screen.


More information

For more information about SSPR, Windows 10 and the Reset password option, please refer to the following articles:

27 thoughts on “Enable password reset from the login screen”

  1. Hi! Is there a way to redirect to a custom Password Reset Portal? My organization does not use AAD for password reset, but we have Azure AD Premium. We want to redirect to a custom URL though… thanks! JJ

  2. Don't forget: if you used a custom AD Connect installation with a service account, you need to set permissions for this account: Change Password, Reset Password, Write Lockout, Write PwdLastSet.

  3. Hi Peter

    Nice blog post, as usual from you!

    We have some issues regarding this function. Our customer has the following update scenario: from 1511 to 1607 and further to 1703. This 'reset password' option does not even appear on the login screen!

    MSFT support answer: “We have been continuously working and researching with our TA’s on this issue but as we currently are not able to replicate the issue at our end we are unable to provide a definite resolution.
    We have involved the Directory services team in this regard for which you might receive calls from various tech engineers.”

    Did you already have this symptom? What would you recommend us?

    Thanks for your kindly answer & greetings from Switzerland, Ákos

  4. Sir Peter, thanks, but what is the meaning of 'device wide' in this case? With /device we assign to a device group; is this different when leaving out the /device? I simply don't understand.

  5. Hi Gerem,
    Correct. Starting with Windows 10, version 1803, it should be supported for hybrid Azure AD joined devices. Haven’t tested that myself yet. What problems are you running into? And what does your setup look like?
    Regards, Peter

  6. Hi Peter,

    Thanks for the article :
    I have question, how do enforce password change on device enrollment for a new user who has never reset his password ?

    1. We have new users who would be issued new laptops (MS AutoPilot) and these users enroll into these Laptop with their Azure AD accounts.
    2. In this process, device would be joined to Azure AD, followed by Intune enrolment.
    3. The plan is to create these users in on-premise AD and sync them to Azure AD.
    4. The expectation now is to enforce password change, since this is users first login.

    In General, How do we force password change for new/first time user who is using Azure services like Office365 webportal or Intune who gets authenticated on Azure AD ?? And if these AAD accounts are synced from on-prem AD ?

    What I’ve heard so far is , selecting “change password at next logon” on On-prem AD, and then sync those accounts up to Azure AD using AD Connect is not a possibility ? As the sync would fail because these are temp passwords.

    For synced AAD users is there a way for users to be prompted to change their password on the O365 web portal and then write those changes back to the on-premise AD ?

  7. Hello, I ran into the following issue in a LAB; if you have any advice/suggestions please let me know, thanks.

    I have set up Azure SSPR from the logon screen by setting the following registry key via a group policy preference (as I could not see a built-in GPO setting; if there is a GPO please let me know its path):


    This works fine as long as the user does not reboot the computer. If the computer is rebooted the “reset password” link does not appear on the logon screen. If the user then performs a logon and logoff, then a logon again the “reset password” does appear.

    So in summary it works fine unless the user reboots, as the ‘reset password’ link is always missing at the first logon following a reboot of the computer.

    I should mention I am using a LAB environment (Hyper-V) with a Windows 10 VM (which in effect means I am RDP'd into the VM). Is that the issue? I do not have a physical computer to test with at the moment. However, as stated above, the 'reset password' link does appear following a logoff without a reboot.


  8. Hi Peter,

    I noticed that the ‘8-16 characters; case sensitive; one number or symbol’ message in the create new password dialog is hard-coded by Microsoft. This can be misleading if you have an AD DS password policy that requires – for example – more than 8 characters.

    Any idea if this will be fixed by Microsoft?



  9. Regarding my previous comment: Microsoft has acknowledged the hard-coded password policy message in the SSPR dialog to be an issue and is working on a fix: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36320743-ability-to-to-remove-or-customise-the-default-mess

  10. hi Peter,

    In a hybrid joined laptop scenario the user is able to change the password via the above SSPR method, but that does not save/cache the password on the laptop, so the user has to use the old password to log in.
    Any idea what we can do here?
    Also, in a hybrid (company on-prem domain + AAD joined) setup, do we need to have different policies in Intune matching the on-prem GPOs?
