Exploring Device Management.
31 December 2023
Today I am going to show you how to enable Self-Service Password Reset for Azure AD accounts directly from the logon screen of your Windows client. To enable this feature, we need to configure a policy in Microsoft Intune. Microsoft recently added this setting to the settings catalog. Previously you needed to configure it manually as an OMA-URI policy.
The legacy OMA-URI configuration used these settings:
Name: Windows SSPR
Description:
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
Data type: Integer
Value: 1
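The same legacy OMA-URI profile can also be created through Microsoft Graph instead of the portal. The following is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK and a session opened with `Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'`; the function name `New-SsprOmaUriProfile` and the description text are made up for illustration. The profile is created unassigned, so it still has to be assigned to a group of clients.

```powershell
#Requires -Modules Microsoft.Graph.Authentication

function New-SsprOmaUriProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DisplayName = 'Windows SSPR',  # profile name used in this post
        [ValidateSet(0, 1)]
        [int]$Value = 1                         # 1 = value used in this post
    )

    $base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

    # Walk all pages of existing profiles so a second run does not create
    # a duplicate (or conflicting) policy with the same name.
    $uri = $base
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $hit  = $page.value | Where-Object { $_.displayName -eq $DisplayName }
        if ($hit) {
            Write-Warning "Profile '$DisplayName' already exists, nothing created."
            return $hit
        }
        $uri = $page.'@odata.nextLink'
    }

    # Custom (OMA-URI) Windows profile carrying one integer setting.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Password reset link on the Windows logon screen'  # constructed text
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'AllowAadPasswordReset'
                omaUri        = './Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
                value         = $Value
            }
        )
    } | ConvertTo-Json -Depth 5

    if ($PSCmdlet.ShouldProcess($DisplayName, 'Create Intune custom profile')) {
        Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType 'application/json'
    }
}

# Dry run first: shows what would be created without calling POST.
# New-SsprOmaUriProfile -WhatIf
```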
The new way is based on the settings catalog and can be configured like this:
The first step is to configure the profile name:
Now we need to click on „+ Add settings“:
Search for „Allow Aad Password Reset“ on the right side and then select the option:
Now switch the slider to „Allow“ to enable the feature:
Finish and assign the profile to a group of clients.
After the profile has been assigned to your clients, you will see „Reset password“ on the logon screen. From there you can use the Azure AD SSPR feature right from the logon screen in case you forgot your password.