Enable self-service password reset

Applies to: External tenants (learn more)

Self-service password reset (SSPR) in Microsoft Entra External ID gives customers the ability to change or reset their password, with no administrator or help desk involvement. If a customer's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work.

How the password reset process works

Self-service password reset (SSPR) supports two authentication methods: email one-time passcode (Email OTP) and SMS. When SSPR is enabled, users who forget their password can verify their identity using either Email OTP or SMS. With one-time passcode authentication, a passcode is sent by email or SMS. After entering the passcode, the user is prompted to create a new password.

The process works as follows:

  1. From the app, the user selects Sign in.
  2. On the sign-in page, they enter their email address and choose Next.
  3. If the user forgot their password, they select Forgot password?.
  4. The user is prompted to choose how to verify their identity. They can select a one-time passcode sent to their email or phone, based on the methods they registered.
  5. A one-time passcode is sent to the email address they entered on the first page or to their registered phone number.
  6. The user enters the passcode to continue.
  7. After successfully verifying their identity, the user is prompted to create a new password.

Prerequisites

  • If you haven't already created your own external tenant, create one now.
  • Have at least the Security Administrator role.
  • If you haven't already created a User flow, create one now.

Enable self-service password reset for customers

  1. Sign in to the Microsoft Entra admin center.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the external tenant you created earlier from the Directories + subscriptions menu.

  3. Browse to Entra ID > External Identities > User flows.

  4. From the list of User flows, select the user flow for which you want to enable SSPR.

  5. Make sure that the sign-up user flow registers Email with password as an authentication method under Identity providers.

    Screenshot that shows how to enable email authentication.

Enable authentication method for password reset

To enable self-service password reset, configure the authentication method for all users or for a specific group in your tenant.

The following steps show how to enable Email OTP as an authentication method for self-service password reset.

  1. Sign in to the Microsoft Entra admin center. If you have access to multiple tenants, use the Settings icon in the top menu and switch to your external tenant from the Directories + subscriptions menu.

  2. Browse to Entra ID > Authentication methods.

  3. Under Policies > Method select Email OTP.

    Screenshot that shows authentication methods.

  4. Under Enable and Target, turn on Email OTP.

  5. Under Include, choose All users or Select groups to specify who can use this method.

    Screenshot of enabling OTP.

  6. Select Save.
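
To confirm the result of these steps outside the portal, the following added example (not part of the original article) audits an exported authentication methods policy for the two methods SSPR supports. It assumes the JSON shape returned by Microsoft Graph's `GET /policies/authenticationMethodsPolicy`; the sample policy and the group ID in it are constructed placeholders.

```python
import json

# Constructed sample shaped like the Microsoft Graph response for
# GET /policies/authenticationMethodsPolicy (trimmed; IDs are placeholders).
SAMPLE_POLICY = json.loads("""
{
  "authenticationMethodConfigurations": [
    {"@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration",
     "id": "Email", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}],
     "excludeTargets": []},
    {"@odata.type": "#microsoft.graph.smsAuthenticationMethodConfiguration",
     "id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}],
     "excludeTargets": [{"targetType": "group", "id": "00000000-0000-0000-0000-000000000001"}]}
  ]
}
""")

SSPR_METHODS = {"email": "Email OTP", "sms": "SMS"}  # the two methods SSPR supports


def method_scope(cfg):
    """Return 'disabled', 'all_users', 'none', or a sorted list of included group IDs."""
    if cfg.get("state") != "enabled":
        return "disabled"
    excluded = {t["id"] for t in cfg.get("excludeTargets") or []}
    included = {t["id"] for t in cfg.get("includeTargets") or []} - excluded
    if "all_users" in included:
        return "all_users"
    return sorted(included) or "none"


def audit_sspr_methods(policy):
    """Map each SSPR method to its scope and collect findings worth a second look."""
    configs = {c["id"].lower(): c for c in policy.get("authenticationMethodConfigurations", [])}
    scopes = {name: method_scope(configs.get(key, {})) for key, name in SSPR_METHODS.items()}
    findings = [f"{name} is enabled but targets no users"
                for name, scope in scopes.items() if scope == "none"]
    if all(scope in ("disabled", "none") for scope in scopes.values()):
        findings.append("No usable verification method for SSPR")
    return scopes, findings


if __name__ == "__main__":
    scopes, findings = audit_sspr_methods(SAMPLE_POLICY)
    print(scopes)
    print(findings or "OK")
```
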

You can hide, show, or customize the self-service password reset link on the sign-in page.

  1. In the search bar, type and select Company Branding.

  2. Under Default sign-in select Edit.

  3. On the Sign-in form tab, scroll to the Self-service password reset section and select Show self-service password reset.

    Screenshot of the company branding Self-service password reset.

  4. Select Review + save and Save on the Review tab.

For more details, check out the Customize the neutral branding in your external tenant article.

Test self-service password reset

To go through the self-service password reset flow:

  1. Open your application, and select Sign-in.

  2. On the sign-in page, enter your Email address and select Next.

    Screenshot that shows the sign-in page.

  3. Select the Forgot password? link.

    Screenshot that shows the forgot password link.

  4. If SMS is available for self-service password reset, you can choose to receive a one-time passcode by email or phone. Enter the passcode sent to your email address or phone number.

  5. Once you're authenticated, you're prompted to enter a new password. Provide a New password, and Confirm password, then select Reset password to sign in to your application.

    Screenshot that shows the update password screen.