Self-service password reset can be a useful feature that allows users to access their account in case they forget their password.

On the other hand, it is a potential risk: an attacker may target the self-service password reset feature to gain access to an account. For privileged accounts this risk is especially high, so I would generally recommend disabling self-service password reset for privileged accounts.

How to disable Self-Service Password Reset for administrators

Default SSPR configuration for admin accounts in Microsoft Entra ID

By default, administrators can perform self-service password reset even if self-service password reset is disabled for normal users. This applies to the following roles:

  • Application Administrator
  • Authentication Administrator
  • Billing Administrator
  • Compliance Administrator
  • Cloud Device Administrator
  • Directory Synchronization Accounts
  • Directory Writers
  • Dynamics 365 Administrator
  • Exchange Administrator
  • Global Administrator
  • Helpdesk Administrator
  • Intune Administrator
  • Microsoft Entra Joined Device Local Administrator
  • Partner Tier1 Support
  • Partner Tier2 Support
  • Password Administrator
  • Power Platform Administrator
  • Privileged Authentication Administrator
  • Privileged Role Administrator
  • Security Administrator
  • Service Support Administrator
  • SharePoint Administrator
  • Skype for Business Administrator
  • Teams Administrator
  • Teams Communications Administrator
  • Teams Devices Administrator
  • User Administrator

For the administrators listed above, a two-gate password reset policy is in effect, which lets them perform a secure password reset even if self-service password reset is disabled for normal users. A secure password reset for administrators means that the administrator must always authenticate with two different MFA methods, even if the SSPR policy requires only one authentication method for normal users.

The two-gate password reset policy for administrators cannot be changed and prohibits security questions from being used as an SSPR authentication option.

The SSPR administrator policy does not depend on the Authentication methods policy either. For example, if you disable third-party software tokens in the Authentication methods policy, administrator accounts can still register third-party software token applications and use them, but only for SSPR.

How to disable SSPR for Microsoft Entra ID administrators

You can disable SSPR for administrator accounts with the Update-MgPolicyAuthorizationPolicy PowerShell cmdlet. Its -AllowedToUseSspr parameter enables ($true) or disables ($false) SSPR for administrators. Policy changes that enable or disable SSPR for administrator accounts can take up to 60 minutes to take effect.

First we need to install the Microsoft Graph PowerShell module and import it.

Install-Module -Name Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.SignIns

Now we can connect to Microsoft Graph with the required scope.

Connect-MgGraph -Scopes Policy.ReadWrite.Authorization

Once we are connected to Microsoft Graph, we can verify the current settings.

Get-MgPolicyAuthorizationPolicy | select AllowedToUseSspr

If you haven’t changed your settings in the past, you’ll see that administrators are allowed to perform self-service password reset.

AllowedToUseSspr
----------------
            True

You can disable it by running the following command.

Update-MgPolicyAuthorizationPolicy -AllowedToUseSspr:$false

If we now check the settings again, we should see that SSPR is disabled.

AllowedToUseSspr
----------------
           False
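As an added example that is not from the original post, the steps above combined into one idempotent PowerShell function: it reads the current setting, only changes it when needed, supports -WhatIf, and reads the policy back to confirm. It assumes the Microsoft.Graph.Identity.SignIns module is already installed and that the signed-in account can consent to the Policy.ReadWrite.Authorization scope.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph.Identity.SignIns
# is installed and the signed-in account can grant Policy.ReadWrite.Authorization.
Import-Module Microsoft.Graph.Identity.SignIns

function Disable-AdminSspr {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Connect with the single scope the change requires (least privilege).
    Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' | Out-Null

    # Read the tenant-wide authorization policy and record the current state.
    $before = (Get-MgPolicyAuthorizationPolicy).AllowedToUseSspr
    Write-Host "AllowedToUseSspr before: $before"

    if (-not $before) {
        Write-Host 'SSPR for administrators is already disabled; nothing to do.'
        return $false
    }

    if ($PSCmdlet.ShouldProcess('Authorization policy', 'Set AllowedToUseSspr to $false')) {
        Update-MgPolicyAuthorizationPolicy -AllowedToUseSspr:$false

        # The stored policy value is readable immediately; per the post, the
        # change can take up to 60 minutes to take effect for sign-ins.
        $after = (Get-MgPolicyAuthorizationPolicy).AllowedToUseSspr
        Write-Host "AllowedToUseSspr after:  $after"
        if ($after) { throw 'Policy update did not persist; check permissions and retry.' }
        return $true
    }
}

# Run with -WhatIf first to see the intended change without applying it.
Disable-AdminSspr
```

Run `Disable-AdminSspr -WhatIf` to preview the change; the function returns $true when it changed the policy and $false when it was already disabled.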