Help Desk to initiate a password reset for a user instead of self service?

Chaumette Garcia 0 Reputation points
2025-12-03T15:56:48.5933333+00:00

Our organization wants Tier 1 help desk staff to play an active role in the password reset process. Instead of users initiating self-service password resets directly, we would like system administrators or designated help desk personnel to trigger the password reset workflow on the user’s behalf.

Is there a supported method in Azure AD (Entra ID) to disable or limit self-service password resets for end users, while allowing administrators to initiate password reset requests via email or another controlled mechanism? If so, what is the recommended configuration approach?

Microsoft Security | Microsoft Entra | Other

3 answers

  1. Q&A Assist
    2025-12-03T15:56:59.7+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To disable or limit self-service password resets (SSPR) for end users while allowing administrators to initiate password reset requests, you can configure the SSPR settings in Microsoft Entra ID. Here are the steps you can follow:

    1. Disable Self-Service Password Reset: You can disable SSPR for all users or specific groups by adjusting the settings in the Microsoft Entra admin center. This will prevent users from initiating password resets on their own.
    2. Enable Help Desk Password Reset: You can set up a process where designated help desk personnel can reset passwords for users. This can be done through the admin portal where administrators can directly reset user passwords without needing the user to initiate the process.
    3. Use Email or Controlled Mechanism: If you want to allow help desk staff to initiate password resets via email or another controlled mechanism, you may need to implement a custom workflow or use existing IT service management tools that integrate with Microsoft Entra ID to manage these requests securely.
    4. Monitor and Audit: Ensure that you have monitoring and auditing in place to track password reset requests initiated by help desk staff to maintain security and compliance.

    For detailed guidance on how to configure these settings, refer to the Microsoft Entra documentation on self-service password reset and account management.
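As an added example for the "Monitor and Audit" step (not part of the answer above, and not Microsoft code): a review of exported audit records that flags admin-initiated resets performed by someone outside the approved help desk, resets aimed at protected accounts, and bursts of resets by one operator. It assumes records in the shape of Microsoft Graph `directoryAudit` entries; the function names, the help desk and protected lists, the threshold, and all sample data are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names for admin-initiated resets; confirm against your own tenant's audit log.
ADMIN_RESET = {"Reset user password", "Reset password (by admin)"}

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_resets(records, helpdesk, protected, max_per_hour=3):
    """Return (reason, actor, target, time) findings for successful admin resets."""
    findings, history = [], defaultdict(list)
    for rec in sorted(records, key=lambda r: parse_ts(r["activityDateTime"])):
        if rec.get("activityDisplayName") not in ADMIN_RESET or rec.get("result") != "success":
            continue
        user = (rec.get("initiatedBy") or {}).get("user") or {}  # empty when an app acted
        actor = (user.get("userPrincipalName") or "unknown").lower()
        when = parse_ts(rec["activityDateTime"])
        for res in rec.get("targetResources") or []:
            target = (res.get("userPrincipalName") or "unknown").lower()
            if actor not in helpdesk:
                findings.append(("actor-not-helpdesk", actor, target, when))
            if target in protected:
                findings.append(("protected-target", actor, target, when))
            # Sliding one-hour window of resets performed by this actor.
            history[actor] = [t for t in history[actor] if when - t <= timedelta(hours=1)] + [when]
            if len(history[actor]) > max_per_hour:
                findings.append(("reset-burst", actor, target, when))
    return findings

def make_record(activity, ts, actor, target, result="success"):
    # Constructed record in the shape of a Microsoft Graph directoryAudit entry.
    return {"activityDisplayName": activity, "activityDateTime": ts, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target}]}

# Constructed sample data; every name and address below is made up.
SAMPLE = [
    make_record("Reset user password", "2025-12-03T09:00:00Z", "hd1@example.com", "alice@example.com"),
    make_record("Reset user password", "2025-12-03T09:05:00Z", "hd1@example.com", "ga@example.com"),
    make_record("Reset password (by admin)", "2025-12-03T09:10:00Z", "temp@example.com", "bob@example.com"),
    make_record("Reset password (self-service)", "2025-12-03T09:15:00Z", "erin@example.com", "erin@example.com"),
    make_record("Reset user password", "2025-12-03T09:20:00Z", "hd1@example.com", "carol@example.com"),
    make_record("Reset user password", "2025-12-03T09:30:00Z", "hd1@example.com", "dave@example.com"),
]

if __name__ == "__main__":
    for finding in review_resets(SAMPLE, {"hd1@example.com"}, {"ga@example.com"}):
        print(*finding)
```

On the sample data this reports the reset of the protected account, the reset by an operator who is not on the help desk list, and the fourth reset by the same operator within an hour.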



  2. Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
    2025-12-03T16:12:08.89+00:00

    I personally would not recommend this. It's easy to socially engineer someone on the help desk to reset a password.

    Instead, allow SSPR, require 2 MFA methods and use TAP to allow users to bootstrap themselves.

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass

    Down the road, look to https://blog.admindroid.com/self-service-account-recovery-with-identity-verification-in-entra-id/


  3. Vasil Michev 123.5K Reputation points MVP Volunteer Moderator
    2025-12-03T16:16:03.98+00:00

    Yes, you should be able to toggle the forceChangePasswordNextSignIn flag (or even better, the forceChangePasswordNextSignInWithMfa one) on the user, which should then result in them being prompted to change their password on login. As for preventing self-service password resets, this is controlled via the Password reset page/settings in the Entra portal.

