Licensing requirements for Azure Active Directory self-service password reset
To reduce help desk calls and loss of productivity when a user can't sign in to their device or an application, user accounts in Azure Active Directory (Azure AD) can be enabled for self-service password reset (SSPR). Features that make up SSPR include password change, reset, unlock, and writeback to an on-premises directory. Basic SSPR features are available in Microsoft 365 Business Standard or higher and all Azure AD Premium SKUs at no cost.
This article details the different ways that self-service password reset can be licensed and used. For specific details about pricing and billing, see the Azure AD pricing page.
Compare editions and features
SSPR is licensed per user. To maintain compliance, organizations are required to assign the appropriate license to their users.
The following table outlines the different SSPR scenarios for password change, reset, or on-premises writeback, and which SKUs provide the feature.
|Feature||Azure AD Free||Microsoft 365 Business Standard||Microsoft 365 Business Premium||Azure AD Premium P1 or P2|
|Cloud-only user password change
When a user in Azure AD knows their password and wants to change it to something new.
|Cloud-only user password reset
When a user in Azure AD has forgotten their password and needs to reset it.
|Hybrid user password change or reset with on-prem writeback
When a user in Azure AD that's synchronized from an on-premises directory using Azure AD Connect wants to change or reset their password and also write the new password back to on-prem.
Standalone Microsoft 365 Basic and Standard licensing plans don't support SSPR with on-premises writeback. The on-premises writeback feature requires Azure AD Premium P1, Premium P2, or Microsoft 365 Business Premium.
For additional licensing information, including costs, see the following pages:
- Azure Active Directory pricing
- Azure Active Directory features and capabilities
- Enterprise Mobility + Security
- Microsoft 365 Enterprise
- Microsoft 365 Business
Enable group or user-based licensing
Azure AD supports group-based licensing. Administrators can assign licenses in bulk to a group of users, rather than assigning them one at a time. For more information, see Assign, verify, and resolve problems with licenses.
Some Microsoft services aren't available in all locations. Before a license can be assigned to a user, the administrator must specify the Usage location property on the user. Assignment of licenses can be done under the User > Profile > Settings section in the Azure portal. When you use group license assignment, any users without a usage location specified inherit the location of the directory.
To get started with SSPR, complete the following tutorial: