Azure SSPR

Kim Marion Maquiling 0 Reputation points
2024-04-12T11:09:54.8266667+00:00

Good day may I ask why Global Administrators are not allowed to use SSPR

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,521 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 10,845 Reputation points MVP
    2024-04-12T11:33:54.5666667+00:00

    That's not the case. As a matter of fact, you cannot block Global Admins from using SSPR

    https://learn.microsoft.com/en-us/answers/questions/765465/disable-sspr-for-indiviaul-admin-accounts

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments
  2. Navya 4,000 Reputation points Microsoft Vendor
    2024-04-16T07:12:25.8+00:00

    Hi @Kim Marion Maquiling

    Thank you for posting this in Microsoft Q&A.

    I understand your question as to why Global Administrators are not allowed to use SSPR (Self-Service Password Reset) in Microsoft Entra Id.

    By default, Global Administrators are allowed to use SSPR (Self-Service Password Reset) in Microsoft Entra Id. To minimize the risk of privilege escalation attacks, it is advisable not to utilize Global Administrators for routine activities such as password resets. Instead, it is recommended to employ a dedicated account with appropriate permissions for carrying out administrative tasks, including password resets.

    For your reference: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#administrator-reset-policy-differences

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.