Customize the Azure AD functionality for self-service password reset

IT professionals who want to deploy self-service password reset (SSPR) in Azure Active directory (Azure AD) can customize the experience to match their users' needs.

Even if SSPR is not enabled, users still have a "Contact your administrator" link on the password reset portal. If a user selects this link, it either:

  • Emails your administrators and asks them for assistance in changing the user's password.
  • Sends your users to a URL that you specify for assistance.

We recommend that you set this contact to something like an email address or website that your users already use for support questions.

Contact

The contact email is sent to the following recipients in the following order:

  1. If the password administrator role is assigned, administrators with this role are notified.
  2. If no password administrators are assigned, then administrators with the user administrator role are notified.
  3. If neither of the previous roles are assigned, then the global administrators are notified.

In all cases, a maximum of 100 recipients are notified.

To find out more about the different administrator roles and how to assign them, see Assigning administrator roles in Azure Active Directory.

Disable "Contact your administrator" emails

If your organization does not want to notify administrators about password reset requests, you can enable the following configuration:

  • Enable self-service password reset for all end users. This option is under Password Reset > Properties.

    If you don't want users to reset their own passwords, you can scope access to an empty group. We don't recommend this option.

  • Customize the helpdesk link to provide a web URL or mailto: address that users can use to get assistance. This option is under Password Reset > Customization > Custom helpdesk email or URL.

Customize the AD FS sign-in page for SSPR

Active Directory Federation Services (AD FS) administrators can add a link to their sign-in page by using the guidance found in the Add sign-in page description article.

To add a link to the AD FS sign-in page, use the following command on your AD FS server. Users can use this page to enter the SSPR workflow.

Set-ADFSGlobalWebContent -SigninPageDescriptionText "<p><A href=’https://passwordreset.microsoftonline.com’>Can’t access your account?</A></p>"

Customize the sign-in page and access panel look and feel

You can customize the sign-in page. You can add a logo that appears along with the image that fits your company branding.

The graphics you choose are shown in the following circumstances:

Graphics details

Use the following settings to change the visual characteristics of the sign-in page. Go to Azure Active Directory > Company branding > Edit company branding:

  • The sign-in page image should be a .png or .jpg file, 1420 x 1200 pixels, and no larger than 500 KB. For the best results, we recommend that you keep it around 200 KB.
  • The sign-in page background color is used on high-latency connections and must be in RGB hexadecimal format.
  • The banner image should be a .png or .jpg file, 60 x 280 pixels, and be no larger than 10 KB.
  • The square logo (normal and dark theme) should be a .png or .jpg file, 240 x 240 (resizable) pixels, and no larger than 10 KB.

Sign-in text options

Use the following settings to add text to the sign-in page that's relevant to your organization. Go to Azure Active Directory > Company branding > Edit company branding:

  • User name hint: Replaces the example text of someone@example.com with something more appropriate for your users. We recommended that you leave the default hint when you support internal and external users.
  • Sign-in page text: Can be a maximum of 256 characters in length. This text appears anywhere your users sign in online and in the Azure AD Workplace Join experience on Windows 10. Use this text for the terms of use, instructions, and tips for your users.

    Important

    Anyone can see your sign-in page, so don't provide any sensitive information here.

The "Keep me signed in disabled" setting

With the Keep me signed in disabled option, users can remain signed in when they close and reopen their browser window. This option does not impact the session lifetime. Go to Azure Active Directory > Company branding > Edit company branding.

Some features of SharePoint Online and Office 2010 have a dependency on users' ability to select this check box. If you hide this option, users can get additional and unexpected sign-in prompts.

Directory name

You can change the directory name attribute under Azure Active Directory > Properties. You can show a friendly organization name that is seen in the portal and in the automated communications. This option is the most visible in automated emails in the forms that follow:

  • The friendly name in the email, for example “Microsoft on behalf of CONTOSO demo”
  • The subject line in the email, for example “CONTOSO demo account email verification code”

Next steps