Customize the Azure AD functionality for self-service password reset
IT professionals who want to deploy self-service password reset (SSPR) in Azure Active Directory (Azure AD) can customize the experience to match their users' needs.
Customize the "Contact your administrator" link
Even if SSPR is not enabled, users still have a "Contact your administrator" link on the password reset portal. If a user selects this link, it either:
- Emails your administrators and asks them for assistance in changing the user's password.
- Sends your users to a URL that you specify for assistance.
We recommend that you set this contact to something like an email address or website that your users already use for support questions.
The contact email is sent to the following recipients in the following order:
- If the password administrator role is assigned, administrators with this role are notified.
- If no password administrators are assigned, then administrators with the user administrator role are notified.
- If neither of the previous roles are assigned, then the global administrators are notified.
In all cases, a maximum of 100 recipients are notified.
To find out more about the different administrator roles and how to assign them, see Assigning administrator roles in Azure Active Directory.
Disable "Contact your administrator" emails
If your organization does not want to notify administrators about password reset requests, enable the following configuration:
- Enable self-service password reset for all end users. This option is under Password Reset > Properties. If you don't want users to reset their own passwords, you can instead scope access to an empty group; we don't recommend this option.
- Customize the helpdesk link to provide a web URL or mailto: address that users can use to get assistance. This option is under Password Reset > Customization > Custom helpdesk email or URL. With both settings in place, the "Contact your administrator" link sends users to that address instead of emailing your administrators.
Customize the AD FS sign-in page for SSPR
Active Directory Federation Services (AD FS) administrators can add a link to their sign-in page by using the guidance found in the Add sign-in page description article.
To add a link to the AD FS sign-in page, use the following command on your AD FS server. Users can use this page to enter the SSPR workflow.
Set-ADFSGlobalWebContent -SigninPageDescriptionText "<p><A href='https://passwordreset.microsoftonline.com'>Can't access your account?</A></p>"
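The following is an added example, not code from the original article or from Microsoft: it sets the link for the default locale and for one additional locale, then reads the configuration back and checks that every href in the rendered description is the expected HTTPS URL. It assumes an elevated session on the primary AD FS server with the ADFS module available; the de-DE locale and its link text are assumptions for illustration.

```powershell
# Added example (not from the original article): publish the SSPR link on the AD FS sign-in
# page and verify what AD FS will actually render. Run as an AD FS administrator on the
# primary AD FS server.
Import-Module ADFS

$ssprUrl  = 'https://passwordreset.microsoftonline.com'
$linkText = "Can't access your account?"

# The description is rendered as HTML on a page every visitor can see. Keep it static and
# built only from values you control; never assemble it from user-supplied input.
$description = "<p><a href='$ssprUrl'>$linkText</a></p>"

# Default entry (used when no locale-specific content exists) plus one locale (assumed).
Set-AdfsGlobalWebContent -SignInPageDescriptionText $description
Set-AdfsGlobalWebContent -Locale 'de-DE' -SignInPageDescriptionText "<p><a href='$ssprUrl'>Kein Zugriff auf Ihr Konto?</a></p>"

function Test-SsprLink {
    # Returns $true only if the HTML fragment contains at least one href and every href
    # is exactly the expected URL (catches typos, http:// downgrades and stray links).
    param(
        [Parameter(Mandatory)][string]$Html,
        [Parameter(Mandatory)][string]$ExpectedUrl
    )
    $hrefs = [regex]::Matches($Html, 'href=[''"]([^''"]+)[''"]') | ForEach-Object { $_.Groups[1].Value }
    if ($hrefs.Count -eq 0) { return $false }
    foreach ($h in $hrefs) {
        if ($h -ne $ExpectedUrl) { return $false }
    }
    return $true
}

# Read back every locale entry and report whether the link is what we intended.
foreach ($content in Get-AdfsGlobalWebContent) {
    $locale = "$($content.Locale)"
    if (-not $locale) { $locale = '(default)' }
    $ok = Test-SsprLink -Html $content.SignInPageDescriptionText -ExpectedUrl $ssprUrl
    '{0,-10} {1}' -f $locale, $(if ($ok) { 'OK' } else { 'UNEXPECTED LINK' })
}
```

Because the sign-in page description is raw HTML served to unauthenticated users, the read-back check is worth keeping in your change procedure: it confirms the farm is advertising only the password reset URL you chose and not something left over from an earlier edit.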
Customize the sign-in page and access panel look and feel
You can customize the sign-in page by adding a logo and a background image that fit your company branding.
The graphics you choose are shown in the following circumstances:
- After a user enters their username
- If the user accesses the customized URL:
- By passing the whr parameter to the password reset page, like "https://login.microsoftonline.com/?whr=contoso.com"
- By passing the username parameter to the password reset page, like "https://login.microsoftonline.com/?username=user@contoso.com"
Use the following settings to change the visual characteristics of the sign-in page. Go to Azure Active Directory > Company branding > Edit company branding:
- The sign-in page image should be a .png or .jpg file, 1420 x 1200 pixels, and no larger than 500 KB. For the best results, we recommend that you keep it around 200 KB.
- The sign-in page background color is used on high-latency connections and must be in RGB hexadecimal format.
- The banner image should be a .png or .jpg file, 60 x 280 pixels, and be no larger than 10 KB.
- The square logo (normal and dark theme) should be a .png or .jpg file, 240 x 240 (resizable) pixels, and no larger than 10 KB.
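As an added example (not part of the original article), the script below checks branding assets locally against the limits listed above before you upload them through the portal, and validates the background color format. It assumes Windows PowerShell with System.Drawing available; the file paths and the sample color at the end are placeholders.

```powershell
# Added example (not from the original article): pre-flight check of company-branding assets
# against the limits stated on this page. Paths below are placeholders.
Add-Type -AssemblyName System.Drawing

# Expected width x height in pixels, maximum file size, and whether the portal resizes the image.
$limits = @{
    'SignInPageImage' = @{ Width = 1420; Height = 1200; MaxBytes = 500KB; Recommended = 200KB; Resizable = $false }
    'BannerImage'     = @{ Width = 60;   Height = 280;  MaxBytes = 10KB;  Resizable = $false }
    'SquareLogo'      = @{ Width = 240;  Height = 240;  MaxBytes = 10KB;  Resizable = $true }
    'SquareLogoDark'  = @{ Width = 240;  Height = 240;  MaxBytes = 10KB;  Resizable = $true }
}

function Test-BrandingAsset {
    # Returns an object with Ok = $true when the file meets every limit, otherwise the list of problems.
    param(
        [Parameter(Mandatory)][ValidateSet('SignInPageImage','BannerImage','SquareLogo','SquareLogoDark')][string]$Kind,
        [Parameter(Mandatory)][string]$Path
    )
    $limit = $limits[$Kind]
    $problems = @()
    $file = Get-Item -LiteralPath $Path

    if ($file.Extension -notin '.png', '.jpg', '.jpeg') {
        $problems += "extension '$($file.Extension)' is not .png or .jpg"
    }
    if ($file.Length -gt $limit.MaxBytes) {
        $problems += "size $($file.Length) bytes exceeds the $($limit.MaxBytes) byte limit"
    } elseif ($limit.Recommended -and $file.Length -gt $limit.Recommended) {
        $problems += "size $($file.Length) bytes is above the recommended $($limit.Recommended) bytes"
    }

    $img = [System.Drawing.Image]::FromFile($file.FullName)
    try {
        $tooBig  = ($img.Width -gt $limit.Width) -or ($img.Height -gt $limit.Height)
        $notExact = ($img.Width -ne $limit.Width) -or ($img.Height -ne $limit.Height)
        # Resizable assets only need to fit within the expected box; the others must match exactly.
        if (($limit.Resizable -and $tooBig) -or (-not $limit.Resizable -and $notExact)) {
            $problems += "dimensions $($img.Width)x$($img.Height) do not meet expected $($limit.Width)x$($limit.Height)"
        }
    } finally {
        $img.Dispose()
    }

    [pscustomobject]@{ Kind = $Kind; Path = $file.FullName; Ok = ($problems.Count -eq 0); Problems = $problems }
}

function Test-BackgroundColor {
    # The background color must be RGB hexadecimal, e.g. #FFFFFF; the leading # is optional here.
    param([Parameter(Mandatory)][string]$Color)
    return $Color -match '^#?[0-9A-Fa-f]{6}$'
}

# Usage with placeholder paths and a sample color:
Test-BrandingAsset -Kind SignInPageImage -Path 'C:\branding\signin.png'
Test-BrandingAsset -Kind BannerImage     -Path 'C:\branding\banner.png'
Test-BrandingAsset -Kind SquareLogo      -Path 'C:\branding\logo.png'
Test-BackgroundColor -Color '#FFFFFF'
```

Running this before the upload avoids the portal rejecting an asset after you have already started the change, and keeps the sign-in page image under the recommended size so the page still loads quickly on slow connections.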
Sign-in text options
Use the following settings to add text to the sign-in page that's relevant to your organization. Go to Azure Active Directory > Company branding > Edit company branding:
- User name hint: Replaces the example text of email@example.com with something more appropriate for your users. We recommend that you leave the default hint when you support both internal and external users.
Anyone can see your sign-in page, so don't provide any sensitive information here.
The "Keep me signed in disabled" setting
The Keep me signed in check box lets users remain signed in after they close and reopen their browser window; the Keep me signed in disabled option hides that check box. This option does not change the session lifetime. Go to Azure Active Directory > Company branding > Edit company branding.
Some features of SharePoint Online and Office 2010 have a dependency on users' ability to select this check box. If you hide this option, users can get additional and unexpected sign-in prompts.
You can change the directory name under Azure Active Directory > Properties to show a friendly organization name in the portal and in automated communications. The name is most visible in automated emails, in forms such as the following:
- The friendly name in the email, for example “Microsoft on behalf of CONTOSO demo”
- The subject line in the email, for example “CONTOSO demo account email verification code”
- How do I complete a successful rollout of SSPR?
- Reset or change your password
- Register for self-service password reset
- Do you have a licensing question?
- What data is used by SSPR and what data should you populate for your users?
- What authentication methods are available to users?
- What are the policy options with SSPR?
- What is password writeback and why do I care about it?
- How do I report on activity in SSPR?
- What are all of the options in SSPR and what do they mean?
- I think something is broken. How do I troubleshoot SSPR?
- I have a question that was not covered somewhere else