Licensing requirements for Azure AD self-service password reset

In order for Azure Active Directory (Azure AD) password reset to function, you must have at least one license assigned in your organization. We don't enforce per-user licensing on the password reset experience. To maintain compliance with your Microsoft licensing agreement, you need to assign licenses to any users that use premium features.

  • Cloud-only users: Office 365 any paid SKU, or Azure AD Basic
  • Cloud or on-premises users: Azure AD Premium P1 or P2, Enterprise Mobility + Security (EMS), or Secure Productive Enterprise (SPE)

Licenses required for password writeback

To use password writeback, you must have one of the following licenses assigned on your tenant:

  • Azure AD Premium P1
  • Azure AD Premium P2
  • Enterprise Mobility + Security E3
  • Enterprise Mobility + Security E5
  • Microsoft 365 (Plan E3)
  • Microsoft 365 (Plan E5)

Warning

Standalone Office 365 licensing plans don't support password writeback and require that you have one of the preceding plans for this functionality to work.

Additional licensing information, including costs, can be found on the following pages:

Enable group or user-based licensing

Azure AD now supports group-based licensing. Administrators can assign licenses in bulk to a group of users, rather than assigning them one at a time. For more information, see Assign, verify, and resolve problems with licenses.

Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator must specify the Usage location property on the user. Assignment of licenses can be done under the User > Profile > Settings section in the Azure portal. When you use group license assignment, any users without a usage location specified inherit the location of the directory.

Next steps