Reporting options for Azure AD password management

After deployment, many organizations want to know how or if self-service password reset (SSPR) is really being used. The reporting feature that Azure Active Directory (Azure AD) provides helps you answer questions by using prebuilt reports. If you're appropriately licensed, you can also create custom queries.

Reporting

The following questions can be answered by the reports that exist in the Azure portal:

  • How many people have registered for password reset?
  • Who has registered for password reset?
  • What data are people registering?
  • How many people reset their passwords in the last seven days?
  • What are the most common methods that users or admins use to reset their passwords?
  • What are common problems users or admins face when attempting to use password reset?
  • What admins are resetting their own passwords frequently?
  • Is there any suspicious activity going on with password reset?

Note

You must be a global administrator, and you must opt in to having this data gathered on behalf of your organization. To opt in, visit the Reporting tab or the audit logs at least once. Until then, data is not collected for your organization.

Power BI content pack

If you're a Power BI user, there is a content pack for Azure AD that includes easy-to-use reporting for SSPR. For more information on how to use and deploy the content pack, see How to use the Azure Active Directory Power BI content pack. With the content pack, you can create your own dashboards and share them with others in your organization.

How to view password management reports in the Azure portal

In the Azure portal experience, we have improved the way that you can view password reset and password reset registration activity. Use the following steps to find the password reset and password reset registration events:

  1. Browse to the Azure portal.
  2. Select All services in the left pane.
  3. Search for Azure Active Directory in the list of services and select it.
  4. Select Users and groups.
  5. Select Audit Logs from the Users and groups menu. This shows you all of the audit events that occurred against all the users in your directory. You can filter this view to see all the password-related events.
  6. To filter this view to see only the password-reset-related events, select the Filter button at the top of the pane.
  7. From the Filter menu, select the Category drop-down list, and change it to the Self-service Password Management category type.
  8. Optionally, further filter the list by choosing the specific Activity you're interested in.

How to retrieve password management events from the Azure AD Reports and Events API

The Azure AD Reports and Events API supports the retrieval of all the information included in password reset and password reset registration reports. By using this API, you can download individual password reset and password reset registration events and integrate them with the reporting technology of your choice.

How to get started with the reporting API

To access this data, you need to write a small application or script to retrieve it from our servers. For more information, see Get started with the Azure AD reporting API.

After you have a working script, you'll want to examine the password reset and registration events that you can retrieve to meet your scenarios.

Reporting API data retrieval limitations

Currently, the Azure AD Reports and Events API retrieves up to 75,000 individual events of the SsprActivityEvent and SsprRegistrationActivityEvent types. The API spans the last 30 days.

If you need to retrieve or store data beyond this window, we suggest persisting it in an external database by using the API to query the deltas that result. We recommend that you begin to retrieve this data when you start using SSPR in your organization. Persist it externally, and then continue to track the deltas from that point forward.
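The retention pattern described above, as an added example that is not part of the original article or of any Microsoft SDK: each pull from the reporting API is stored in a local SQLite table keyed by event id, the newest stored timestamp acts as the watermark for the next pull, and duplicate events that fall inside both the old and the new 30-day window are ignored. The two "pulls" are constructed sample batches, and the event property names (id, eventType, activityDateTime, actor, status) are assumptions for illustration, not the API's documented schema; the only real identifiers used are the two event types the page names.

```python
import json
import sqlite3
from typing import Dict, Iterable, List, Optional

# Constructed sample events standing in for two successive pulls from the
# reporting API (not real API output). Property names are assumptions.
BATCH_DAY_1: List[Dict[str, str]] = [
    {"id": "evt-0001", "eventType": "SsprRegistrationActivityEvent",
     "activity": "User registered for self-service password reset",
     "activityDateTime": "2019-03-01T08:00:00Z",
     "actor": "alice@contoso.example", "status": "Success"},
    {"id": "evt-0002", "eventType": "SsprActivityEvent",
     "activity": "Reset password (self-service)",
     "activityDateTime": "2019-03-01T09:15:00Z",
     "actor": "bob@contoso.example", "status": "Failure"},
    {"id": "evt-0003", "eventType": "SsprActivityEvent",
     "activity": "Reset password (self-service)",
     "activityDateTime": "2019-03-01T09:16:30Z",
     "actor": "bob@contoso.example", "status": "Success"},
]
BATCH_DAY_2: List[Dict[str, str]] = [
    BATCH_DAY_1[2],  # the API window still contains yesterday's last event
    {"id": "evt-0004", "eventType": "SsprActivityEvent",
     "activity": "Blocked from self-service password reset",
     "activityDateTime": "2019-03-02T07:40:00Z",
     "actor": "carol@contoso.example", "status": "Success"},
    {"id": "evt-0005", "eventType": "SsprActivityEvent",
     "activity": "Change password (self-service)",
     "activityDateTime": "2019-03-02T11:05:00Z",
     "actor": "dave@contoso.example", "status": "Success"},
]


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Create (or open) the external store. The event id is the primary key,
    so re-ingesting an overlapping window can never duplicate a row."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS sspr_events (
               event_id    TEXT PRIMARY KEY,
               event_type  TEXT NOT NULL,
               activity    TEXT NOT NULL,
               occurred_at TEXT NOT NULL,
               actor       TEXT NOT NULL,
               status      TEXT NOT NULL,
               raw_json    TEXT NOT NULL)"""
    )
    conn.execute("CREATE INDEX IF NOT EXISTS ix_sspr_time ON sspr_events(occurred_at)")
    return conn


def watermark(conn: sqlite3.Connection) -> Optional[str]:
    """Newest stored timestamp; None for an empty store. ISO-8601 UTC strings
    in one fixed format sort correctly as text."""
    return conn.execute("SELECT MAX(occurred_at) FROM sspr_events").fetchone()[0]


def select_delta(events: Iterable[Dict[str, str]], since: Optional[str]) -> List[Dict[str, str]]:
    """Keep events at or after the watermark. '>=' rather than '>' so that
    events sharing the watermark second are not lost; the primary key
    takes care of the ones already stored."""
    if since is None:
        return list(events)
    return [e for e in events if e["activityDateTime"] >= since]


def persist_events(conn: sqlite3.Connection, events: Iterable[Dict[str, str]]) -> int:
    """Insert events, ignoring ids already present. Returns rows actually added."""
    inserted = 0
    for e in events:
        cur = conn.execute(
            "INSERT OR IGNORE INTO sspr_events VALUES (?, ?, ?, ?, ?, ?, ?)",
            (e["id"], e["eventType"], e["activity"], e["activityDateTime"],
             e["actor"], e["status"], json.dumps(e, sort_keys=True)),
        )
        inserted += cur.rowcount  # 0 when the insert was ignored
    conn.commit()
    return inserted


def ingest(conn: sqlite3.Connection, pulled: Iterable[Dict[str, str]]) -> int:
    """One scheduled run: trim the pull to the delta, then persist it."""
    return persist_events(conn, select_delta(pulled, watermark(conn)))


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM sspr_events").fetchone()[0]


def run_demo():
    """Two runs on overlapping windows: 3 new rows, then 2 new rows, 5 total."""
    conn = open_store()
    first = ingest(conn, BATCH_DAY_1)
    second = ingest(conn, BATCH_DAY_2)
    return first, second, row_count(conn), watermark(conn)


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the `BATCH_*` lists are replaced by the page of events your script pulls from the API, and the watermark is the value you pass back to the API (or apply client-side, as here) to bound the next query; the table, not the API window, then becomes the long-term record.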

Description of the report columns in the Azure portal

The following list explains each of the report columns in the Azure portal in detail:

  • User: The user who attempted a password reset registration operation.
  • Role: The role of the user in the directory.
  • Date and Time: The date and time of the attempt.
  • Data Registered: The authentication data that the user provided during password reset registration.

Description of the report values in the Azure portal

The following list describes the values that each column can take in the Azure portal:

Column: Data registered

Permitted values and their meanings:

  • Alternate email: The user used an alternate email or authentication email to authenticate.
  • Office phone: The user used an office phone to authenticate.
  • Mobile phone: The user used a mobile phone or authentication phone to authenticate.
  • Security questions: The user used security questions to authenticate.
  • Any combination of the previous methods, for example, alternate email + mobile phone: Occurs when a two-gate policy is specified and shows which two methods the user used to authenticate their password reset request.

Self-Service Password Management activity types

The following activity types appear in the Self-Service Password Management audit event category:

Activity type: Blocked from self-service password reset

The following list explains this activity in detail:

  • Activity description: Indicates that a user tried to reset a password, use a specific gate, or validate a phone number more than five total times in 24 hours.
  • Activity actor: The user who was throttled from performing additional reset operations. The user can be an end user or an administrator.
  • Activity target: The user who was throttled from performing additional reset operations. The user can be an end user or an administrator.
  • Activity status:
    • Success: Indicates that a user was throttled from performing any additional resets, attempting any additional authentication methods, or validating any additional phone numbers for the next 24 hours.
  • Activity status failure reason: Not applicable.

Activity type: Change password (self-service)

The following list explains this activity in detail:

  • Activity description: Indicates that a user performed a voluntary or forced (due to expiry) password change.
  • Activity actor: The user who changed their password. The user can be an end user or an administrator.
  • Activity target: The user who changed their password. The user can be an end user or an administrator.
  • Activity statuses:
    • Success: Indicates that a user successfully changed their password.
    • Failure: Indicates that a user failed to change their password. You can select the row to see the Activity status reason category to learn more about why the failure occurred.
  • Activity status failure reason:
    • FuzzyPolicyViolationInvalidPassword: The user selected a password that was automatically banned because the Microsoft Banned Password Detection capabilities found it to be too common or especially weak.

Activity type: Reset password (by admin)

The following list explains this activity in detail:

  • Activity description: Indicates that an administrator performed a password reset on behalf of a user from the Azure portal.
  • Activity actor: The administrator who performed the password reset on behalf of another end user or administrator. Must be either a global administrator, password administrator, user administrator, or helpdesk administrator.
  • Activity target: The user whose password was reset. The user can be an end user or a different administrator.
  • Activity statuses:
    • Success: Indicates that an admin successfully reset a user's password.
    • Failure: Indicates that an admin failed to change a user's password. You can select the row to see the Activity status reason category to learn more about why the failure occurred.

Activity type: Reset password (self-service)

The following list explains this activity in detail:

  • Activity description: Indicates that a user successfully reset their password from the Azure AD password reset portal.
  • Activity actor: The user who reset their password. The user can be an end user or an administrator.
  • Activity target: The user who reset their password. The user can be an end user or an administrator.
  • Activity statuses:
    • Success: Indicates that a user successfully reset their own password.
    • Failure: Indicates that a user failed to reset their own password. You can select the row to see the Activity status reason category to learn more about why the failure occurred.
  • Activity status failure reason:
    • FuzzyPolicyViolationInvalidPassword: The user selected a password that was automatically banned because the Microsoft Banned Password Detection capabilities found it to be too common or especially weak.

Activity type: Self serve password reset flow activity progress

The following list explains this activity in detail:

  • Activity description: Indicates each specific step a user proceeds through (such as passing a specific password reset authentication gate) as part of the password reset process.
  • Activity actor: The user who performed part of the password reset flow. The user can be an end user or an administrator.
  • Activity target: The user who performed part of the password reset flow. The user can be an end user or an administrator.
  • Activity statuses:
    • Success: Indicates that a user successfully completed a specific step of the password reset flow.
    • Failure: Indicates that a specific step of the password reset flow failed. You can select the row to see the Activity status reason category to learn more about why the failure occurred.
  • Activity status reasons: See the following table for all the permissible reset activity status reasons.

Activity type: Unlock a user account (self-service)

The following list explains this activity in detail:

  • Activity description: Indicates that a user successfully unlocked their Active Directory account without resetting their password from the Azure AD password reset portal by using the Active Directory feature of account unlock without reset.
  • Activity actor: The user who unlocked their account without resetting their password. The user can be an end user or an administrator.
  • Activity target: The user who unlocked their account without resetting their password. The user can be an end user or an administrator.
  • Allowed activity statuses:
    • Success: Indicates that a user successfully unlocked their own account.
    • Failure: Indicates that a user failed to unlock their account. You can select the row to see the Activity status reason category to learn more about why the failure occurred.

Activity type: User registered for self-service password reset

The following list explains this activity in detail:

  • Activity description: Indicates that a user has registered all the required information to be able to reset their password in accordance with the currently specified tenant password reset policy.
  • Activity actor: The user who registered for password reset. The user can be an end user or an administrator.
  • Activity target: The user who registered for password reset. The user can be an end user or an administrator.
  • Allowed activity statuses:
    • Success: Indicates that a user successfully registered for password reset in accordance with the current policy.
    • Failure: Indicates that a user failed to register for password reset. You can select the row to see the Activity status reason category to learn more about why the failure occurred.

      Note

      Failure doesn't mean a user is unable to reset their own password. It means that they didn't finish the registration process. If their account holds correct but unverified data, such as a phone number that has not been validated, they can still use that data to reset their password. For more information, see What happens when a user registers?.
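The activity types above are what a defender actually works with once the audit events are exported. The following is an added example, not code from the article or from Microsoft, that runs three of the questions from the Reporting section over a handful of constructed audit rows: which users have been throttled (a successful "Blocked from self-service password reset" event), who keeps hitting the banned-password list (FuzzyPolicyViolationInvalidPassword failures), and which administrators reset their own password unusually often (a sliding seven-day window over "Reset password (self-service)" successes). The row layout (time, activity, actor, role, status, reason) mirrors the columns the page describes but is an assumption about how you would flatten the export; the activity names, status values and failure reason are the ones the page lists.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed audit rows (not real tenant data). Column layout is assumed;
# activity names, statuses and the failure reason come from the page.
AUDIT_ROWS: List[Dict[str, str]] = [
    {"time": "2019-03-02T07:40:00Z", "activity": "Blocked from self-service password reset",
     "actor": "carol@contoso.example", "role": "User", "status": "Success", "reason": ""},
    {"time": "2019-03-02T08:02:00Z", "activity": "Change password (self-service)",
     "actor": "dave@contoso.example", "role": "User", "status": "Failure",
     "reason": "FuzzyPolicyViolationInvalidPassword"},
    {"time": "2019-03-02T08:03:10Z", "activity": "Change password (self-service)",
     "actor": "dave@contoso.example", "role": "User", "status": "Failure",
     "reason": "FuzzyPolicyViolationInvalidPassword"},
    {"time": "2019-03-02T08:04:00Z", "activity": "Change password (self-service)",
     "actor": "dave@contoso.example", "role": "User", "status": "Success", "reason": ""},
    {"time": "2019-03-01T10:00:00Z", "activity": "Reset password (self-service)",
     "actor": "admin1@contoso.example", "role": "Global administrator", "status": "Success", "reason": ""},
    {"time": "2019-03-03T10:00:00Z", "activity": "Reset password (self-service)",
     "actor": "admin1@contoso.example", "role": "Global administrator", "status": "Success", "reason": ""},
    {"time": "2019-03-05T10:00:00Z", "activity": "Reset password (self-service)",
     "actor": "admin1@contoso.example", "role": "Global administrator", "status": "Success", "reason": ""},
    {"time": "2019-03-04T12:00:00Z", "activity": "Reset password (self-service)",
     "actor": "erin@contoso.example", "role": "User", "status": "Success", "reason": ""},
    {"time": "2019-02-01T12:00:00Z", "activity": "Reset password (self-service)",
     "actor": "admin2@contoso.example", "role": "Helpdesk administrator", "status": "Success", "reason": ""},
    {"time": "2019-03-05T12:00:00Z", "activity": "Reset password (self-service)",
     "actor": "admin2@contoso.example", "role": "Helpdesk administrator", "status": "Success", "reason": ""},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def throttled_users(rows: List[Dict[str, str]]) -> Set[str]:
    """Actors the service blocked for 24 hours after more than five attempts."""
    return {r["actor"] for r in rows
            if r["activity"] == "Blocked from self-service password reset"
            and r["status"] == "Success"}


def banned_password_hits(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """How often each actor chose a password rejected by banned-password detection."""
    return dict(Counter(r["actor"] for r in rows
                        if r["status"] == "Failure"
                        and r["reason"] == "FuzzyPolicyViolationInvalidPassword"))


def frequent_admin_self_resets(rows: List[Dict[str, str]], threshold: int = 3,
                               window: timedelta = timedelta(days=7)) -> Dict[str, int]:
    """Administrators with >= threshold successful self-service resets inside any
    sliding window of the given length. Returns actor -> peak count in a window."""
    by_admin: Dict[str, List[datetime]] = defaultdict(list)
    for r in rows:
        if (r["activity"] == "Reset password (self-service)" and r["status"] == "Success"
                and "administrator" in r["role"].lower()):
            by_admin[r["actor"]].append(parse_time(r["time"]))
    flagged: Dict[str, int] = {}
    for actor, times in by_admin.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            # advance the window start until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


def summarize(rows: List[Dict[str, str]]) -> Dict[str, object]:
    return {
        "throttled": sorted(throttled_users(rows)),
        "banned_password_hits": banned_password_hits(rows),
        "frequent_admin_self_resets": frequent_admin_self_resets(rows),
    }


if __name__ == "__main__":
    print(summarize(AUDIT_ROWS))
```

The sliding window is what separates "three resets in a week" (worth a look) from "three resets in a year" (routine): admin1 is flagged, while admin2, with two resets a month apart, is not. Tune `threshold` and `window` to the tenant's normal cadence before alerting on the result.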

Next steps