Licensing requirements for Azure Active Directory self-service password reset

To reduce help desk calls and loss of productivity when a user can't sign in to their device or an application, user accounts in Azure Active Directory (Azure AD) can be enabled for self-service password reset (SSPR). Features that make up SSPR include password change, reset, unlock, and writeback to an on-premises directory. Basic SSPR features are available in Microsoft 365 Business Standard or higher and all Azure AD Premium SKUs at no cost.

This article details the different ways that self-service password reset can be licensed and used. For specific details about pricing and billing, see the Azure AD pricing page.

Compare editions and features

The following table outlines the different SSPR scenarios for password change, reset, or on-premises writeback, and which SKUs provide the feature.

Feature Azure AD Free Microsoft 365 Business Standard Microsoft 365 Business Premium Azure AD Premium P1 or P2
Cloud-only user password change
When a user in Azure AD knows their password and wants to change it to something new.
Cloud-only user password reset
When a user in Azure AD has forgotten their password and needs to reset it.
Hybrid user password change or reset with on-prem writeback
When a user in Azure AD that's synchronized from an on-premises directory using Azure AD Connect wants to change or reset their password and also write the new password back to on-prem.


Standalone Microsoft 365 Basic and Standard licensing plans don't support SSPR with on-premises writeback. The on-premises writeback feature requires Azure AD Premium P1, Premium P2, or Microsoft 365 Business Premium.

For additional licensing information, including costs, see the following pages:

Next steps

To get started with SSPR, complete the following tutorial: