BLOG Published on 2016/08/20 by Asitha De Silva in Tech-Tips

Configuring Password Reset – Azure AD / Office 365

User password reset is a feature in both Azure Active Directory Basic and Azure Active Directory Premium. It enables users to unlock or reset their password when they have forgotten or lost it. Azure AD Premium users can also synchronize their new password to on-premises Active Directory with password write-back.


When users are enabled to use password reset, they first have to register themselves for the following authentication methods. The administrator can define which method or methods are used to authenticate a user for password reset.


  • Office Phone
  • Mobile Phone
  • Alternate Email Address
  • Security Questions


Office phone is a property that holds a phone number specific to the relevant user. It has to be set by the administrator, either from the Office 365 portal or from on-premises Active Directory when Azure AD sync is implemented. Users cannot change this property, so your organization has more control over it.

Mobile phone can also be set from the portal or from on-premises Active Directory, but users can change this value when registering for password reset; they can register their personal number here. Both office phone and mobile phone can be used to authenticate users when they reset their password. The Microsoft authentication center will send a text with a PIN code or place an automated call asking the user to press the # sign. It's a really fast and secure way to authenticate users when they are resetting their passwords.

Note: Office phone is synced from the Telephone Number attribute and Mobile Phone is synced from the Mobile attribute in on-premises Active Directory if AD Sync is configured.
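The attribute mapping in the note above can be checked before the policy is enabled. The following PowerShell is an added example, not part of the original post: it reports which accounts have usable values in telephoneNumber (Office Phone) and mobile (Mobile Phone). The function name Get-ResetPhoneReadiness, the sample accounts and the "+country-code number" format check are assumptions made for illustration.

```powershell
# Added example (not from the original post).
# telephoneNumber -> Office Phone (set by the administrator only)
# mobile          -> Mobile Phone (the user can change it when registering)

function Get-ResetPhoneReadiness {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # Assumed format for a usable number: "+<country code> <number>", e.g. "+94 112345678".
        $pattern = '^\+\d{1,3} \d{4,14}$'
        $office  = [string]$User.telephoneNumber
        $mobile  = [string]$User.mobile
        $officeOk = $office -match $pattern
        $mobileOk = $mobile -match $pattern

        $status = if ($officeOk -and $mobileOk) { 'Both' }
                  elseif ($officeOk)            { 'OfficeOnly' }
                  elseif ($mobileOk)            { 'MobileOnly' }   # only a user-changeable number
                  elseif ($office -or $mobile)  { 'BadFormat' }    # a value exists but is unusable
                  else                          { 'None' }         # nothing will be synced

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            OfficePhone    = $office
            MobilePhone    = $mobile
            Status         = $status
        }
    }
}

# Constructed sample accounts so the function can be tried without a directory.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; telephoneNumber = '+94 112345678'; mobile = '+94 771234567' }
    [pscustomobject]@{ SamAccountName = 'bob';   telephoneNumber = $null;           mobile = '+94 771234568' }
    [pscustomobject]@{ SamAccountName = 'carol'; telephoneNumber = '0112345679';    mobile = $null }
    [pscustomobject]@{ SamAccountName = 'dave';  telephoneNumber = $null;           mobile = $null }
)
$sample | Get-ResetPhoneReadiness | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties telephoneNumber, mobile |
#     Get-ResetPhoneReadiness | Where-Object Status -ne 'Both'
```

Accounts reported as MobileOnly rely on a value the user can change, while BadFormat and None accounts will have no administrator-supplied phone number available after the sync.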

An alternate email address is an email address other than the user's account; it can be a private email account, and users can add it themselves. Security questions have to be defined from the Azure portal; you can select the default questions or add custom questions. It's highly recommended to add more than 3 questions.


When using Azure Active Directory Basic, password reset works only with Azure Active Directory. It will not sync the changed password back to on-premises Active Directory, because the password write-back feature is only available with Azure AD Premium. So there is no point in using password reset when you are using Azure AD sync with password sync or ADFS on Azure AD Basic, because the next sync will change the password back to the one in on-premises Active Directory. But if you are not syncing passwords, which means the Office 365 credentials are different from those in the local Active Directory, you can use the password reset feature with Azure Active Directory Basic.


Configuring Password Reset


  1. Log in to the Azure portal (http://manage.windowsazure.com) and open the Azure Active Directory tab
  2. Select the Active Directory


  3. Go to the Configure tab


  4. Click YES for the User password reset policy; you will see that a number of options are available to configure


  5. Select the authentication methods; you can choose the number of authentication methods and the number of questions required.
  6. If you tick YES to require users to register when signing in, users will be prompted to register for password sync while setting their authentication methods.


  7. If you want to test the registration without enabling all users to register, you can ask users to go to the following URL to register for password reset.
    http://aka.ms/ssprsetup


  8. You can customize the support contact email on the self-service portal with the following option.


  9. If the password write-back feature is configured in AAD sync, it will be displayed as configured. This is for AD Premium only.

 

Registering to Password Reset

As I mentioned earlier, the administrator can require users to register for password reset when they first log in to the portal, or registration can be accessed individually at this URL (http://aka.ms/ssprsetup). When registering, users have to provide their credentials and fill in the requested authentication methods.


Reset Password

  1. To reset a forgotten password, users have to click the Can’t access your account link under the sign-in button. It will redirect to the password reset portal


  2. After re-entering the credentials, the page will redirect to the authentication page


  3. Enter the information for the predefined authentication methods. If it’s mobile phone, you can select call or text. If you select text, a PIN code will be sent to your mobile phone as an SMS. If it’s a call, an automated call will be generated and you have to press # to confirm.



  4. After all authentication methods are verified, the user will be prompted to set a new password for the account


 

So that’s it; see how easy it is to configure this feature.

Hope this post is useful

Thanks

Asitha De Silva

 

 















Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.
