Password Protection & Self-Service Reset
Passwords aren't going away tomorrow. Learn how Entra ID protects them with banned password lists, smart lockout, self-service reset, and password writeback.
Why password protection still matters
Even if the world is moving to passwordless, most people still have a password today. We need to make those passwords as strong as possible.
Think of it like seatbelts and airbags. Self-driving cars are the future, but right now most people still drive manually — so we still need seatbelts. Password protection is the seatbelt for the password era.
Entra ID does three smart things: it bans common weak passwords (like “Password123”), it locks out attackers who try too many guesses, and it lets users reset their own forgotten passwords without calling the helpdesk.
Self-service password reset (SSPR)
The problem: Raj’s helpdesk at Lakewood University gets hundreds of “I forgot my password” calls every month. Each one takes 5-10 minutes. That’s hours of helpdesk time spent on something users could do themselves.
The solution: Self-service password reset (SSPR) lets users reset their own password through a secure web portal — without calling IT.
How SSPR works
- The user goes to the password reset portal (or clicks “Forgot my password” on the sign-in page)
- They verify their identity using one or more authentication methods (Authenticator app, phone, email, security questions)
- They choose a new password
- The password is updated — and if password writeback is enabled, it flows back to on-prem AD too
Who can use SSPR?
| Entra ID Edition | SSPR Availability |
|---|---|
| Free | Cloud-only admin accounts only |
| P1 or P2 | All users, including hybrid (synced) users |
| Microsoft 365 Business Premium | All users |
Scenario: Raj enables SSPR at Lakewood
Raj enables SSPR for all staff and students. He allows two authentication methods, Authenticator app and phone number, and requires users to verify with both before a reset goes through.
Monday morning, Professor Chen forgets his password (again). Instead of calling the helpdesk and waiting on hold, he visits the reset portal, approves the Authenticator app prompt, enters the code texted to his phone, and sets a new password. Total time: 2 minutes.
Raj checks the stats after one month: helpdesk password reset tickets dropped by 70 percent. He finally has time to work on actual projects.
Password protection
Even with SSPR, users will pick weak passwords if you let them. Entra ID password protection prevents this with two layers:
Global banned password list
Microsoft maintains a global banned password list that’s updated constantly. It contains thousands of commonly used weak passwords and their variations. This list is applied automatically to every Entra ID tenant — you don’t need to configure anything.
The clever part: it doesn’t just block exact matches. A candidate password is first normalised (lower-cased, with common substitutions such as 0 for o, 1 for l, $ for s and @ for a undone), then compared with the banned terms using fuzzy matching that tolerates an edit distance of one. If “password” is banned, then “P@ssw0rd”, “passw0rd!”, and “Pa$$word123” all normalise to something containing “password” and are blocked.
Custom banned password list
On top of the global list, you can add your own organisation-specific terms. For example, Lakewood University might ban:
- “Lakewood”
- “Wolverines” (the university mascot)
- “LU2025”
- Building names, campus terms, and other easily guessable words
Key exam concept: The global banned password list works automatically. The custom banned password list requires Entra ID P1 or P2. Both use fuzzy matching — users can’t bypass them with simple character substitutions.
| Feature | Global Banned Password List | Custom Banned Password List |
|---|---|---|
| Managed by | Microsoft (automatically updated) | Your organisation's admin |
| What it blocks | Common weak passwords and variations | Organisation-specific terms and their variations |
| Licence required | Free for cloud-only users (synced users require P1/P2) | Entra ID P1 or P2 |
| Configuration needed | None — enabled by default | Admin adds terms in Entra ID portal |
| Fuzzy matching | Yes — catches P@ssw0rd variations | Yes — same normalisation algorithm |
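To make the normalisation and fuzzy matching concrete, here is an added example in Python. It is not Microsoft's code and not part of the original page; it approximates the algorithm as Microsoft documents it: normalise, find banned terms (exact or within edit distance one), then score the password, giving one point per banned term found and one point per remaining character, with fewer than five points rejected. The global list entries below are constructed stand-ins, the custom list is Lakewood's from the page, and `extra_terms` models the user's name and tenant name, which Entra also checks.

```python
# Added example (not Microsoft's code): an approximation of the documented
# Entra ID password-protection algorithm. Assumptions are marked inline.

# Substitutions that normalisation undoes before matching.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed stand-ins for the Microsoft-managed global list.
GLOBAL_BANNED = ["password", "contoso", "blank", "qwerty", "letmein"]
# Lakewood University's custom list from the page.
CUSTOM_BANNED = ["lakewood", "wolverines", "lu2025"]

MIN_SCORE = 5  # documented threshold: fewer than 5 points is rejected


def normalise(password: str) -> str:
    """Lower-case and undo common leetspeak substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the fuzzy (distance <= 1) match."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_banned_terms(norm: str, banned: list[str]) -> list[tuple[int, int, str]]:
    """Greedy left-to-right scan (an assumption; the real scan order is not
    published). At each position take the banned term matching with the
    smallest edit distance (exact beats fuzzy), longest on ties.
    Returns (start, end, term) spans; characters outside spans are 'remaining'."""
    spans = []
    i = 0
    while i < len(norm):
        best = None  # (distance, -length, term)
        for term in banned:
            for length in (len(term) - 1, len(term), len(term) + 1):
                if length <= 0 or i + length > len(norm):
                    continue
                dist = edit_distance(norm[i:i + length], term)
                if dist <= 1 and (best is None or (dist, -length) < best[:2]):
                    best = (dist, -length, term)
        if best is None:
            i += 1
        else:
            length = -best[1]
            spans.append((i, i + length, best[2]))
            i += length
    return spans


def evaluate(password: str, extra_terms: tuple[str, ...] = ()) -> tuple[bool, int, list[str]]:
    """Return (accepted, score, matched_terms). extra_terms models the user's
    first/last name and the tenant name, which Entra also checks."""
    norm = normalise(password)
    banned = GLOBAL_BANNED + CUSTOM_BANNED + [normalise(t) for t in extra_terms]
    spans = find_banned_terms(norm, banned)
    covered = sum(end - start for start, end, _ in spans)
    # One point per banned term found, one point per character not in a banned term.
    score = len(spans) + (len(norm) - covered)
    return score >= MIN_SCORE, score, [term for _, _, term in spans]


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Pa$$word123", "C0ntos0Blank12",
                      "ContoS0Bl@nkf9!", "W0lverines!", "Lakewood2025!"]:
        accepted, score, terms = evaluate(candidate)
        verdict = "accept" if accepted else "REJECT"
        print(f"{candidate:18} -> {verdict} (score {score}, matched {terms})")
```

The scoring is the practitioner's caveat: a banned term is not an absolute block, it simply collapses to one point. “Lakewood2025!” still passes with six points (“lakewood” plus five other characters), which is why the custom list is a complement to minimum length and MFA rather than a substitute for them.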
Smart lockout
Smart lockout protects accounts from brute-force attacks — where an attacker tries thousands of password combinations.
How it works
After a certain number of failed sign-in attempts, the account is temporarily locked. In the Azure public cloud the default is 10 failed attempts and an initial lockout of 60 seconds, with later lockouts lasting longer; the threshold and duration can be customised with Entra ID P1 or P2. But here’s the smart part, which is in how the failures are counted:
- Familiar and unfamiliar locations are tracked separately. Failures from the user’s usual device and network (probably a typo) and failures from a location the account has never signed in from (probably an attacker) each have their own counter and their own lockout.
- Repeating the same wrong password doesn’t count extra. Smart lockout remembers the last three bad password hashes, so a user who retypes the same mistaken password is not pushed towards lockout.
- An attacker’s lockout shouldn’t lock out the real user. Because the counters are separate, a lockout triggered from an unfamiliar location leaves sign-ins from the familiar location working. Microsoft doesn’t guarantee that a legitimate user is never locked out, so treat this as protection rather than a promise.
Hybrid caveat: with pass-through authentication or password hash sync, set the cloud lockout threshold lower than the on-prem AD threshold and the cloud lockout duration longer than AD’s reset-counter window, so Entra locks an attacker out first and the cloud sign-in page can’t be used to lock the on-prem account.
Key exam concept: Smart lockout uses intelligence to distinguish between legitimate users making mistakes and attackers trying to brute-force accounts. It doesn’t just count failures — it considers the context.
Scenario: smart lockout protects Sam's account
An attacker in another country gets a list of email addresses from a data breach and starts trying common passwords against BrightStar accounts.
After the threshold of failed attempts from an unfamiliar IP address, smart lockout locks the account for sign-ins from that location. Meanwhile, Sam himself can still sign in normally from his usual store location, because failures from familiar and unfamiliar locations are counted separately: smart lockout doesn’t block HIM just because an attacker was trying elsewhere.
Tina’s account was targeted too, but she never notices — smart lockout handled it silently in the background.
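The behaviour in this scenario, as an added example in Python that is not Microsoft's implementation: a small model of smart lockout using the documented public-cloud defaults (10 failures, 60-second initial lockout), separate counters for familiar and unfamiliar locations, and the last-three-bad-hashes rule. The IP addresses, password and spray list are constructed; the schedule by which later lockouts grow is an assumption, since Microsoft does not publish it.

```python
# Added example (not Microsoft's code): a model of Entra ID smart lockout.
# Assumptions: defaults of 10 failures / 60 s, per-location-class counters,
# last three bad password hashes remembered, lockouts growing linearly.
import hashlib
from collections import deque

LOCKOUT_THRESHOLD = 10   # Azure public cloud default; customisable with P1/P2
LOCKOUT_SECONDS = 60     # initial lockout; later lockouts last longer
FAMILIAR = "familiar"
UNFAMILIAR = "unfamiliar"


class SmartLockout:
    """Sign-in gate for one account, keeping separate state per location class."""

    def __init__(self, correct_password: str, familiar_ips: set[str]):
        self._correct = correct_password
        self._familiar_ips = set(familiar_ips)
        self._failures = {FAMILIAR: 0, UNFAMILIAR: 0}
        self._locked_until = {FAMILIAR: 0.0, UNFAMILIAR: 0.0}
        self._lockouts = {FAMILIAR: 0, UNFAMILIAR: 0}
        # Last three bad password hashes per location class.
        self._recent_bad = {FAMILIAR: deque(maxlen=3), UNFAMILIAR: deque(maxlen=3)}

    def _location(self, ip: str) -> str:
        return FAMILIAR if ip in self._familiar_ips else UNFAMILIAR

    def failure_count(self, ip: str) -> int:
        return self._failures[self._location(ip)]

    def attempt(self, ip: str, password: str, now: float) -> str:
        """Process one sign-in attempt; return 'success', 'failure' or 'locked'."""
        loc = self._location(ip)
        if now < self._locked_until[loc]:
            return "locked"
        if password == self._correct:
            self._failures[loc] = 0
            self._recent_bad[loc].clear()
            return "success"
        bad_hash = hashlib.sha256(password.encode()).hexdigest()
        if bad_hash in self._recent_bad[loc]:
            return "failure"  # same wrong password again: counter not incremented
        self._recent_bad[loc].append(bad_hash)
        self._failures[loc] += 1
        if self._failures[loc] >= LOCKOUT_THRESHOLD:
            self._lockouts[loc] += 1
            # Assumption: each successive lockout is one interval longer.
            self._locked_until[loc] = now + LOCKOUT_SECONDS * self._lockouts[loc]
            self._failures[loc] = 0
            return "locked"
        return "failure"


def simulate_spray(familiar_ip: str = "203.0.113.10",
                   attacker_ip: str = "198.51.100.7") -> tuple[list[str], str]:
    """Constructed scenario: 12 distinct guesses from an unfamiliar IP, one
    second apart, then the real user signing in from the familiar store IP."""
    account = SmartLockout("Correct-Horse-Battery", familiar_ips={familiar_ip})
    attacker_results = [account.attempt(attacker_ip, f"Summer2024!{n}", now=float(n))
                        for n in range(12)]
    owner_result = account.attempt(familiar_ip, "Correct-Horse-Battery", now=12.0)
    return attacker_results, owner_result


if __name__ == "__main__":
    spray, owner = simulate_spray()
    print("attacker:", spray)   # nine failures, then locked
    print("owner:", owner)      # success from the familiar location
```

Two things to read off the model: the tenth distinct guess locks the unfamiliar location while Sam's familiar-location counter is untouched, and a user who retypes the same wrong password five times only consumes one of the ten attempts.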
Password writeback
Password writeback solves a specific hybrid identity problem: when a user resets their password in the cloud (via SSPR), how does on-prem Active Directory know about it?
The problem without writeback
- User resets password in the cloud via SSPR
- Cloud password updates successfully
- On-prem AD still has the OLD password
- User can’t sign into on-prem resources (file servers, printers, VPN)
- User calls helpdesk anyway — defeating the purpose of SSPR
How writeback fixes it
With password writeback enabled in Microsoft Entra Connect Sync (Entra Cloud Sync also supports it), cloud password changes are written back to on-premises Active Directory in near real time, so the user’s password is the same everywhere. The on-prem AD password policy (length, complexity, history) is still enforced on the new password, and the Entra Connect service account needs permission to reset passwords in AD.
Requirement: Password writeback needs an Entra ID P1 or P2 licence (the SSPR licence) and Microsoft Entra Connect Sync or Entra Cloud Sync.
Exam tip: writeback is cloud-to-on-prem
Don’t confuse the direction. Entra Connect syncs identities from on-prem to cloud. Password writeback sends password changes from cloud back to on-prem. They work in opposite directions.
If an exam question asks “How do cloud password changes reach on-prem AD?” — the answer is password writeback via Entra Connect.
Combined registration
Combined registration is a single registration experience where users set up both MFA methods and SSPR methods at the same time.
Without combined registration: Users go through one wizard to set up MFA, and a separate wizard to set up SSPR recovery methods. It’s confusing and often means they only complete one of them.
With combined registration: One unified page at https://aka.ms/mysecurityinfo where users register their phone, Authenticator app, and other methods — all at once. These methods work for both MFA prompts and password resets.
Key exam concept: Combined registration means one registration process for both MFA and SSPR. It reduces user confusion and is the default experience in Entra ID; the legacy separate registration pages have been retired.
Putting it all together
Here’s how all these features work as a system:
| Feature | What It Does | Licence Required |
|---|---|---|
| SSPR | Users reset their own passwords | Free (cloud-only admins) or P1/P2 or Business Premium (all users) |
| Global banned passwords | Blocks known weak passwords automatically | Free (cloud-only users; P1/P2 for synced users) |
| Custom banned passwords | Blocks organisation-specific weak terms | P1 or P2 |
| Smart lockout | Blocks brute-force attacks intelligently | Free (always on; customising threshold and duration needs P1 or P2) |
| Password writeback | Cloud resets flow back to on-prem AD | P1 or P2 plus Entra Connect Sync or Cloud Sync |
| Combined registration | Single setup for MFA and SSPR | Free |
Password Protection and SSPR — SC-900 Domain 2
Knowledge Check
Professor Chen resets his password in the cloud using SSPR. But when he tries to access the campus file server (on-prem), his old password still works and the new one doesn't. What is most likely missing?
Sam wants to prevent BrightStar employees from using 'BrightStar' or 'Retail2025' as passwords. Which feature does Sam need?
Lakewood University wants users to register their Authenticator app, phone number, and backup email in a single process for both MFA and password reset. What feature provides this?