How to Setup MFA & Self-Service Password Reset (SSPR) in Microsoft 365

As part of the Multi-factor Authentication (MFA) rollout, The Miller Group is also enabling Self-Service Password Reset (SSPR), which will allow users to reset the password of their Microsoft 365 accounts. This document is meant to guide users through the process of registering MFA methods for their accounts and performing the Self-Service Password Reset process.

 

Enrollment

The Miller Group will enable SSPR for all user accounts. SSPR requires at least two registered MFA methods that are compatible with SSPR, chosen from the following four types:

  • Microsoft Authenticator push notification
  • Mobile app code (Microsoft Authenticator or other authenticator app)
  • Email (personal email account)
  • Mobile phone (text code to corporate/personal mobile phone)

Email and mobile phone are weaker than the authenticator-app methods (a text message can be redirected by SIM swapping, and a personal mailbox can itself be compromised), which is why at least two methods are required. YubiKey and Windows Hello for Business, while also MFA methods, cannot be used for SSPR.

 

Registration

Once SSPR is enabled, Microsoft will check at the next Microsoft 365 sign-in that the account meets the two-method requirement. That sign-in may be directly to https://portal.office.com or through any Office application such as Outlook, Word, Excel, or Teams, because Microsoft periodically re-checks that the account is still licensed and evaluates the MFA registration requirement at the same time.

If a user’s account has no SSPR-compatible MFA method, or only one, the user will be prompted to register additional methods with the following prompt:

Click Next and follow the instructions below to register MFA methods. If a method of a given type is already registered, the prompt should skip asking for another method of that type.


 

Microsoft Authenticator

** To skip setting up Microsoft Authenticator, select “I want to set up a different method” at the bottom of the window.

Microsoft 365 prompts you to set up Microsoft Authenticator by default. Microsoft Authenticator is an app from Microsoft that you install from your phone’s app store (iPhone or Android). You may instead use a third-party authenticator app (Google Authenticator, Duo, Authy, etc.) if you already have one you prefer; any app that supports OATH TOTP will work.

 

To set up Microsoft Authenticator, select Next on the computer and open Microsoft Authenticator on your phone (install it from your phone’s app store first if you haven’t yet). Tap the + symbol at the top of the app and, following the directions on the computer, select “Work or school account”. Then either choose “Scan a QR code” and point the phone’s camera at the QR code shown on the computer, or choose “Sign in” and sign in to your Microsoft 365 account on the phone. Either route completes the setup. Continuing on the computer, Microsoft then verifies the registration with a push notification: tap Approve on the prompt on your phone to finish.

 

Microsoft Authenticator supports two modes of authentication: Push Challenge and OATH TOTP. With a Push Challenge, the sign-in screen on the computer displays a short number and the app on your phone prompts you to type that number in; entering the matching number approves the sign-in request. Typing the number from the screen, rather than simply tapping Approve, ensures you are approving a sign-in you actually started and not a request that someone who has your password pushed to your phone. OATH TOTP is the mode shared with other authenticator apps: the app displays a 6-digit code for each saved account that changes every 30 seconds, and entering the current code at the prompt approves the sign-in request.


 

Third-Party Authenticator

If you choose to use a third-party authenticator instead of Microsoft Authenticator, select “I want to use a different authenticator app” on the default authenticator app page.

The look of each third-party authenticator app differs slightly, but the process to add an account is generally the same. Click Next and Microsoft 365 will display a QR code. In the authenticator app on your phone, choose to add a new account (usually “Add Account” or the + symbol), and the app will ask to scan the QR code. (Don’t scan the QR code in this picture; it is only an example.)

If scanning the QR code doesn’t work, click the “Can’t scan image” box and the page will show the raw setup key (a string of letters and digits) to type into the app instead. Choose the equivalent manual-entry option in the phone app (for example “Enter a setup key”) so that it skips the camera and asks for the key directly. Treat this key like a password: anyone who has it can generate your codes, so do not save it in a note, screenshot, or email.

Once the QR code or setup key has been entered, the authenticator app on the phone will begin showing a 6-digit TOTP code that changes every 30 seconds. Enter the current code and select Next on the computer to complete the third-party authenticator setup.
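The 6-digit code described above is not sent to the phone; the app computes it from the setup key using OATH TOTP (RFC 6238): the key is the shared secret, the counter is the current Unix time divided into 30-second steps, and the code is a truncated HMAC-SHA1 of that counter. The Python below is an added example, not code from this guide or from Microsoft. It uses the RFC 6238 test key as a constructed stand-in for a real setup key, and its `verify_totp` function illustrates what a generic verifier does (accepting one step of clock drift either side), not Microsoft’s own implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the base32 "setup key" an authenticator app asks
# for when the QR code cannot be scanned. This is the RFC 6238 test-vector key
# ("12345678901234567890" in ASCII), NOT a real account secret.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 setup key. Apps accept lowercase, spaces and
    omitted '=' padding, so normalise before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is exactly what the phone app displays for the account."""
    t = time.time() if at_time is None else at_time
    return hotp(decode_secret(secret_b32), int(t // step), digits, algorithm)


def verify_totp(secret_b32: str, submitted: str, at_time=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Illustrative server-side check (assumed, generic behaviour): accept the
    current step and +/- `window` adjacent steps to tolerate phone clock drift,
    and compare in constant time so a wrong guess leaks no timing information."""
    t = time.time() if at_time is None else at_time
    key = decode_secret(secret_b32)
    base = int(t // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base + delta, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("current 6-digit code:", totp(EXAMPLE_SECRET_B32))
    print("seconds until it rotates:", 30 - int(time.time()) % 30)
```

Paste the same example key into any TOTP app and it will show the same 6 digits this script prints, which is the practical reason the setup key must stay secret: the key, not the code, is the credential.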


 

Phone

The Phone option will ask for a phone number and request either a text or call to confirm ownership of the phone number entered.

Selecting text delivers a text message with a 6-digit code to the phone; enter the code at the prompt on the computer to complete the setup. Selecting call triggers an automated call from Microsoft: press # to confirm, or 0# to deny (for instance if the phone number was mistyped and someone else received the call). Confirming the call completes the setup.


 

Email

After setting up an authenticator app or phone, email becomes available as a secondary MFA option (it cannot be your primary method) by choosing “I want to set up a different method” at the bottom of the MFA setup prompt. Enter a personal email address and, as with the text option, Microsoft will email a 6-digit code and ask you to enter it to confirm ownership of the address. This option is also available later as an additional backup MFA method. Use a personal mailbox that is itself protected by MFA, since it will be one of the two factors that can reset your work password.


 

SSPR/MFA Setup Complete

Once both required options are set up, required MFA registration is complete. To view the MFA methods registered for your account or to add additional backup methods, go to https://mysignins.microsoft.com/security-info. Select “Add sign-in method” at the top to add another MFA method. Existing methods can be removed here too (for example an old phone number or email address).

An alternative passwordless sign-in option is also available here. Choosing “Microsoft Authenticator – notification” skips the password prompt at login and goes directly to a Push Challenge, asking you to enter the short number from the sign-in screen into your Microsoft Authenticator app. As an additional safeguard, the Microsoft Authenticator app also shows a small map of the approximate location of the sign-in attempt, so you can spot a request that did not come from you.


 

Self-Service Password Reset Process

If you need to reset your password for whatever reason, go to https://portal.office.com where you will see a prompt similar to the image below asking for your email address:

After entering your email address, select “Forgot my password” to start the password reset process. First, complete the CAPTCHA (this is there to stop attackers from automating password-reset attempts).

You’ll then be prompted for two forms of registered MFA. The options offered depend on which SSPR-compatible MFA methods you registered.

After choosing and completing both, the process will ask for a new password and then return you to the original sign-in screen.

If you need assistance with setting this up, click here to create a support request and one of our experts will be in touch shortly.