Administration of Self Service Password Reset
I suggest adding two controls in Azure AD user configuration relating to self-service password reset.
1) Disable SSPR.
Turning this on would temporarily prevent the user from using SSPR without changing their configured account verification information. It would block both password reset attempts and attempts to change the account verification information. This feature would be useful when we need to lock out a user by changing their password and still be able to access their account. We're a school and this situation comes up from time to time in the course of disciplinary activities.
2) Clear account verification information.
This would erase the account verification information but not prevent the user from subsequently setting it again. This would be useful for role-based accounts where a different user comes on board but we don't want to delete and recreate the account.
Thanks for your consideration. Jeff.
Thank you for your feedback!
For the first suggestion, how would this functionality differ from simply blocking a user? Do you want to be able to change their password while they’re blocked?
For the second suggestion, we are working on an API and UX that gives an admin the ability to clear authentication methods (i.e. phone, email, etc.) for a user so that they are re-prompted to register when they next sign in.
Sadie Henry (sahenry)
Raghuram P commented
It would be great to have an option to clear existing SSPR registration data via PowerShell.
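As an added illustration of the kind of PowerShell workflow requested in the comment above (not part of this thread, and not a capability any participant describes as existing), the script below removes a user's registered phone and email verification methods with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the caller holds a role permitted to manage authentication methods; the account name is a constructed placeholder.

```powershell
# Added example: clear a user's registered SSPR contact methods (phone and email)
# with the Microsoft Graph PowerShell SDK. Not part of the original thread.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the caller holds a role
# that may manage authentication methods (e.g. Authentication Administrator).

function Clear-SsprContactMethods {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserId   # UPN or object id of the role-based account being handed over
    )

    # Audit first: record every registered method before anything is removed.
    $methods = Get-MgUserAuthenticationMethod -UserId $UserId
    foreach ($m in $methods) {
        Write-Verbose ("Registered method {0} of type {1}" -f $m.Id, $m.AdditionalProperties['@odata.type'])
    }

    # Phone methods (mobile, alternate mobile, office) used for SMS/voice verification.
    foreach ($phone in Get-MgUserAuthenticationPhoneMethod -UserId $UserId) {
        if ($PSCmdlet.ShouldProcess($UserId, "Remove phone method $($phone.PhoneType) $($phone.PhoneNumber)")) {
            Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $phone.Id
        }
    }

    # Email method used for SSPR one-time codes.
    foreach ($mail in Get-MgUserAuthenticationEmailMethod -UserId $UserId) {
        if ($PSCmdlet.ShouldProcess($UserId, "Remove email method $($mail.EmailAddress)")) {
            Remove-MgUserAuthenticationEmailMethod -UserId $UserId -EmailAuthenticationMethodId $mail.Id
        }
    }

    # The password method itself cannot be removed; the user is prompted to register
    # new verification information at the next sign-in.
}

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Dry run first, then the real change (placeholder account name).
Clear-SsprContactMethods -UserId 'shared.role@contoso.example' -WhatIf -Verbose
Clear-SsprContactMethods -UserId 'shared.role@contoso.example' -Verbose
```

Note that this addresses only the second suggestion in the thread (clearing verification information). It does not disable self-service password reset for the user: once the methods are gone, the user can register new ones at the next sign-in, which is exactly the behaviour the original post asks for in that case.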
Jeffry A. Spain commented
With regard to #1 above, we want to be able to change the password on a user account and leave the account unblocked so that we can access it using the new password. We don't want the user to be able to regain access to their account using Self Service Password Reset until we have completed our administrative disciplinary review. Thus we want to temporarily disable Self Service Password Reset without clearing the configured account verification information. This is different from just blocking the user, because if we blocked the user, then we could not access the account either. Please let me know if you want further clarification. Jeff.