With so many IT functions moving to the cloud, one of the areas IT admins are now looking into is self-service password reset (SSPR) and wondering what Office 365 self-service password reset is, how they can leverage it and what the potential benefits and drawbacks are for their business. In this article, we look at what it is, what benefits it offers and whether an alternative focused password reset self-service solutions are worth consideration.
on average an employee loses $420 per year grappling with passwords
Office 365 SSPR
One of the most time-consuming jobs for service desk is managing password reset tickets around 30% of all service desk tickets are password related, Widmeyer survey reported on average an employee loses $420 per year grappling with passwords, the losses in productivity alone can be staggering. it is the number one support issue to plague the service desk and offers very little value compared to the time taken. Self-service password reset for active directory provides an automated self-help service whereby service desk can offload password reset and account unlock tickets against Active Directory to an SSPR solution, resulting in fewer tickets for service desk and less downtime for employees.
Microsoft introduced self-service password reset into Azure AD back in 2015 enabling users to self-password reset for Office 365 cloud apps and with Azure AD Connect, writeback any password changes to an on-premise AD. Office 365 self-service password reset is part of the Azure AD basic edition but integrating password writeback with an on-premise AD, which if you’re serious about SSPR you will need to, Azure AD P1 licensing is required.
Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller
Writeback functionality is needed because Azure AD is not a replacement for Active Directory, quoting Microsoft, “Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD,” and so writing back password changes to your on-premise Active Directory is an essential part of the process.
Use Case for Office 365 SSPR
The use case for a CTO to go ahead with Azure AD P1 for SSPR is a business moving infrastructure into Microsoft cloud so as part of this Office 365 self-service password reset can conveniently roll this in. The other is retiring existing self-service password reset software and replacing it with Office 365 self-service password reset for convenience. However, Azure AD SSPR is not an exact like-for-like replacement nor cost-effective and lacks several benefits more focused solutions like LogonBox offer. So anyone thinking of retiring their dedicated current self-service password reset solution or making Microsoft Azure SSPR their go-to solution should read the breakdown below before making a final decision.
Product Direction
It is not difficult to understand Microsoft’s position with Azure; it wants to move as many customers as possible over to its cloud infrastructure. It is more lucrative financially and encourages greater brand tie-in – once all your infrastructure and services are in Azure, you are inclined to continue investing in other Microsoft products.
A dedicated SSPR solution like LogonBox focuses on a single function; it is laser-focused on delivering a self-service password reset experience that excels and is supported by closely connected features that all have the sole goal of reducing service desk/ help desk load and increasing user productivity.
Dedicated self-service password reset solutions are brand agnostic whereas Office 365 password self-service is strictly Microsoft brands only.
A stark example of this is the range of user directories supported, Azure AD only reduces password reset tickets for Active Directory and Azure AD accounts. Dedicated SSPR solutions like LoognBox manage passwords for Active Directory, Azure AD, Google, MySQL, Linux and AS400; the amount of tickets eliminated is significantly higher. Dedicated self-service password reset solutions are brand agnostic whereas Office 365 password self-service is strictly Microsoft brands only.
Pricing Comparison of Azure AD SSPR vs Dedicated SSPR
Self-service password reset for Office 365 comes in a few editions, free, basic, premium 1 and premium 2, self-service password reset is available in basic, but only the premium 1 and above provide writeback facilities. Azure P1 is priced at 6 USD per year per month. An organisation with 1000 employees can expect to pay in the region of 6000 USD per month, annually 72,000 USD. Volume discounting considered with a 3-year tie-in vary the final cost anywhere from 61,000 USD – 40,000 USD a year.
LogonBox is approximately 0.125 USD per user per month. For 1000 users LogonBox self-service password reset is 2245 USD for a year. LogonBox pricing is around 97% cheaper than Azure AD SSPR!
A dedicated solution like LogonBox provides self-service password reset and single sign-on just like Azure AD P1 is approximately 0.125 USD per user per month. For 1000 users LogonBox self-service password reset is 2245 USD for a year. LogonBox pricing is around 97% cheaper than Azure AD SSPR! This chasm in pricing only gets more extensive as the user count goes up; LogonBox pricing per user goes down as the total user volume goes up!
Feature Comparison of Azure AD SSPR vs Dedicated SSPR
Azure AD P1 offers substantial identity-related features to facilitate higher productivity, single sign-on using SAML login and lesser but more accessible form-based login. There is support for multi-factor authentication (MFA) for Office 365 apps but, MFA support is limited to SMS one-time password to a users cell phone and hardware MFA against the Microsoft mobile app. More widely used products such as Duo authenticator and Yubikey are ignored.
In comparison, LogonBox also supports single sign-on catering for SAML and form-based login but also JWT. There is also a greater array of authentication from basic QA, Passphrase to MFA integration like Yubikey, Google Authenticator and Duo auth. As mentioned earlier being brand agnostic LogonBox and similar products manage passwords for more than just Active Directory and Azure AD. With password management and single sign-on portal and support of multi-factor authentication, LogonBox type products can secure webapps behind MFA that previously did not support MFA secure login.
Active Directory password reset self-service through Azure P1 offers additional features useful with Microsoft services such as SharePoint integration in contrast, dedicated SSPR solutions provide other functionality that might be more appealing. Take for example passportal in addition to SSPR it offers documentation management, LogonBox offers single sign-on, password and account management. These dedicated solutions can offer organisations more features around a particular category such as identity management in a single solution which Azure AD premium can not.
Office 365 self-service experience but at a considerable cost, the price-per-user model is grossly inflated
Shifting to Cost-effective Alternatives
For Microsoft Azure AD Password self-service it offers the core Office 365 self-service experience but at a considerable cost, not only is the price-per-user model inflated, with discounts the price still pales in comparison to dedicated SSPR solutions like LogonBox. It lacks a feature-rich approach and has only real interest in integrating with Microsoft products.
More focused solutions like LogonBox cater to the masses supporting multiple user-directories not just SSPR for Active Directory; there is also support for wider MFA methods and overall are more feature rich, covering everything from self-service password reset, single sign-on to user account management and self-enrollment and more.
Ready to try a solution like LogonBox and see the benefits firsthand? You can get started with LogonBox today at no cost. All the features are available in the trial. If you’d like password-reset only, we also provide a free edition which does just that and is available once your evaluation has expired.