However, with Office 365, you do not need to worry about any of the above questions, as Self Service Password Reset in Azure Active Directory allows users to reset their passwords without needing an administrator.
To use Self Service Password Reset in Azure Active Directory, you need either Azure Active Directory Basic, Azure Active Directory Premium, or a paid Office 365 subscription. Azure self service password reset can also be extended to your on-premises infrastructure via directory synchronization. However, in this post, I will talk about how you can use it with cloud-only identities.
Once you enable self service password reset in your Azure Active Directory, users must register for the service by providing the number of authentication methods you require before they can reset their passwords. As an administrator, you decide which of the four methods below will be available to users.
- Office Phone
- Mobile Phone
- Alternate Email Address
- Security Questions
Again, as I said, this comes down to compliance policies and practices. If this feature is something that you want to use, but do not want to make available to all of your users, you can restrict it by group membership. When you define a security group that is allowed to use password reset, only users who are members of that group can reset their passwords.
I have put together a step-by-step document on how to set up self service password reset, available at TechNet Gallery. You can download it here.