Using Azure AD SSPR (Self-Service Password Reset) and a background process that assigns user-supplied contact data, newly onboarded users may both verify and set their first credential without needing to contact the IT Service Desk.
The script below demonstrates one way to facilitate this using native Microsoft Graph API calls:
Pending re-write with msgraph-sdk-powershell.
SSPR
https://aka.ms/sspr
Parameters
Realm
https://aka.ms/sspr?whr=domain.com
Username
https://aka.ms/sspr?username=firstname.lastname@domain.com
Final Redirection
Final step redirection.
https://aka.ms/sspr?ru={HTTP Encoded Parameter}
https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize?client_id=appId&scope=https://yourApp.com/scope&redirect_uri=https://yourApp.com/
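The plaintext URL above must be HTTP encoded (that is, URL/percent-encoded) when supplied as the ru parameter in the SSPR URL, so that its own "?", "&" and "=" characters are not read as SSPR parameters.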
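The following added example (not part of the original script) builds an SSPR link from the parameters listed above, encodes the final redirection target, and refuses targets that are not HTTPS or not on an allow-list. The function name New-SsprLink, its parameters, the allow-list and the combination of several parameters in one URL are assumptions.

```powershell
# Added example; New-SsprLink and its parameter names are hypothetical.
function New-SsprLink {
    [CmdletBinding()]
    param(
        [string]$Username,
        [string]$Realm,
        [string]$RedirectUrl,
        # Assumption: hosts the final redirection may point at, maintained by you.
        [string[]]$AllowedRedirectHosts = @('login.microsoftonline.com')
    )

    $query = [System.Collections.Generic.List[string]]::new()

    if ($Realm)    { $query.Add('whr=' + [uri]::EscapeDataString($Realm)) }
    if ($Username) { $query.Add('username=' + [uri]::EscapeDataString($Username)) }

    if ($RedirectUrl) {
        $target = $null
        if (-not [uri]::TryCreate($RedirectUrl, [System.UriKind]::Absolute, [ref]$target)) {
            throw "RedirectUrl is not an absolute URL: $RedirectUrl"
        }
        if ($target.Scheme -ne 'https') {
            throw "RedirectUrl must use https: $RedirectUrl"
        }
        # The link is sent to new users, so only let it land on hosts you expect.
        if ($AllowedRedirectHosts -notcontains $target.Host) {
            throw "RedirectUrl host '$($target.Host)' is not in the allow-list."
        }
        # Encode the whole URL so its '?', '&' and '=' stay inside the ru value.
        $query.Add('ru=' + [uri]::EscapeDataString($RedirectUrl))
    }

    $link = 'https://aka.ms/sspr'
    if ($query.Count -gt 0) { $link += '?' + ($query -join '&') }
    return $link
}

# Constructed sample input, using the placeholder values shown on this page.
$authorize = 'https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize' +
             '?client_id=appId&scope=https://yourApp.com/scope&redirect_uri=https://yourApp.com/'

New-SsprLink -Username 'firstname.lastname@domain.com' -RedirectUrl $authorize
```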
Mobile Method Screenshots
The following steps outline the user experience for the single (mobile) authentication method.