Known Password Reset (KPR) and Self-Service Password Reset (SSPR) are two services that enable your users to reset their passwords without having to contact your IT Helpdesk. These services also flow the password to your Active Directory (AD) to keep the password the same. Password Policies enables you to set the rules for these services. These are all handled from the Admin Portal (

Known Password Reset

KPR enables a user to reset their password providing they know their current one. Go to the login GUI and click Change Password. Choosing I Know My Password will allow them to reset their password.

Self-Service Password Reset

SSPR enables a user to reset their password even if they don't know their current one. After logging in the user is presented with a series of questions that they have to answer before they can proceed. If they answer successfully then they can enter a new password.

The Login GUI

The login GUI only shows up when the user is not in a single sign on (SSO) situation. Usually this means they will only see it off-premises. However, it is also possible using Login Control in features, to turn off SSO for a single browser that you have installed. This will enable the user to access the GUI even when on-premises.

Password Policies

The Password Policies section of Features allows you to set up rules for when the users reset their passwords using the above methods. By selecting 'Custom' you can specify length, character requirements, and other requirements. You can also make the default lock-out policy to be stricter - this temporarily disables the user's account if too many incorrect passwords are entered.


Password Reset is easy to setup. Go to their sections in Features and tick the box to show the options. Once you have set the options, go into Classifications and choose which of your classifications this is active for.

KPR has no options: it is either active or not.

Password Policies presents you with the default options which you can customise.

SSPR however takes a little more setup: you must choose at least five of the questions from the list. The users will be asked to choose three of the questions that you choose when they login the first time.

The last step that is required for setting these up is to go into Applications > Active Directory. In there, click on Edit at the bottom, then tick Destination for Passwords. If you do not do this, then the password change will not flow to your AD and the users will have to use their old password to access your machines, and the next sync will reset their 365 password back.

For further details please also see

Upcoming Features

More features are coming for these services.

  • Currently users can only reset passwords pre-authentication (using the login GUI). Users will soon be able to reset them post-authentication without needing to access the login GUI. This will mean you no longer need a non-SSO browser.