Getting Started
- Overview & Company
  - About Identity and Access Management
  - About Evo Security
- Initial Setup & Requirements
  - Evo Prerequisites & Supported Operating Systems
  - Getting Started: MSP Onboarding Guide
  - Evo Authenticator Mobile App 5.1.x (iOS and Android)
  - Evo Supported Authentication Methods
Product Release Notes
- Product Release Notes
  - Product Release Notes
Directory Integrations
- Environments
  - What type of Directory do I need?
  - Directory Integration: Entra ID (formerly Azure Active Directory)
  - Set up Evo on Active Directory (LDAP)
  - Sync with Google Workspace
  - Evo Cloud: Directory-As-A-Service Setup and Installation
  - Unsupported - Microsoft Azure Virtual Desktop
Deployment & Configuration
- Advanced Configurations
  - How to protect Remote Desktop using Evo Security (RDP Support)
- Scripts & Automation
  - Deploy & Uninstall Evo Agent via PowerShell
  - Deploying the Evo Agent using ConnectWise RMM
- Branding & Customization
  - How do I update the Logos to match my company brand? (Web Page and Agent)
Product Information
- MFA
  - Getting Started: Multi-Factor Authentication
  - Setting up Microsoft Authenticator for MFA
  - Email Campaigns for Onboarding Users
- SSO/ SAML
  - What SAML integrations are available?
  - Passwordless Login
  - How do I add a rule for single sign-on (SSO) expiration
  - Identity Provider (IdP) Login
  - Connect Web Apps via SAML with Evo: Version 3
  - Azure AD/On-Prem AD Hybrid Environment - Federating Microsoft 365 Domain
  - Azure AD - Federating Microsoft 365 domain
  - WS-Federation integration for Office 365 login
  - Setting up SAML with Salesforce
  - Setting up SAML with Dropbox
  - Setting up SAML with Liongard
  - Setting up SAML with Auvik
  - Setting up SAML with Domotz
  - Integrating Evo with IT Glue
- Tech Elevation
  - Getting Started: Technician Elevation
  - Technician Elevation: Extended User Access Control session
  - Technician Elevation: Just-in-Time Accounts
  - Local Admin Accounts
  - Web Accounts
- End User Elevation
  - Getting Started: End User Elevation
  - Usage Guide: End User Elevation
  - End User Elevation: Custom Branding
- Help Desk Verification
  - Getting Started: Help Desk Verification
  - Help Desk Verification with Microsoft Authenticator and Evo Secure Login
- Agents
  - Windows Agent Deployment
  - LDAP Agent Settings Editor
  - macOS Agent Deployment
  - How do I update Evo software?
- RADIUS
  - RADIUS - Secure RADIUS Servers with TLS/radsecproxy (CVE-2024-3596)
Evo Portal
- Navigation & Managment
  - Welcome to the Evo Portal!
  - Policies Page
  - Deployment Tokens
  - Access Tokens
  - Keys (Hardware Keys) Page
  - Role-Based Permissions / List of Roles
- User & Directory Management
  - How do I manage my user licenses? (Billing and Administration)
  - Self Service Password Reset ( SSPR)
Integrations
- PSA & Password Sync Integrations
  - Evo Password Integration with ITGlue
  - Integrating Evo with Halo PSA
  - Evo Password Integration with Hudu
  - Evo Integration with Autotask
  - Evo Integration with ConnectWise
- Microsoft EAM Integration
  - Microsoft EAM integration
User Onboarding & Guidance
- MFA & Access Behavior
  - How does the "MFA Status" toggle work?
  - MFA Grace Period
  - Temporary Authentication Lockout
- Account Management
  - How do I reset my Evo password?
  - How do I see authentication activity?
  - How do I convert user types?
  - How do I manage my users / users devices?
- End User Documentation
  - How do I register my device?
  - Evo Authenticator watch app
  - Using Evo Secure Login (End User)
  - Using Evo Security (End User) - Azure AD
  - Using Evo Security (End User) - Active Directory
Troubleshooting & FAQs
- Directories Troubleshooting
  - Troubleshoot issues with the Evo LDAP Agent
  - On-prem AD Virtual Machine hosted on Azure (timeout settings)
- Secure Login Troubleshooting
  - Error: Login Denied due to Temporary Lockout
  - Error Message: the account is disabled or not found
  - How to Fix Secure Login Always Requests Offline Code
  - How to use Offline code to login to Windows machine without Internet
  - Evo Secure Login for Windows / Troubleshooting Secure Login
- Elevated Access Troubleshooting
  - Error: The user has not been granted the requested logon type at this computer
  - How to Troubleshoot Elevated Access / Domain Accounts
- Mobile App Troubleshooting
  - Troubleshooting Evo Authenticator Mobile App Issues
- End User Troubleshooting
  - User cannot login after changing email
Support & Resources
- Support & Resources
  - Support & Feature Requests
  - Common Support Issues
More

Self Service Password Reset ( SSPR)

Last updated on March 5, 2026

Overview

Self-Service Password Reset (SSPR) allows end users to securely reset their passwords without direct MSP intervention, while preserving MSP control for high-risk recovery scenarios. This release improves security, reduces help desk workload, and standardizes password management across all supported directory integrations.

Prerequisites for Self-Service Password Reset (SSPR)

There is no additional licensing required to use Self-Service Password Reset (SSPR). Access is managed through the Evo Policy system. Before SSPR can be made available to end users, ensure the following requirements are met:

Policy Configuration Enabled The Self-Service Password Reset setting must be added to either the Global Policy or a specific policy. That policy must also be assigned an appropriate scope (Environment, Tenant, or Directory). Note: SSPR is not enabled by default.

Password Sync Must Be Enabled All directories included within the scope of the SSPR policy must have Sync Passwords Back to Provider enabled. If this setting is not configured, the system will detect it and prompt the administrator to enable it before allowing the policy to be saved.

User Email Requirement Each user must have a valid email address configured on their account in order to use SSPR.

Supported Password Reset Flows

User-Initiated (Logged In)

Users can reset their password while signed in to the Evo Portal:

Partner Portal

Path: Profile → Account Details

User Portal

Path: Settings

Evo Mobile App

Path: Settings → Password Reset

Flow:

User initiates reset from mobile app

Answers Security Questions

Sets new password

Evo Admin Assisted

MSPs can initiate password resets via:

Desired Tenant → Identities → Users → Desired User→ Password Reset tile

Choose Delivery Method

Option to override additional challenge ( If enabled via Policy )

Important Behavior Changes

Administrator-Controlled “Forgot Password”

The Forgot Password option is now disabled for end users when SSPR is enabled

Administrators retain full access to Forgot Password workflows

Locked-out users must contact the MSP help desk for assistance

Note: This change reduces exposure to external password reset abuse and ensures human-verified recovery when risk is highest.

Password Reset Limits

Maximum: 3 reset attempts per user per hour

Lockout can be cleared by Evo Admins under the users account under Identities → Users

Attempts reset automatically after 24 hours

New Policies that come with Self-Service Password Reset (SSPR)

Self-Service Password Reset: Controls self-service password reset and any additional challenge requirements.

This policy enables SSPR functionality Must be: Assigned a scope, OR Included in the Global Policy

Additional Controls: Ability to require additional authentication challenges during reset

Passwords Remembered: Number of previous passwords a user cannot reuse.

Default: 5 previous passwords Maximum: 24 Set to 0 to disable enforcement

This policy applies even without SSPR enabled.

Password complexity rule: Password complexity requirements such as length and character classes.

Configurable requirements include:

Minimum length

Maximum length

Banned password terms

Supported Rules:

At least one digit

At least one uppercase letter

At least one lowercase letter

At least one special character

Minimum length requirement

Maximum length limit

Cannot contain user-specific information

Maximum Length by Directory:

Azure / Entra / LDAP: 256 characters

Google Workspace / Evo Cloud: 100 characters

Key Takeaways for Partners

SSPR reduces ticket volume but still keeps MSPs in control for edge cases

Strong policy controls ensure security is not compromised

Help desk-assisted flows remain available and enhanced

All Directory integrations now support password write-back (when enabled)

Did this answer your question?

😞

😐

🤩

How do I manage my user licenses? (Billing and Administration) Evo Password Integration with ITGlue