Microsoft Entra ID SSPR Will Soon Require Registered Authentication Methods


Microsoft is changing how Self-Service Password Reset works in Microsoft Entra ID, and some users may need to update their recovery methods before September 2026.

According to Microsoft 365 Message Center notice MC1325414, SSPR will soon accept only registered authentication methods. This means users will no longer be able to reset passwords with unregistered contact details stored in the directory, such as a mobile number, business phone, or alternate email.

Microsoft Entra ID SSPR Is Getting Stricter

Today, some users can reset passwords using contact attributes already saved in their directory profile. These details may work even if the user did not register them as trusted authentication methods.

That behavior is going away. Microsoft will require users to register their password reset methods before they can use them for SSPR.

Phone numbers and alternate email addresses can still work, but only after Microsoft Entra ID treats them as registered and trusted authentication methods.

Rollout Starts in July

Microsoft will start prompting affected users to register authentication methods on July 6.

The enforcement phase begins on September 7. After that date, unregistered methods will no longer work for password resets. General availability is planned for September 2026.

Some Users May Lose Password Reset Access

Microsoft says 86% of Entra ID SSPR users already rely on registered methods, so most users should not notice any change.

The risk applies to users who still depend on older directory contact attributes. After enforcement begins, these users may fail password reset attempts until they register a valid method.

If they cannot register on their own, they will need help from their IT admin.

What Admins Should Do Now

Microsoft recommends that admins review SSPR coverage in the Microsoft Entra admin center.

Admins can check user registration details by going to Authentication methods and then User registration details.

They should make sure every user has at least one registered authentication method that meets the organization’s SSPR policy. Microsoft also recommends paying special attention to IT admin accounts, since losing reset access for privileged users can create bigger support and security problems.
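
The same review can be scripted against Microsoft Graph. The PowerShell below is an added example, not code from Microsoft or from the notice. It reads the report behind User registration details and lists users who are enabled for SSPR but have not registered for it, with admin accounts first. It assumes the Microsoft.Graph.Reports module is installed, that the signed-in account may consent to AuditLog.Read.All, and that the report's isSsprRegistered flag reflects the registered methods the notice refers to. The output file name is a placeholder.

```powershell
# Added example: find SSPR-enabled users who have no registered SSPR method.
# Assumes the Microsoft.Graph.Reports module and the AuditLog.Read.All scope.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All'

# Same data as Authentication methods > User registration details.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# At risk: SSPR policy applies to the user, but the user has not
# registered the methods that policy requires.
$atRisk = $details |
    Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered } |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin, UserType,
        @{ Name = 'MethodsRegistered'
           Expression = { $_.MethodsRegistered -join ';' } },
        LastUpdatedDateTime |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true },
        UserPrincipalName

# Privileged accounts are reported separately so they can be fixed first.
$admins = @($atRisk | Where-Object { $_.IsAdmin })

'{0} SSPR-enabled users are not registered ({1} of them admins).' -f `
    @($atRisk).Count, $admins.Count

$admins | Format-Table UserPrincipalName, MethodsRegistered -AutoSize

# Placeholder file name; hand the list to whoever runs the registration campaign.
$atRisk | Export-Csv -Path '.\sspr-unregistered.csv' -NoTypeInformation
```

An empty MethodsRegistered column means the account has nothing registered at all. A populated one means the user has registered something, but not enough to satisfy the SSPR policy.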

Why Microsoft Is Making the Change

The change is part of Microsoft’s wider Secure Future Initiative.

Microsoft wants password resets to rely on verified authentication methods instead of basic directory contact data. This should reduce risk and make account recovery more consistent across Entra ID environments.

Via Neowin
