The Microsoft Entra update changes how users verify identity during password recovery.
Microsoft is strengthening password reset security in Microsoft Entra ID with a major update to its Self-Service Password Reset (SSPR) process. Commercial customers are now being notified that only explicitly registered authentication methods will be accepted for identity verification.
Microsoft Entra ID Self-Service Password Reset (SSPR) is a feature that allows users to reset or unlock their accounts on their own without needing help from IT support. It works by verifying a user’s identity through pre‑registered authentication methods, such as a phone number, email, or authenticator app. This makes it a convenient and secure way to regain access while reducing helpdesk workload and improving overall user productivity.
Currently, SSPR may allow users to confirm their identity using contact details (such as phone numbers or alternative email addresses) stored in directory attributes. This works even if those details were not explicitly configured as authentication methods.
“To strengthen identity security, SSPR will require explicitly registered authentication methods for verification. This change is part of Microsoft’s Secure Future Initiative and ensures password reset verification is based on trusted, user-validated methods rather than directory-sourced attributes,” the company explained on the Microsoft 365 Admin Center.
Microsoft will roll out this change in phases, starting with a registration campaign on July 6, 2026, encouraging both users and administrators to configure their authentication methods. Full enforcement will follow on September 7, 2026, after which only registered methods will be accepted for verification in Self-Service Password Reset (SSPR).
From that point, users without registered methods will be unable to reset their passwords and will be prompted to enroll or contact an administrator for assistance. The update will be gradually deployed across global and government cloud environments from early to mid-September 2026.
This change affects all organizations that have SSPR enabled across both public cloud environments and U.S. government cloud environments. It applies specifically to Microsoft Entra ID as well as its Self-Service Password Reset (SSPR) functionality and covers both the web interface and administrative portal experiences.
Before September 7, 2026, organizations need to take proactive steps to prepare for the upcoming change. This includes reviewing how many users have registered authentication methods by checking the relevant details in the Microsoft Entra admin center and ensuring that every user, including administrators, has at least one method that meets the SSPR requirements. It is also important to enable the built-in registration campaign so users are automatically prompted to complete their setup.
Additionally, administrators should establish backup support options for situations where users cannot register on their own. This may include providing helpdesk-assisted enrollment or creating alternative onboarding processes to ensure uninterrupted access and smooth password recovery for all users.
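For the registration review described above, the following added example (not from Microsoft or from the original article) summarises an export of the Microsoft Graph report `GET /reports/authenticationMethods/userRegistrationDetails`. It assumes the response JSON was saved by an account permitted to read that report and that the report's `isSsprRegistered` flag tracks explicitly registered methods; the sample records and the function name `sspr_readiness` are constructed for illustration.

```python
import json

# Constructed sample shaped like a Microsoft Graph response from
# GET /reports/authenticationMethods/userRegistrationDetails (not real tenant data).
SAMPLE_EXPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
     "isSsprEnabled": True, "isSsprRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "svc-print@contoso.example", "isAdmin": False,
     "isSsprEnabled": False, "isSsprRegistered": False, "methodsRegistered": []},
]})


def sspr_readiness(export_json):
    """Summarise which SSPR-enabled users still lack a registered method."""
    records = json.loads(export_json).get("value", [])
    # Only users in scope of the SSPR policy are affected by enforcement.
    in_scope = [r for r in records if r.get("isSsprEnabled")]
    # Treat a missing flag as "not registered" so gaps are never hidden.
    gaps = [r for r in in_scope if not r.get("isSsprRegistered", False)]
    # Administrators first, then alphabetical, so the riskiest lockouts lead.
    gaps.sort(key=lambda r: (not r.get("isAdmin", False), r["userPrincipalName"]))
    registered = len(in_scope) - len(gaps)
    return {
        "in_scope": len(in_scope),
        "registered": registered,
        # None when nobody is in scope, so an empty export never reads as "100%".
        "coverage_pct": round(100 * registered / len(in_scope), 1) if in_scope else None,
        "admins_unregistered": [r["userPrincipalName"] for r in gaps if r.get("isAdmin")],
        "unregistered": [r["userPrincipalName"] for r in gaps],
    }


if __name__ == "__main__":
    report = sspr_readiness(SAMPLE_EXPORT)
    print(f"{report['registered']}/{report['in_scope']} in-scope users registered "
          f"({report['coverage_pct']}%)")
    for upn in report["unregistered"]:
        tag = " [admin]" if upn in report["admins_unregistered"] else ""
        print(f"  needs registration: {upn}{tag}")
```

The unregistered list is the population to target with the registration campaign or helpdesk-assisted enrollment before enforcement.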