Microsoft is tightening password reset security in Entra ID

Later this year, Microsoft will implement a significant change to how users can reset their passwords within Entra ID. Starting in September 2026, the platform will only accept explicitly registered authentication methods for self-service password recovery.

The change was announced in Message Center post MC1325414. Currently, users of the Self-Service Password Reset (SSPR) platform can, in some cases, verify their identity using contact information stored in the directory, such as a mobile phone number, work phone number, or alternate email address. This information does not necessarily need to be registered as an authentication method.

Starting September 7, this will change. Only authentication methods that have been explicitly registered and validated in advance will still be accepted for password reset. Contact information that exists solely as a directory attribute will no longer be accepted.

Registration campaign starting in July

On July 6, Microsoft will launch a campaign to notify users who have not yet set up a registered authentication method. The new policy will then be enforced starting in September. Users without a registered method will no longer be able to reset their password independently and will first need to add an authentication method or contact the IT department.

According to Microsoft, approximately 86 percent of Entra ID users who use SSPR already use registered authentication methods. Nothing will change for this group.

According to Neowin, the change does not mean that phone numbers or alternative email addresses will disappear as verification methods. Organizations can continue to use this information, provided users explicitly register them as an authentication method within Entra ID.

Microsoft advises administrators to check in a timely manner which users have not yet set up a registered authentication method. This information is available via the Entra management portal under the registration details for authentication methods.

Accounts with administrator rights deserve particular attention. If these users do not have a valid registered verification method, they may encounter problems with password recovery after September. Microsoft also recommends that organizations have emergency procedures in place for users who can no longer recover their accounts on their own.
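The check Microsoft recommends can be done from the portal, but for a tenant of any size it is easier to pull the same registration report through Microsoft Graph. The script below is an added example written for this article; it is not code from Microsoft or from the article itself. It assumes the Microsoft.Graph PowerShell SDK (the Microsoft.Graph.Reports module) is installed and that the connecting account holds a role allowed to read the authentication-method registration report. It lists users who are in scope for SSPR but have no registered method, flags the ones holding an administrator role, and writes the result to a CSV file (the file name is an arbitrary choice).

```powershell
# Added example, not from the article or from Microsoft's documentation.
# Assumes: Microsoft.Graph PowerShell SDK installed, and a signed-in account
# permitted to read the authentication-method registration report.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# Pull the full registration report. This is the same data the Entra portal
# shows under the registration details for authentication methods.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Users enabled for SSPR with nothing registered: after the September change
# these accounts will no longer be able to reset their own password, because
# directory attributes (mobile, work phone, alternate email) are no longer
# accepted on their own.
$unregistered = @($report | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered })

# Administrator accounts deserve first attention, so count them separately.
$admins = @($unregistered | Where-Object { $_.IsAdmin })

# Write the list with admins sorted to the top; the path is an arbitrary choice.
$unregistered |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin,
        @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ';' } } |
    Sort-Object -Property IsAdmin -Descending |
    Export-Csv -Path '.\sspr-unregistered-users.csv' -NoTypeInformation

Write-Host ("{0} SSPR-enabled users have no registered method; {1} of them hold an admin role." -f $unregistered.Count, $admins.Count)
```

The filter is applied client-side with Where-Object rather than as a Graph $filter so the script does not depend on which report properties the service accepts for server-side filtering. The report only reflects methods the user has actually registered, which is exactly the distinction the new policy draws: a phone number that exists solely as a directory attribute does not make IsSsprRegistered true.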

Part of the Secure Future initiative

Microsoft has classified this change as a Major Change. This classification is used for updates that have a clear impact on administration, compliance, or user processes.

This tightening of requirements is part of the Secure Future Initiative (SFI), the multi-year security program through which Microsoft aims to better protect its products and services against attacks. Identity management plays a central role in this. For many organizations, Entra ID serves as the gateway to cloud applications, corporate data, and internal systems. By allowing only registered authentication methods for password recovery, Microsoft reduces the risk that attackers will exploit contact information that was once recorded but is no longer actively managed or monitored.