MC1325414 – Microsoft Entra ID SSPR will require registered authentication methods starting September 7, 2026

Product:

Entra, Microsoft 365 admin center, SharePoint

Platform:

Online, US Instances, Web, World tenant

Status:

Change type:

User impact, Admin impact

Links:

Details:

Summary:
Starting September 7, 2026, Microsoft Entra ID SSPR will require explicitly registered authentication methods for password reset verification, disallowing directory-sourced contact info unless registered. A registration campaign begins July 6, 2026. Organizations must ensure users register methods to avoid reset failures.

Details:
[What and Why]
You're receiving this message because your organization uses Microsoft Entra ID Self-Service Password Reset (SSPR).
Currently, SSPR may allow users to verify their identity using contact information stored in directory attributes such as mobile phone, business phone, and alternate email, even if those values were never explicitly registered as authentication methods.
To strengthen identity security, SSPR will require explicitly registered authentication methods for verification. This change is part of Microsoft's Secure Future Initiative and ensures password reset verification is based on trusted, user-validated methods rather than directory-sourced attributes.
[Rollout Schedule]
July 6, 2026: SSPR registration campaign begins prompting users and administrators to register authentication methods.
September 7, 2026: Enforcement begins. SSPR will no longer accept directory-sourced contact information for verification.
General Availability (Worldwide, GCC, GCC High): Early September 2026 through mid-September 2026
[Impact on Your Organization]
Who is affected
All users (including administrators) in tenants with SSPR enabled
Applies to Public cloud and US Government clouds (GCC, GCC High, DoD)
Platforms/Services
Microsoft Entra ID
Self-Service Password Reset (SSPR)
Web and admin portal experiences
What will happen
Only explicitly registered authentication methods will be accepted for SSPR verification.
Directory attributes (such as mobilePhone, businessPhone, otherMails) will no longer be valid unless registered.
Approximately 86% of SSPR verifications already use registered methods today.
Users without registered methods at enforcement will be:
Unable to complete password resets
Prompted to register methods or contact an administrator
The registration campaign will proactively prompt affected users starting July 6, 2026.
[Action Required / Recommendations]
Action is required before September 7, 2026.
Review authentication method registration coverage:
Go to Microsoft Entra admin center -> Authentication methods -> User registration details
Ensure all users (including admins) have at least one registered authentication method that satisfies your SSPR policy.
Allow or enable the SSPR registration campaign to prompt users automatically.
Plan fallback processes:
Helpdesk-assisted registration
Alternative onboarding scenarios for users unable to self-register
Communicate this change to:
IT admins and helpdesk teams
Users (encourage registration via My Security Info)
Learn more:
Manage user authentication methods | Entra admin center
Microsoft Q&A for Entra ID | Microsoft Security | Microsoft Entra | Microsoft Entra ID | Microsoft Learn
Password policies and account restrictions in Microsoft Entra ID | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
Prepopulate user authentication contact information for Microsoft Entra self-service password reset (SSPR) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
Register security information (My Security Info)
Secure Future Initiative | Microsoft
[Compliance Considerations]
QuestionAnswer
Does the change alter how existing customer data is processed, stored, or accessed?Yes. Directory attributes (such as phone/email) will no longer be used for SSPR unless explicitly registered as authentication methods.
Does the change alter admin monitoring/reporting?Yes. Admins can monitor registration coverage via updated reporting in the Entra admin center.
Does the change include admin controls?Yes. Admins control SSPR policies and registration requirements.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2026-05-29

updated:
2026-05-29

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Password Reset Failures
Users without registered authentication methods will be unable to complete password resets, leading to potential lockouts and access issues.
   - roles: End Users, IT Administrators
   - references: https://learn.microsoft.com/entra/identity/authentication/concept-sspr-policy?tabs=ms-powershell, https://www.microsoft.com/trust-center/security/secure-future-initiative?msockid=22346ecb805f631739b27a6e81726266

Increased Helpdesk Load
The inability to reset passwords will increase the volume of support requests to helpdesk teams, straining resources and response times.
   - roles: Helpdesk Staff, IT Administrators
   - references: https://learn.microsoft.com/answers/tags/455/microsoft-security-entra-entra-id, https://learn.microsoft.com/entra/identity/authentication/howto-sspr-authenticationdata

User Frustration and Productivity Loss
Users may experience frustration and productivity loss due to the inability to reset passwords independently, impacting their work efficiency.
   - roles: End Users, Team Leaders
   - references: https://learn.microsoft.com/entra/identity/authentication/concept-sspr-policy?tabs=ms-powershell, https://www.microsoft.com/trust-center/security/secure-future-initiative?msockid=22346ecb805f631739b27a6e81726266

Compliance Risks
Failure to register authentication methods may lead to compliance issues with security policies, affecting the organization's security posture.
   - roles: Compliance Officers, IT Security Managers
   - references: https://learn.microsoft.com/entra/identity/authentication/concept-sspr-policy?tabs=ms-powershell, https://www.microsoft.com/trust-center/security/secure-future-initiative?msockid=22346ecb805f631739b27a6e81726266

Communication Gaps
Lack of communication regarding the changes may lead to unpreparedness among users and administrators, exacerbating the impact of the change.
   - roles: IT Administrators, Communications Team
   - references: https://learn.microsoft.com/answers/tags/455/microsoft-security-entra-entra-id, https://learn.microsoft.com/entra/identity/authentication/howto-sspr-authenticationdata

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

XXXXXXX ... free basic plan only

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

XXXXXXX ... free basic plan only