MC1234564: Prepare for the retirement of Security Questions in Entra self-service password reset

Summary

  • Security Questions will be retired from Microsoft Entra Self Service Password Reset (SSPR), impacting users relying on this method for password resets.
  • Users without alternative authentication methods will be unable to reset their passwords after the change.
  • Organizations need to transition to supported authentication options such as SMS, voice, Authenticator push, and email.
  • Documentation and processes that depend on Security Questions will become obsolete, potentially causing disruptions.
  • Compliance considerations require a review of Conditional Access policies to ensure alignment with new recovery methods.

Admin Impact: High
User Impact: High
Release Start: 01 Mar 2027
Release End: 31 Mar 2027
Services: Entra
Category: Plan for change
Tags: User Adoption, Admin Action, Retirement

History

2/18/2026 Item Added to Message Center

Microsoft Message

Introduction

Starting in March 2027, the Security Questions method will be retired from Microsoft Entra Self-Service Password Reset (SSPR). After this date, any user who still relies on Security Questions will be unable to complete password reset flows.

Security Questions are retiring due to low usage, lower success rates, and security risks (phishable and easily socially engineered). Security Questions can be exploited through social engineering, which increases the risk of unauthorized password resets and account compromise. Retiring them improves the security and reliability of password reset, helping users regain access more consistently while reducing helpdesk burden.

When this will happen

  • Begin to set up your users with alternate authentication methods as soon as possible.
  • March 2027: Security Questions will be fully retired as a method for Self-Service Password Reset.
  • After that, users will not be able to use Security Questions to complete SSPR.

How this affects your organization

Who is affected:

  • All tenants using Microsoft Entra ID Self-Service Password Reset
  • Users who are currently registered with Security Questions for password reset

What will happen:

After Security Questions are removed:

  • Users who do not have the required number of supported password reset methods will be unable to reset their password.
  • SSPR flows will no longer display Security Questions as a verification option.
  • Any workflows, documentation, or helpdesk processes depending on Security Questions will fail.

What you can do to prepare

You need to migrate to new authentication methods. Choose one of the following options:

Option 1: Transition now using currently supported methods

Disable Security Questions and move users to:

  • SMS
  • Voice
  • Authenticator push
  • Authenticator app (software OATH TOTP)
  • Hardware OATH (TOTP)
  • Email
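Before disabling Security Questions, an administrator needs to know which users still depend on them and whether those users already hold enough of the supported methods above to satisfy the tenant's "Number of methods required to reset" SSPR setting. The following PowerShell script is an added example written for this page, not code from Microsoft's message or documentation. It assumes the Microsoft.Graph.Reports module (the Get-MgReportAuthenticationMethodUserRegistrationDetail cmdlet reads the userRegistrationDetails report) and a signed-in account with permission to read authentication-method registration details; the mapping from the option names listed above to the report's methodsRegistered values, the function name, and the sample records are assumptions for illustration.

```powershell
# Added example (not Microsoft's code): find users who still depend on Security Questions
# for SSPR and report whether they would be blocked once the method is retired.
#
# Prerequisites (run once, interactively):
#   Install-Module Microsoft.Graph.Reports -Scope CurrentUser
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All'

# The supported SSPR options named in the message, expressed as methodsRegistered values
# from the userRegistrationDetails report. Assumption: this mapping is illustrative;
# confirm the value names against the report output in your tenant.
$SupportedSsprMethods = @(
    'mobilePhone',                 # SMS / voice to the mobile phone
    'alternateMobilePhone',
    'officePhone',                 # voice
    'email',
    'microsoftAuthenticatorPush',  # Authenticator push
    'softwareOneTimePasscode',     # Authenticator app (software OATH TOTP)
    'hardwareOneTimePasscode'      # Hardware OATH (TOTP)
)

function Get-SecurityQuestionDependency {
    # Classifies registration records (hypothetical helper name).
    # $RequiredMethods is the tenant's "Number of methods required to reset" setting (1 or 2).
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [ValidateRange(1, 2)] [int] $RequiredMethods = 1
    )

    foreach ($r in $Records) {
        $methods = @($r.MethodsRegistered)
        # Only users who registered Security Questions are affected by the retirement.
        if ($methods -notcontains 'securityQuestion') { continue }

        # Count the methods the user will still be able to use after the change.
        $otherSupported = @($methods | Where-Object { $SupportedSsprMethods -contains $_ })
        $count = $otherSupported.Count

        $status = 'Needs-one-more-method'
        if ($count -eq 0) { $status = 'Blocked-after-retirement' }
        elseif ($count -ge $RequiredMethods) { $status = 'OK-after-retirement' }

        [pscustomobject]@{
            UserPrincipalName = $r.UserPrincipalName
            SsprEnabled       = $r.IsSsprEnabled
            OtherSupported    = ($otherSupported -join ',')
            Status            = $status
        }
    }
}

# Live run against the tenant (uncomment after Connect-MgGraph):
# $records = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
# Get-SecurityQuestionDependency -Records $records -RequiredMethods 2 |
#     Where-Object Status -ne 'OK-after-retirement' |
#     Export-Csv .\sspr-security-question-dependency.csv -NoTypeInformation

# Constructed sample records in the report's shape, for an offline dry run.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IsSsprEnabled = $true;  MethodsRegistered = @('password', 'securityQuestion') }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   IsSsprEnabled = $true;  MethodsRegistered = @('password', 'securityQuestion', 'mobilePhone') }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; IsSsprEnabled = $true;  MethodsRegistered = @('password', 'securityQuestion', 'email', 'microsoftAuthenticatorPush') }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  IsSsprEnabled = $false; MethodsRegistered = @('password', 'mobilePhone') }
)
Get-SecurityQuestionDependency -Records $sample -RequiredMethods 2 | Format-Table -AutoSize
```

With the sample data and a two-method policy, alice is reported as blocked (Security Questions is her only reset method), bob needs one more method, carol is fine, and dave is skipped because he never registered Security Questions. The exported list is the set of users to target with a registration campaign before the method is disabled; run it again after the campaign to confirm the blocked and needs-one-more rows have drained to zero.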

Option 2: Use Verified ID for high-assurance recovery (Public Preview)

  • Microsoft Entra Verified ID combines Face Check and government-issued ID validation to re-establish trust in total lockout scenarios.
  • Ideal for organizations seeking strong identity verification.

Option 3: Prepare for Modernized SSPR with Passkey Support (not yet available)

  • We are evolving the traditional SSPR experience into an inline, modern flow.
  • This update will introduce passkey support—covering synced passkeys, device-bound credentials, macOS PSSO, and Windows Hello for Business.
  • These capabilities are part of our longer-term roadmap and are not yet available for use in SSPR. We will share more details as they become ready.

Learn more:

  • If you need technical help, please submit a support request.
  • Select authentication methods and registration options
  • Overview of Microsoft Entra ID Account Recovery
  • Self-service password reset deep dive

Compliance considerations

Compliance question: Does the change modify, interrupt, or disable Conditional Access policies?

Explanation: Self-service password reset authentication methods are evaluated in conjunction with Conditional Access policies. Administrators should review existing Conditional Access configurations to ensure alternative recovery methods align with organizational access requirements once Security Questions are retired.