Summary
- SSPR will require users to have explicitly registered authentication methods for password reset verification; directory attributes (mobilePhone, businessPhone, otherMails) will no longer be accepted unless registered.
- This affects all users (including admins) in tenants with SSPR enabled across Public cloud and US Government clouds (GCC, GCC High, DoD).
- Admins must review registration coverage, ensure each user has at least one registered authentication method that meets policy, and enable/allow the SSPR registration campaign.
- Prepare helpdesk-assisted registration and communication to users to avoid password reset failures for users who don’t register methods.
Primary Service: Entra
Admin Impact: High
User Impact: High
Release Start: 01 Sept 2026
Release End: 15 Sept 2026
Services: Admin, Entra, Security
Category: Plan for change
Tags: Admin Action, User Adoption, Highlighted
History
5/28/2026 Item Added to Message Center
Microsoft Message
What and Why
You’re receiving this message because your organization uses Microsoft Entra ID Self-Service Password Reset (SSPR).
Currently, SSPR may allow users to verify their identity using contact information stored in directory attributes such as mobile phone, business phone, and alternate email, even if those values were never explicitly registered as authentication methods.
To strengthen identity security, SSPR will require explicitly registered authentication methods for verification. This change is part of Microsoft’s Secure Future Initiative and ensures password reset verification is based on trusted, user-validated methods rather than directory-sourced attributes.
Rollout Schedule
- July 6, 2026: SSPR registration campaign begins prompting users and administrators to register authentication methods.
- September 7, 2026: Enforcement begins. SSPR will no longer accept directory-sourced contact information for verification.
- General Availability (Worldwide, GCC, GCC High): Early September 2026 through mid-September 2026
Impact on Your Organization
Who is affected
- All users (including administrators) in tenants with SSPR enabled
- Applies to Public cloud and US Government clouds (GCC, GCC High, DoD)
Platforms/Services
- Microsoft Entra ID
- Self-Service Password Reset (SSPR)
- Web and admin portal experiences
What will happen
- Only explicitly registered authentication methods will be accepted for SSPR verification.
- Directory attributes (such as mobilePhone, businessPhone, otherMails) will no longer be valid unless registered.
- Approximately 86% of SSPR verifications already use registered methods today.
- Users without registered methods at enforcement will be:
  - Unable to complete password resets
  - Prompted to register methods or contact an administrator
- The registration campaign will proactively prompt affected users starting July 6, 2026.
Action Required / Recommendations
Action is required before September 7, 2026.
- Review authentication method registration coverage:
  - Go to Microsoft Entra admin center → Authentication methods → User registration details
- Ensure all users (including admins) have at least one registered authentication method that satisfies your SSPR policy.
- Allow or enable the SSPR registration campaign to prompt users automatically.
- Plan fallback processes:
  - Helpdesk-assisted registration
  - Alternative onboarding scenarios for users unable to self-register
- Communicate this change to:
  - IT admins and helpdesk teams
  - Users (encourage registration via My Security Info)
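The coverage review above can be scripted against an export of the user registration details, separating users who are covered from those who only have directory attributes to fall back on today. This is an added example, not Microsoft's code: the sample rows are constructed, and the `directory` join, the method names in `POLICY_METHODS` and the required count are assumptions to replace with your tenant's SSPR policy.

```python
"""Triage SSPR registration coverage before enforcement (added example)."""

# Constructed sample rows. Field names follow the Microsoft Graph
# userRegistrationDetails report; "directory" is an assumed join against each
# user's directory attributes, using the attribute names from this notice.
SAMPLE = [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
     "isSsprEnabled": True, "methodsRegistered": [],
     "directory": {"mobilePhone": "+1 555 0100", "otherMails": []}},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "methodsRegistered": ["microsoftAuthenticatorPush"],
     "directory": {}},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "methodsRegistered": ["windowsHelloForBusiness"],
     "directory": {}},
    {"userPrincipalName": "dave@contoso.example", "isAdmin": False,
     "isSsprEnabled": False, "methodsRegistered": [], "directory": {}},
    {"userPrincipalName": "erin@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "methodsRegistered": ["email"],
     "directory": {"otherMails": ["erin@personal.example"]}},
]

# Assumed tenant SSPR policy: which registered methods count, and how many.
POLICY_METHODS = {"mobilePhone", "email", "microsoftAuthenticatorPush",
                  "softwareOneTimePasscode"}
REQUIRED_COUNT = 1
DIRECTORY_ATTRS = ("mobilePhone", "businessPhone", "otherMails")

def classify(row, allowed=POLICY_METHODS, required=REQUIRED_COUNT):
    """Return 'out_of_scope', 'covered', 'directory_only' or 'no_method'."""
    if not row.get("isSsprEnabled"):
        return "out_of_scope"
    usable = allowed.intersection(row.get("methodsRegistered") or [])
    if len(usable) >= required:
        return "covered"
    directory = row.get("directory") or {}
    # Directory data present but nothing registered: these users can lose
    # reset ability at enforcement without ever having seen a failure.
    has_dir = any(directory.get(attr) for attr in DIRECTORY_ATTRS)
    return "directory_only" if has_dir else "no_method"

def triage(rows):
    """Group UPNs by status, listing admins first within each group."""
    order = sorted(rows, key=lambda r: (not r.get("isAdmin", False),
                                        r["userPrincipalName"]))
    groups = {}
    for row in order:
        groups.setdefault(classify(row), []).append(row["userPrincipalName"])
    return groups

def coverage(rows):
    """Fraction of SSPR-enabled users with enough policy-eligible methods."""
    states = [s for s in map(classify, rows) if s != "out_of_scope"]
    return states.count("covered") / len(states) if states else 1.0
```

The `directory_only` and `no_method` groups are the lists to hand to the helpdesk and the user communication plan.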
Learn more:
- Manage user authentication methods | Entra admin center
- Microsoft Q&A for Entra ID | Microsoft Learn
- Password policies and account restrictions in Microsoft Entra ID | Microsoft Learn
- Prepopulate user authentication contact information for Microsoft Entra self-service password reset (SSPR) | Microsoft Learn
- Register security information (My Security Info)
- Secure Future Initiative | Microsoft
Compliance Considerations
Question: Does the change alter how existing customer data is processed, stored, or accessed?
Answer: Yes. Directory attributes (such as phone/email) will no longer be used for SSPR unless explicitly registered as authentication methods.
Question: Does the change alter admin monitoring/reporting?
Answer: Yes. Admins can monitor registration coverage via updated reporting in the Entra admin center.
Question: Does the change include admin controls?
Answer: Yes. Admins control SSPR policies and registration requirements.