Microsoft 365 Message Center item MC1325414

MC1325414 - (Updated) Microsoft Entra ID SSPR will require registered authentication methods starting September 7, 2026

Starting September 7, 2026, Microsoft Entra ID SSPR will require users to have explicitly registered authentication methods for password reset verification, disallowing directory-sourced contact info unless registered. A registration campaign begins August 6, 2026, urging users to register methods to avoid reset failures.

Message Center ID: MC1325414
Category: Plan for change
Severity: normal
Services: Microsoft Entra
Tags: Updated message, User impact, Admin impact
Published: 2026-05-28
Last updated: 2026-06-26
Expires: 2026-10-14
Action required by: 2026-09-06

Updated June 26, 2026: We have updated the timeline. Thank you for your patience.

[What and Why]

You’re receiving this message because your organization uses Microsoft Entra ID Self-Service Password Reset (SSPR).

Currently, SSPR may allow users to verify their identity using contact information stored in directory attributes such as mobile phone, business phone, and alternate email, even if those values were never explicitly registered as authentication methods.

To strengthen identity security, SSPR will require explicitly registered authentication methods for verification. This change is part of Microsoft’s Secure Future Initiative and ensures password reset verification is based on trusted, user-validated methods rather than directory-sourced attributes.

[Rollout Schedule]

- August 6, 2026: SSPR registration campaign begins prompting users and administrators to register authentication methods if the SSPR setting requires registration and users do not have enough methods.
- September 7, 2026: Enforcement begins. SSPR will no longer accept directory-sourced contact information for verification.
- General Availability (Worldwide, GCC, GCC High): Early September 2026 through mid-September 2026

[Impact on Your Organization]

Who is affected
- All users (including administrators) in tenants with SSPR enabled
- Applies to Public cloud and US Government clouds (GCC, GCC High, DoD)

Platforms/Services
- Microsoft Entra ID
- Self-Service Password Reset (SSPR)
- Web and admin portal experiences

What will happen
- Only explicitly registered authentication methods will be accepted for SSPR verification.
- Directory attributes (such as mobilePhone, businessPhone, otherMails) will no longer be valid unless registered.
- Approximately 86% of SSPR verifications already use registered methods today.
- Users without registered methods at enforcement will be:
  - Unable to complete password resets
  - Prompted to register methods or contact an administrator
- The registration campaign will proactively prompt affected users starting July 6, 2026.

[Action Required / Recommendations]

Action is required before September 7, 2026.

- Review authentication method registration coverage:
  - Go to Microsoft Entra admin center → Authentication methods → User registration details
  - Ensure all users (including admins) have at least one registered authentication method that satisfies your SSPR policy.
- Allow or enable the SSPR registration campaign to prompt users automatically.
- Plan fallback processes:
  - Helpdesk-assisted registration
  - Alternative onboarding scenarios for users unable to self-register
- Communicate this change to:
  - IT admins and helpdesk teams
  - Users (encourage registration via My Security Info)

Learn more:
- Manage user authentication methods | Entra admin center
- Microsoft Q&A for Entra ID | Microsoft Security | Microsoft Entra | Microsoft Entra ID | Microsoft Learn
- Password policies and account restrictions in Microsoft Entra ID | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Prepopulate user authentication contact information for Microsoft Entra self-service password reset (SSPR) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Register security information (My Security Info)
- Secure Future Initiative | Microsoft

[Compliance Considerations]

| Question | Answer |
| --- | --- |
| Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Directory attributes (such as phone/email) will no longer be used for SSPR unless explicitly registered as authentication methods. |
| Does the change alter admin monitoring/reporting? | Yes. Admins can monitor registration coverage via updated reporting in the Entra admin center. |
| Does the change include admin controls? | Yes. Admins control SSPR policies and registration requirements. |
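
Added example, not part of the Microsoft notice: one way to carry out the "review authentication method registration coverage" step offline, over rows shaped like the Microsoft Graph `userRegistrationDetails` report resource. The sample rows, the `SSPR_POLICY_METHODS` set and the function names are constructed assumptions; set the method list and `methods_required` to match your own SSPR policy.

```python
# Constructed sample rows (not real tenant data), using field names from the
# Microsoft Graph userRegistrationDetails resource.
SAMPLE_ROWS = [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True, "isSsprEnabled": True,
     "isSsprRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False, "isSsprEnabled": True,
     "isSsprRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": True, "isSsprEnabled": True,
     "isSsprRegistered": False, "methodsRegistered": ["windowsHelloForBusiness"]},
    {"userPrincipalName": "dave@contoso.example", "isAdmin": False, "isSsprEnabled": False,
     "isSsprRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "erin@contoso.example", "isAdmin": False, "isSsprEnabled": True,
     "isSsprRegistered": True, "methodsRegistered": ["email"]},
]

# Assumption: the methods this tenant's SSPR policy accepts. Edit to match your policy.
SSPR_POLICY_METHODS = {"microsoftAuthenticatorPush", "softwareOneTimePasscode",
                       "mobilePhone", "officePhone", "email"}

def at_risk_users(rows, methods_required=1, policy_methods=SSPR_POLICY_METHODS):
    """Return SSPR-enabled users likely to fail a reset at enforcement, admins first."""
    flagged = []
    for row in rows:
        if not row.get("isSsprEnabled"):
            continue  # SSPR is not enabled for this user, so the change does not apply
        # Count only registered methods that the SSPR policy actually accepts.
        counted = sum(1 for m in row.get("methodsRegistered") or [] if m in policy_methods)
        if row.get("isSsprRegistered") and counted >= methods_required:
            continue
        flagged.append({"upn": row["userPrincipalName"],
                        "isAdmin": bool(row.get("isAdmin")),
                        "missing": max(methods_required - counted, 0)})
    return sorted(flagged, key=lambda u: (not u["isAdmin"], u["upn"]))

def coverage(rows, methods_required=1, policy_methods=SSPR_POLICY_METHODS):
    """Summarise how many SSPR-enabled users are covered before enforcement."""
    enabled = sum(1 for r in rows if r.get("isSsprEnabled"))
    risky = at_risk_users(rows, methods_required, policy_methods)
    pct = round(100.0 * (enabled - len(risky)) / enabled, 1) if enabled else 100.0
    return {"sspr_enabled": enabled, "at_risk": len(risky),
            "admins_at_risk": sum(1 for u in risky if u["isAdmin"]), "covered_pct": pct}

if __name__ == "__main__":
    print(coverage(SAMPLE_ROWS))
    for user in at_risk_users(SAMPLE_ROWS):
        print(user)
```

Users flagged with `missing` equal to 0 have enough policy methods listed but are still reported as not SSPR registered, so they are worth a manual check rather than being assumed safe.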