MC1325414Microsoft Entra ID SSPR will require registered authentication methods starting September 7, 2026

What and Why

You’re receiving this message because your organization uses Microsoft Entra ID Self-Service Password Reset (SSPR).

Currently, SSPR may allow users to verify their identity using contact information stored in directory attributes such as mobile phone, business phone, and alternate email, even if those values were never explicitly registered as authentication methods.

To strengthen identity security, SSPR will require explicitly registered authentication methods for verification. This change is part of Microsoft’s Secure Future Initiative and ensures password reset verification is based on trusted, user-validated methods rather than directory-sourced attributes.

Rollout Schedule

• July 6, 2026: SSPR registration campaign begins prompting users and administrators to register authentication methods.
• September 7, 2026: Enforcement begins. SSPR will no longer accept directory-sourced contact information for verification.
• General Availability (Worldwide, GCC, GCC High): Early September 2026 through mid-September 2026

Impact on Your Organization

Who is affected

• All users (including administrators) in tenants with SSPR enabled
• Applies to Public cloud and US Government clouds (GCC, GCC High, DoD)

Platforms/Services

• Microsoft Entra ID
• Self-Service Password Reset (SSPR)
• Web and admin portal experiences

What will happen

• Only explicitly registered authentication methods will be accepted for SSPR verification.
• Directory attributes (such as mobilePhone, businessPhone, otherMails) will no longer be valid unless registered.
• Approximately 86% of SSPR verifications already use registered methods today.
• Users without registered methods at enforcement will be:
  • Unable to complete password resets
  • Prompted to register methods or contact an administrator
• The registration campaign will proactively prompt affected users starting July 6, 2026.

Action Required / Recommendations

Action is required before September 7, 2026.

• Review authentication method registration coverage:
  • Go to Microsoft Entra admin center → Authentication methods → User registration details
• Ensure all users (including admins) have at least one registered authentication method that satisfies your SSPR policy.
• Allow or enable the SSPR registration campaign to prompt users automatically.
• Plan fallback processes:
  • Helpdesk-assisted registration
  • Alternative onboarding scenarios for users unable to self-register
• Communicate this change to:
  • IT admins and helpdesk teams
  • Users (encourage registration via My Security Info)

Learn more:

• Manage user authentication methods | Entra admin center
• Microsoft Q&A for Entra ID | Microsoft Security | Microsoft Entra | Microsoft Entra ID | Microsoft Learn
• Password policies and account restrictions in Microsoft Entra ID | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
• Prepopulate user authentication contact information for Microsoft Entra self-service password reset (SSPR) | Authentication | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
• Register security information (My Security Info)
• Secure Future Initiative | Microsoft 

Compliance Considerations