What and Why
We are updating bot protection in Microsoft Entra self-service password reset (SSPR) by replacing the legacy CAPTCHA with modern backend throttling and behavior-based abuse detection. This change improves security, accessibility, and reliability by reducing friction for users while strengthening protection against automated attacks and account enumeration. No configuration changes are required. This change is fully managed by Microsoft.
Rollout Schedule
General Availability (Worldwide): Rollout will begin in late July 2026 and is expected to complete by mid-August 2026.
Impact on Your Organization
Who is affected
- All Microsoft Entra tenants using self-service password reset (SSPR)
Platforms/Services
- Microsoft Entra, self-service password reset (web flow)
What will happen
- The legacy CAPTCHA challenge will be removed from the SSPR experience.
- Users will continue to reset passwords as they do today without additional prompts.
- Backend throttling and behavior-based detection will protect against bots and abuse.
- No users will be blocked from completing SSPR.
- There is no impact to users' ability to reset their passwords.
- No changes to authentication methods, policies, or configurations.
- No new admin controls will be introduced.
- The feature is enabled by default and managed by Microsoft.
Action Required/Recommendations
No action is required.
As an optional best practice:
- Inform your helpdesk that CAPTCHA prompts will no longer appear in SSPR flows.
- Update internal documentation if it references CAPTCHA during password reset.
Compliance considerations
No compliance considerations have been identified; review as appropriate for your organization.