Microsoft Tightens Security for Self-Service Password Reset

SSPR Will Require Authentication Methods for Password Resets

Message center notification MC1325414 deserves the attention of any Microsoft 365 tenant that uses the Entra ID Self-Service Password Reset (SSPR) facility to allow users to change their password without assistance.

When someone uses SSPR to change their password, Entra ID requires them to verify their identity. Currently, while SSPR prefers using authenticated methods to verify identities, it can fall back to contact information stored in Entra ID, such as mobile phone numbers or alternative email addresses, for verification. The issue is that directory attributes are easily updated, which exposes the possibility that a malicious actor might be able to update a phone number or email address and then be able to change a user’s password and gain access to their account.

To solve the problem, Microsoft will require explicitly registered authentication methods to verify user identities. In other words, a user must go to their Security Info page to register one of the sign-in (authentication) methods configured in the tenant (Figure 1). After successfully adding the selected authentication method to their account, the method can be used to verify the user’s identity when they change their password.

Figure 1: Choosing an authentication method that can be used with SSPR

Microsoft says that a user-validated method is safer than validating accounts based on directory attributes, and they’re right. The change aligns SSPR verification with the same authentication methods used for sign-in, and that’s a good thing.

Date Line for Deployment

The changeover will follow a two-phase approach:

  • July 6, 2026: Microsoft will initiate an SSPR registration campaign to prompt users and administrators who have not registered an authentication method to go ahead and do so.
  • September 6, 2026: SSPR enforces the requirement that password changes are only possible for accounts that have registered an authentication method. Users who have not registered an authentication method will be unable to change their password and will be directed to contact an administrator (or help desk) for assistance.

In MC1325414, Microsoft says that approximately 86% of SSPR verifications use registered authentication methods. That’s certainly a good base to work off, but 14% of the Microsoft 365 user population is 67.5 million accounts (based on 450 million Microsoft 365 paid seats). Not everyone uses SSPR, but the sheer size of Microsoft 365 indicates that there’s some work to be done.

Finding the User Accounts That Need to Act

To discover the set of SSPR-enabled accounts that haven’t yet registered an authentication method, run the Get-MgReportAuthenticationMethodUserRegistrationDetail cmdlet from the Microsoft Graph PowerShell SDK (requires the AuditLog.Read.All permission). The cmdlet works with summary information extracted from Entra ID, and while the information is not up to date, it is good enough to work from. The data is the same as seen by going to the Authentication methods section of the Entra admin center and viewing User registration details.

This command runs the cmdlet with a filter to find user accounts that are SSPR enabled but haven’t got at least one registered authentication method:

Get-MgReportAuthenticationMethodUserRegistrationDetail -All -Filter "isSsprEnabled eq true and isSsprRegistered eq false" | Format-Table UserPrincipalName, IsSsprEnabled, IsSsprRegistered -AutoSize

UserPrincipalName                            IsSsprEnabled IsSsprRegistered
-----------------                            ------------- ----------------
Brian.Weakliam@office365itpros.com                    True            False
Chris.Bishop@office365itpros.com                      True            False
Hans.Geering@office365itpros.com                      True            False
James.Ryan@office365itpros.com                        True            False
Lotte.Vetler@office365itpros.com                      True            False
Otto.Flick@office365itpros.com                        True            False

What should you do if some accounts are listed as needing to register an authentication method? As mentioned above, Microsoft will initiate a registration campaign on July 6 to encourage users to sign up for their preferred authentication method. If July 6 seems too far away and you think that vacation is likely to occupy people’s thoughts at that time, maybe you could launch your own registration campaign sooner. Or just start to send people email to ask them to do the right thing.

Remember Those Who Can’t Respond

It’s the nature of all things IT that some users will be unable to respond to calls and campaigns and won’t register an authentication method before the September 6 deadline. A weekly check against the accounts identified by the Get-MgReportAuthenticationMethodUserRegistrationDetail cmdlet is probably enough to keep an eye on the campaign and make sure that users are registering at the needed rate.
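The weekly check is easy to automate. The script below is an added example, not code from the original post or from Microsoft: it runs the same filtered report as the one-liner above, saves the result as a dated CSV snapshot, compares it with the previous week’s snapshot to show who registered in the meantime, and works out the weekly registration rate needed to clear the backlog before the September 6, 2026 enforcement date. The snapshot folder path is an assumption; the cmdlet, its filter properties and the AuditLog.Read.All scope are those named in the article.

```powershell
# Added example (not from the original post): weekly tracker for SSPR-enabled
# accounts that still have no registered authentication method.
# Assumes the Microsoft.Graph.Reports module is installed and the signed-in
# account holds AuditLog.Read.All. The snapshot folder is an assumed location.
$SnapshotFolder = "C:\Temp\SSPR"
$Deadline       = Get-Date "2026-09-06"   # enforcement date from MC1325414

Connect-MgGraph -Scopes "AuditLog.Read.All"

# Same filter as the one-liner above. The report is summary data, so it can
# lag Entra ID slightly; that is acceptable for a weekly trend check.
$Outstanding = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All `
    -Filter "isSsprEnabled eq true and isSsprRegistered eq false" |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin)

New-Item -Path $SnapshotFolder -ItemType Directory -Force | Out-Null
$ThisFile = Join-Path $SnapshotFolder ("sspr-unregistered-{0:yyyy-MM-dd}.csv" -f (Get-Date))
$Outstanding | Export-Csv -Path $ThisFile -NoTypeInformation -Encoding UTF8

# Compare with the most recent earlier snapshot, if one exists.
$Previous = Get-ChildItem -Path $SnapshotFolder -Filter "sspr-unregistered-*.csv" |
    Where-Object { $_.FullName -ne $ThisFile } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

if ($Previous) {
    $Old = @(Import-Csv -Path $Previous.FullName)
    $NowRegistered = @($Old | Where-Object { $_.UserPrincipalName -notin $Outstanding.UserPrincipalName })
    $NewlyFlagged  = @($Outstanding | Where-Object { $_.UserPrincipalName -notin $Old.UserPrincipalName })
    Write-Host ("Registered since {0:yyyy-MM-dd}: {1}" -f $Previous.LastWriteTime, $NowRegistered.Count)
    Write-Host ("Newly SSPR-enabled accounts without a method: {0}" -f $NewlyFlagged.Count)
}

# Weekly registration rate needed to clear the backlog before enforcement.
$WeeksLeft = [math]::Max(1, [math]::Floor(($Deadline - (Get-Date)).TotalDays / 7))
$Needed    = [math]::Ceiling($Outstanding.Count / $WeeksLeft)
Write-Host ("Still outstanding: {0}; weeks left: {1}; needed per week: {2}" -f $Outstanding.Count, $WeeksLeft, $Needed)

# Administrator accounts deserve first attention: they are also the escalation
# path for users locked out of SSPR after the deadline.
$Outstanding | Where-Object { $_.IsAdmin -eq $true } |
    Format-Table UserPrincipalName, UserDisplayName -AutoSize
```

Run it from the same account each week so the snapshots accumulate in one folder; the CSV files also serve as evidence of the campaign's progress if anyone asks later why a user could not reset their password.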
