Message Center
Updated June 26, 2026: We have updated the timeline. Thank you for your patience.
What and Why
You’re receiving this message because your organization uses Microsoft Entra ID Self-Service Password Reset (SSPR).
Currently, SSPR may allow users to verify their identity using contact information stored in directory attributes such as mobile phone, business phone, and alternate email, even if those values were never explicitly registered as authentication methods.
To strengthen identity security, SSPR will require explicitly registered authentication methods for verification. This change is part of Microsoft’s Secure Future Initiative and ensures password reset verification is based on trusted, user-validated methods rather than directory-sourced attributes.
Rollout Schedule
Impact on Your Organization
Who is affected
Platforms/Services
What will happen
Action Required / Recommendations
Action is required before September 7, 2026.
Learn more:
Compliance Considerations
| Question | Answer |
| Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Directory attributes (such as phone/email) will no longer be used for SSPR unless explicitly registered as authentication methods. |
| Does the change alter admin monitoring/reporting? | Yes. Admins can monitor registration coverage via updated reporting in the Entra admin center. |
| Does the change include admin controls? | Yes. Admins control SSPR policies and registration requirements. |
What and Why
You’re receiving this message because your organization uses Microsoft Entra ID Self-Service Password Reset (SSPR).
Currently, SSPR may allow users to verify their identity using contact information stored in directory attributes such as mobile phone, business phone, and alternate email, even if those values were never explicitly registered as authentication methods.
To strengthen identity security, SSPR will require explicitly registered authentication methods for verification. This change is part of Microsoft’s Secure Future Initiative and ensures password reset verification is based on trusted, user-validated methods rather than directory-sourced attributes.
Rollout Schedule
Impact on Your Organization
Who is affected
Platforms/Services
What will happen
Action Required / Recommendations
Action is required before September 7, 2026.
Learn more:
Compliance Considerations
| Question | Answer |
| Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Directory attributes (such as phone/email) will no longer be used for SSPR unless explicitly registered as authentication methods. |
| Does the change alter admin monitoring/reporting? | Yes. Admins can monitor registration coverage via updated reporting in the Entra admin center. |
| Does the change include admin controls? | Yes. Admins control SSPR policies and registration requirements. |