Microsoft has announced a security update to its Entra ID Self-Service Password Reset feature, introducing stricter authentication requirements aimed at reducing identity-based attacks. The change will require users to rely only on explicitly registered authentication methods, ending the use of unverified directory-stored contact information for password reset verification.
Stricter Verification Under Secure Future Initiative
The update is part of Microsoft’s broader Secure Future Initiative, which seeks to strengthen identity verification across its platforms. Enforcement is scheduled to begin on September 7, 2026, after a registration campaign starting on July 6, 2026, to prompt users to configure proper authentication methods in advance.
Currently, Microsoft Entra ID allows users to verify their identity during password resets using contact details stored in directory attributes, including mobile phone numbers, business phone numbers and alternate email addresses.
Microsoft said such values may exist in the directory without having been explicitly registered or validated as authentication methods, creating potential security risks.
Unregistered Methods to Be Blocked
Under the new policy, only authentication methods explicitly registered by users will be accepted for Self-Service Password Reset verification. Directory attributes including mobilePhone, businessPhone and otherMails will no longer be treated as valid unless formally registered within the authentication methods framework.
Users who do not complete the registration process will be unable to reset their passwords once enforcement begins. Microsoft noted that about 86 percent of current password reset verifications already rely on registered methods, meaning most organisations may face limited disruption.
However, remaining users who depend on unregistered directory information could face access issues unless organisations take proactive steps before the deadline.
Enterprises and Government Tenants Told to Prepare
The update applies broadly across environments where Entra ID is deployed, including public cloud and US government cloud environments such as GCC, GCC High and DoD. The change will affect all users in tenants with Self-Service Password Reset enabled, including administrators.
Organisations have been advised to ensure that users have at least one compliant authentication method registered before enforcement begins. Microsoft has recommended that administrators review registration coverage through the Entra admin center, enable the upcoming registration campaign and clearly communicate the changes to IT teams, helpdesk staff and end users.
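A registration-coverage triage a tenant administrator could run before the deadline, as an added example that is not part of the announcement or any Microsoft tool; it assumes records shaped like the Microsoft Graph registration report and user resources named in the comments, and all sample records are constructed:

```python
# Added example (not from the Microsoft announcement or any Microsoft tool): classify
# SSPR-enabled users by whether their password-reset verification would survive the
# switch to registered-methods-only. Record shapes are assumed to follow two Graph
# resources an admin would export:
#   GET /reports/authenticationMethods/userRegistrationDetails
#       -> userPrincipalName, isSsprEnabled, methodsRegistered (list of method names)
#   GET /users?$select=userPrincipalName,mobilePhone,businessPhones,otherMails
# Directory attributes that SSPR stops honouring unless registered as methods.
DIRECTORY_FALLBACK_ATTRS = ("mobilePhone", "businessPhones", "otherMails")


def _has_value(value):
    # mobilePhone is a string or None; businessPhones and otherMails are lists.
    return any(value) if isinstance(value, list) else bool(value)


def triage_sspr_users(registration_rows, directory_users):
    """Return {upn: (status, attrs)} where status is 'registered' (compliant),
    'directory_only' (verification currently rests on unregistered directory
    attributes, so the user is blocked at enforcement) or 'no_method'."""
    by_upn = {u["userPrincipalName"]: u for u in directory_users}
    result = {}
    for row in registration_rows:
        if not row.get("isSsprEnabled"):
            continue  # SSPR not enabled for this user; the change does not apply
        upn = row["userPrincipalName"]
        attrs = [a for a in DIRECTORY_FALLBACK_ATTRS
                 if _has_value(by_upn.get(upn, {}).get(a))]
        if row.get("methodsRegistered"):
            result[upn] = ("registered", [])
        elif attrs:
            result[upn] = ("directory_only", attrs)
        else:
            result[upn] = ("no_method", [])
    return result


SAMPLE_REGISTRATION = [  # constructed sample data, not tenant data
    {"userPrincipalName": "alice@contoso.example", "isSsprEnabled": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "isSsprEnabled": True,
     "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isSsprEnabled": True,
     "methodsRegistered": []},
    {"userPrincipalName": "dave@contoso.example", "isSsprEnabled": False,
     "methodsRegistered": []},
]
SAMPLE_DIRECTORY = [  # constructed sample data, not tenant data
    {"userPrincipalName": "alice@contoso.example", "mobilePhone": "+1 555 0100",
     "businessPhones": [], "otherMails": []},
    {"userPrincipalName": "bob@contoso.example", "mobilePhone": None,
     "businessPhones": ["+1 555 0101"], "otherMails": ["bob@mail.example"]},
    {"userPrincipalName": "carol@contoso.example", "mobilePhone": None,
     "businessPhones": [], "otherMails": []},
]
```

The `directory_only` group is the population the registration campaign needs to reach; `no_method` users already have no self-service reset path and need helpdesk onboarding regardless.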
According to Message ID MC1325414 published on May 28, 2026, the update improves compliance controls by restricting password reset flows to verified authentication methods only. It also improves administrative visibility by providing better reporting on authentication method registration within the Entra admin center.
Microsoft said the change reflects a wider industry move toward stronger identity assurance and reduced reliance on unverified data, helping organisations limit the risks of account takeover and unauthorised access.