CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 01, 2026

Microsoft Tightens Entra ID Password Resets With New Authentication Change

Cybersecurity News Archived Jun 01, 2026 ✓ Full text saved

Microsoft has announced a significant security update to its Entra ID Self-Service Password Reset (SSPR) feature, introducing stricter authentication requirements designed to reduce identity-based attacks. The update mandates the use of explicitly registered authentication methods, removing reliance on directory-stored contact information that has not been formally verified. The change is part of Microsoft’s broader Secure […] The post Microsoft Tightens Entra ID Password Resets With New Authent

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Microsoft Tightens Entra ID Password Resets With New Authentication Change By Abinaya June 1, 2026 Microsoft has announced a significant security update to its Entra ID Self-Service Password Reset (SSPR) feature, introducing stricter authentication requirements designed to reduce identity-based attacks. The update mandates the use of explicitly registered authentication methods, removing reliance on directory-stored contact information that has not been formally verified. The change is part of Microsoft’s broader Secure Future Initiative, which aims to strengthen identity verification across its platforms. Enforcement is scheduled to begin on September 7, 2026, following a registration campaign that will start on July 6, 2026, prompting users to configure proper authentication methods in advance. Currently, Microsoft Entra ID allows users to verify their identity during password reset using contact details stored in directory attributes such as mobile phone numbers, business phone numbers, or alternate email addresses. Microsoft Hardens Entra ID Password Resets These values may exist in the directory without having been explicitly registered or validated as authentication methods, which introduces potential security risks. Under the new policy, only authentication methods explicitly registered by users will be accepted for SSPR verification. Directory attributes including mobilePhone, businessPhone, and otherMails will no longer be considered valid unless they are formally registered within the authentication methods framework. As a result, users who have not completed this registration process will be unable to reset their passwords once enforcement begins. Microsoft notes that approximately 86 percent of current password reset verifications already rely on registered methods, indicating that most organizations may experience minimal disruption. However, the remaining users who depend on unregistered directory information could face access issues if organizations do not take proactive measures. The update applies broadly across all environments where Entra ID is deployed, including public cloud and U.S. government cloud environments such as GCC, GCC High, and DoD. This wide scope means that both enterprise and government organizations must prepare accordingly. From an operational standpoint, the change will affect all users in tenants with SSPR enabled, including administrators. Organizations must ensure that users have at least one compliant authentication method registered before the enforcement deadline. Microsoft recommends that administrators review registration coverage through the Entra admin center, enable the upcoming registration campaign to drive user compliance, and communicate the changes clearly to IT teams, helpdesk staff, and end users. Additionally, organizations are advised to establish fallback processes for users who may be unable to self-register. This includes implementing helpdesk-assisted registration workflows and alternative onboarding procedures for restricted or remote users. Without these measures in place, helpdesk volumes may increase significantly after enforcement, as unregistered users will be blocked from completing password resets. According to Message ID MC1325414 published on May 28, 2026, the update improves compliance controls by restricting password reset flows to verified authentication methods only. It also enhances administrative visibility by providing improved reporting on authentication method registration within the Entra admin center. Overall, this update reflects a broader industry trend toward stronger identity assurance and reduced reliance on unverified data, helping organizations mitigate the risks of account takeover and unauthorized access. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Google Chrome’s Device-Bound Session Credentials Now GA to Block Account Takeovers India’s CERT-In Asks Organizations to Patch Vulnerabilities in Systems Within 12 hours Microsoft Investigates MFA Setup Failure and MySigns-In Portal Outage JINX-0164 Threat Actor Using LinkedIn Social Engineering to Deploy Custom macOS Malware Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware Latest News Cyber Security News New DriveSurge Threat Actor Uses ClickFix and Fake Updates to Infect Website Visitors Cyber Security Microsoft Investigates MFA Setup Failure and MySigns-In Portal Outage Cyber Security News Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package Cyber Security News Hackers Attacking Signal Users to Steal Backups in New Wave of Attacks Cyber Security News Microsoft Clarifies It Won’t Sue Security Researchers Amid Nightmare-Eclipse Controversy
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 01, 2026
    Archived
    Jun 01, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗