Microsoft has announced a firm enforcement date for a change that will affect every organisation using Microsoft Entra Self-Service Password Reset. From September 7, 2026, users will only be able to reset their own passwords using methods they have explicitly registered. Phone numbers and email addresses stored in directory properties — but never formally registered — will no longer be accepted. If you have not already audited your SSPR configuration and confirmed your users have registered methods, the clock is running.
What Is Actually Changing
Today, Microsoft Entra SSPR accepts two types of contact data for verification: methods that a user has explicitly registered (via My Security Info or a registration campaign), and contact data sourced directly from directory properties — specifically mobilePhone, businessPhone, and otherMails on the user object — even if the user has never gone through an authentication method registration flow.
After September 7, only the first category is accepted. Directory-sourced properties that were never registered will be ignored. A user whose only "method" is a phone number populated by HR into the directory, but who never registered it as an authentication method, will be unable to reset their password through SSPR.
Why Microsoft is making this change
Directory-sourced phone numbers carry no proof of possession — they were entered by an administrator or HR system, not verified by the user. Allowing them for password reset creates a gap where an attacker who manipulates directory data could trigger a password reset to a phone they control. Requiring explicit registration closes that gap by ensuring the user themselves verified the method.
Key Dates
July 6, 2026
Registration campaign begins
Microsoft automatically prompts affected users to register authentication methods during sign-in. No admin action needed to trigger this — it runs automatically for users who lack a registered method.
September 7, 2026
Enforcement begins
SSPR stops accepting unregistered directory-sourced methods. Users with only directory phone numbers or emails and no registered methods will be unable to self-reset their password.
This change applies to all users including administrators, across Public cloud, GCC, GCC High, and DoD environments.
Who Is at Risk
The users most likely to be caught out are:
- Employees onboarded via HR provisioning where mobile or business phone was populated in the directory but the user was never sent through a security info registration flow
- Users in organisations that relied on the legacy SSPR "contact info" model without enforcing the combined registration experience
- Administrators whose only reset method is a directory phone number that was never registered — the enforcement applies to admins too
- Organisations that migrated from on-premises AD where phone numbers were synced via Entra Connect but authentication method registration was never rolled out
What to Do Before July 6
You have until July 6 before Microsoft's automatic campaign starts. Use this window to proactively identify and resolve gaps so users are not surprised by a registration prompt during sign-in.
Audit who has registered authentication methods
In the Microsoft Entra admin center, go to Protection → Authentication methods → User registration details. Filter for users with SSPR enabled but zero registered methods. These are your at-risk users.
Run a registration campaign before July 6
Go to Protection → Authentication methods → Registration campaign. Configure it to prompt users who are missing methods. Running this yourself now means you control the messaging and timing — rather than waiting for Microsoft's automatic campaign to start.
Communicate to users before the prompt appears
Send an email or Teams message to users in scope telling them they will see a prompt to register their security info and why. A heads-up prevents helpdesk tickets from users confused by an unexpected registration screen at sign-in.
Pre-populate registration for bulk users (optional)
Administrators can pre-register phone numbers or email addresses on behalf of users using the Microsoft Entra admin center or Microsoft Graph API. This is especially useful for large numbers of users who may not complete self-registration before the deadline.
Check the related Windows Hello and Platform SSO change
From July 6, Conditional Access policies targeting the Register security information action will also apply to Windows Hello for Business provisioning and macOS Platform SSO registration. If you have CA policies scoped to security info registration, verify they do not block these flows unintentionally.
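For the audit step above, the same filter (SSPR enabled, zero registered methods) can be run offline against exported data. This is an added example, not Microsoft's or this article's code. It assumes the registration report and user objects have already been exported from Microsoft Graph; the sample records are constructed, the field names follow the Graph userRegistrationDetails and user resources (where the business phone property is named businessPhones), and the status labels are hypothetical.

```python
# Added example. Records are constructed; field names follow the Microsoft Graph
# userRegistrationDetails and user resources. Status labels are hypothetical.
REGISTRATION = [
    {"id": "1", "userPrincipalName": "hr.onboarded@example.com", "isAdmin": False,
     "isSsprEnabled": True, "methodsRegistered": []},
    {"id": "2", "userPrincipalName": "admin@example.com", "isAdmin": True,
     "isSsprEnabled": True, "methodsRegistered": []},
    {"id": "3", "userPrincipalName": "registered@example.com", "isAdmin": False,
     "isSsprEnabled": True, "methodsRegistered": ["mobilePhone", "email"]},
    {"id": "4", "userPrincipalName": "no.contact@example.com", "isAdmin": False,
     "isSsprEnabled": True, "methodsRegistered": []},
    {"id": "5", "userPrincipalName": "sspr.off@example.com", "isAdmin": False,
     "isSsprEnabled": False, "methodsRegistered": []},
]
DIRECTORY = {  # keyed by user id
    "1": {"mobilePhone": "+1 555 0100", "businessPhones": [], "otherMails": []},
    "2": {"mobilePhone": None, "businessPhones": ["+1 555 0101"], "otherMails": []},
    "3": {"mobilePhone": "+1 555 0102", "businessPhones": [], "otherMails": []},
    "4": {"mobilePhone": None, "businessPhones": [], "otherMails": []},
    "5": {"mobilePhone": None, "businessPhones": [], "otherMails": ["x@example.org"]},
}
CONTACT_PROPS = ("mobilePhone", "businessPhones", "otherMails")

def directory_contacts(user):
    """Names of directory properties that currently hold contact data."""
    return [p for p in CONTACT_PROPS if user.get(p)]

def audit(registration, directory):
    """SSPR-enabled users with zero registered methods, admins listed first."""
    findings = []
    for rec in registration:
        if not rec.get("isSsprEnabled") or rec.get("methodsRegistered"):
            continue  # out of SSPR scope, or already has a registered method
        props = directory_contacts(directory.get(rec["id"], {}))
        findings.append({
            "upn": rec["userPrincipalName"],
            "isAdmin": bool(rec.get("isAdmin")),
            "directoryProps": props,
            # Directory-only data works today but is ignored after enforcement.
            "status": "directory-only" if props else "no-contact-data",
        })
    return sorted(findings, key=lambda f: (not f["isAdmin"], f["upn"]))

if __name__ == "__main__":
    for f in audit(REGISTRATION, DIRECTORY):
        print(f)
```

Users reported as directory-only are the ones who can reset today and will lose that path at enforcement; those with no contact data need registration regardless.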
Quick summary for IT admins
- SSPR stops accepting unregistered directory phone/email on September 7, 2026
- Microsoft's automatic registration campaign starts July 6, 2026 — run your own before then
- Audit user registration status now: Entra admin center → Authentication methods → User registration details
- Applies to all users and admins across all cloud environments
- Pre-populate registration for bulk users if needed via the admin center or Graph API