Newsletter
Stay up to date with our monthly newsletter.
Covering the latest thought leadership, events, and news about identity security
What We Do
Partners
© MajorKey 2026

Microsoft recently released a major security update announcement for Microsoft Entra ID. Starting September 7, 2026, Microsoft Entra ID Self-Service Password Reset (SSPR) will only honor explicitly registered authentication methods. Phone numbers and alternate email addresses that merely exist in the directory will no longer count unless they have been formally registered.
While the update aims to close a persistent vulnerability in SSPR, the immediate danger for most enterprise organizations isn't the code change itself. The biggest risk is the operational blast radius resulting from the update.
This blog details what C-suite leaders need to know about the upcoming Microsoft Entra ID SSPR changes, its operational risks, and how to mitigate them.
Historically, Microsoft Entra ID allowed a security fallback: if a user needed to reset their password via SSPR but had never formally registered an authentication method, Microsoft Entra ID would pull a phone number or alternate email address directly from their user object properties in the directory.
That safety net is being turned off.
To align with modern identity governance and enforce true proof of possession, Microsoft Entra ID will soon reject these directory-sourced, unregistered attributes.
There are two dates to be aware of for this rollout:
July 6, 2026: Registration Campaign Begins
Microsoft will begin prompting users and admins to formally register their authenticators upon login.
September 7, 2026: Hard Enforcement Deadline Begins
Unregistered phone numbers and emails will no longer be accepted for SSPR. If a user has not registered an authentication method, they will be entirely locked out of self-service recovery
If your IT strategy treats this strictly as an automated backend patch, you are setting your helpdesk up for a massive wave of lockouts and escalating a routine access issue into a business continuity incident.
When users don’t have registered methods, self-service recovery falls back to IT. And when the gap is a privileged or break-glass account, a routine access issue can escalate fast because administrator recovery is stricter and emergency access must be intentionally designed and tested.
The organizations that navigate this transition successfully will treat it as an identity governance initiative, not a technical update. At MajorKey Technologies, we help clients establish visibility into authentication method coverage, strengthen privileged account resiliency, and implement readiness plans that reduce operational risk before it impacts the business.
If you're unsure whether your environment is ready for Microsoft's upcoming enforcement deadline, contact us for a Microsoft Entra ID readiness review with Microsoft identity experts.
More information from Microsoft can be found here.
No. This change specifically targets the identity verification paths within the Self-Service Password Reset (SSPR) workflow. However, if your users share registration methods across both MFA and SSPR (which is standard practice via Microsoft Entra’s combined registration experience), they are likely already compliant.
You cannot simply look at whether SSPR is "enabled" globally. You need to identify users where isSsprEnabled = true but isSsprRegistered = false. This can be audited inside the Microsoft Entra Admin Center under Protection > Authentication methods > User registration details.
This is one of the highest risks of the update. Emergency access accounts are often excluded from standard MFA policies and are rarely logged into, meaning they won't trigger the automated registration campaign prompts naturally. If these accounts rely on a static alternative email or phone number listed in the directory for emergency recovery, they will become unrecoverable via SSPR after September 7. These accounts must be audited and updated manually.
If a user hasn't explicitly registered an authentication method by September 7 and forgets their password, self-service recovery will fail. The user will be blocked and instructed to contact their IT administrator. At that point, a service desk agent or IAM admin will have to manually reset the password or issue a Temporary Access Pass (TAP) so the user can log in and complete their formal registration.

