
Microsoft Entra ID is the Redmond tech company's identity and access management (IAM) system that powers authentication, single sign-on (SSO), multi-factor authentication (MFA), and conditional access policy mechanisms used to govern access to internal organizational resources and external applications. It was previously known as Azure Active Directory (AAD), before being renamed to Entra ID in 2023. Now, Microsoft has announced a significant change for Entra ID customers.
In a Message Center update tagged as MC1325414, Microsoft has begun informing customers that it will soon allow only registered authentication mechanisms for the Self-Service Password Reset (SSPR) portal. Right now, users can leverage any attribute stored in their contact information such as mobile phone, business phone, and alternate email, even if these methods have not been registered as authentication methods.
In a bid to further enhance security, SSPR will mandate authenticated and trusted methods rather than relying on contact attributes stored in the directory. From July 6, Microsoft will kick off a campaign that will prompt impacted users to register their authentication methods. Then, on September 7, the company will begin its enforcement process after which the unregistered methods will not be supported. This means that general availability is scheduled for September 2026.
Microsoft has noted that 86% of Entra ID SSPR users already use registered methods, so they are not impacted. However, after September 7, affected users will not be able to perform password resets and will be asked to register an authentication method or contact their IT admins. It's worth noting that this change does not mean that phone numbers and alternate email addresses won't be allowed as authentication methods, but it does mandate their registration first.
IT admins have been encouraged to review their SSPR coverage via Microsoft Entra admin center > Authentication methods > User registration details, and to ensure that every user (especially IT admins themselves) has at least one registered authentication method. They should also put fallback plans in place and start informing users about this change now.
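One way to pull that same coverage data out of Microsoft Graph and list the users who would be affected, as an added example rather than code from the article or from Microsoft; it assumes the Microsoft.Graph.Reports module is installed and that the signed-in account has the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes, and the CSV path is a placeholder.

```powershell
# Added example (not from the article or Microsoft): find users who are in scope
# of SSPR but have no registered authentication method, so they can be contacted
# before enforcement. Assumed scopes: AuditLog.Read.All, UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# userRegistrationDetails is the report behind the admin center's
# "Authentication methods > User registration details" blade.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# IsSsprEnabled: the user is covered by the SSPR policy.
# IsSsprRegistered: the user has registered enough methods to reset a password.
# The gap between the two is exactly the population the article says will be blocked.
$atRisk = $details | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered }

# Admins first, since a locked-out admin is the worst-case fallback scenario.
$report = $atRisk |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, IsAdmin, IsSsprCapable,
        @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ', ' } }

$report | Format-Table -AutoSize

# Export for the user-communication campaign (placeholder path).
$report | Export-Csv -Path '.\sspr-unregistered-users.csv' -NoTypeInformation

$enabledCount = @($details | Where-Object { $_.IsSsprEnabled }).Count
$adminCount   = @($atRisk | Where-Object { $_.IsAdmin }).Count
Write-Host ("{0} of {1} SSPR-enabled users have no registered method ({2} are admins)" -f @($atRisk).Count, $enabledCount, $adminCount)
```

Re-run it after the registration campaign starts to track how the unregistered population shrinks ahead of the enforcement date.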
Microsoft has flagged this as a "Major Change" in the Message Center, which makes sense considering it introduces significant compliance considerations. It also enhances the cybersecurity posture of firms as Entra ID is an essential component protecting organizational resources. This change is a part of Microsoft's Secure Future Initiative (SFI), which aims to beef up cybersecurity perimeters.