TL;DR
- Reset Rule: Microsoft Entra ID password resets will require pre-registered recovery methods after September 7.
- Enrollment Push: Microsoft plans a registration campaign to move users off stored contact data and onto approved factors.
- Enrollment Rate: Microsoft says about 86% of SSPR verifications already use registered methods, leaving a smaller deadline group to fix.
- Admin Impact: Accounts that miss the cutoff may lose self-service recovery and send more reset traffic to IT teams.
Entra ID password resets will require registered authentication methods after September 7. Under the new rule, recovery will depend on approved methods users enrolled in advance instead of on directory details that were not typically approved as recovery factors.
Users who have not already enrolled a recovery factor are among those likely to feel the change first. Microsoft says about 86% of SSPR verifications already use registered methods, which leaves a smaller but still meaningful group that could lose self-service recovery if admins do not close the gap before the deadline.
Users who arrive at enforcement without an approved recovery factor may have to register one or contact an administrator. For tenants, that turns a narrow identity-policy change into a practical access and support issue.
How the Reset Rule Changes
Current reset flows can still rely on directory attributes such as mobile phone, business phone, and alternate email in some cases. After enforcement, those stored values will work only when they have already been set up as approved recovery methods.
User accounts synchronized from on-premises with Entra Connect can populate SSPR-related user records before a person manually enrolls a recovery factor. In practice, that helps explain why some tenants may see phone numbers or alternate email addresses already present in the service even when those values are not yet trusted as registered reset factors.
Microsoft still lists general availability in September 2026 after the July campaign begins, giving tenants roughly two months to prepare. Even for organizations that already manage identity policy closely, that is a short window to find weakly enrolled accounts, verify that prepopulated records map to approved methods, and fix gaps before reset requests fall back to IT.
Why Admins Need a Registration Push
Microsoft applies the change across public cloud and US government cloud variants, including GCC, GCC High, and DoD environments. Organizations that run mixed tenant estates or tightly controlled access policies will have to work against the same timeline across those environments.
Admin teams are being pushed to review registration coverage in the Entra admin center and identify people who still lack an approved recovery factor. Stored contact data can prepopulate user records, but that convenience does not remove the need for each affected person to complete method registration before the cutoff.
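One way to run that review offline, as an added example that is not Microsoft's code and not part of the original article. It assumes the per-user data has been exported in the shape of Microsoft Graph's userRegistrationDetails report, which the article does not name; the sample records and the function name `sspr_gaps` are constructed for illustration.

```python
import json

# Constructed sample, shaped like a Graph userRegistrationDetails response.
# (Assumption: the article itself only mentions the Entra admin center.)
SAMPLE_EXPORT = json.dumps({"value": [
    {"userPrincipalName": "ana@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": True,
     "methodsRegistered": ["mobilePhone", "email"]},
    {"userPrincipalName": "ben@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "cara@contoso.example", "isAdmin": True,
     "isSsprEnabled": True, "isSsprRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "dev@contoso.example", "isAdmin": False,
     "isSsprEnabled": False, "isSsprRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "eli@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
]})


def sspr_gaps(export_json):
    """Summarize who is in SSPR scope but has no registered reset method."""
    users = json.loads(export_json)["value"]
    # Only users for whom SSPR is enabled can lose self-service recovery.
    in_scope = [u for u in users if u.get("isSsprEnabled")]
    missing = [u for u in in_scope if not u.get("isSsprRegistered")]
    # Admins first, then alphabetical, so outreach starts with privileged accounts.
    missing.sort(key=lambda u: (not u.get("isAdmin", False), u["userPrincipalName"]))
    covered = len(in_scope) - len(missing)
    pct = round(100 * covered / len(in_scope), 1) if in_scope else 100.0
    return {
        "in_scope": len(in_scope),
        "coverage_pct": pct,
        "missing": [u["userPrincipalName"] for u in missing],
        "missing_admins": [u["userPrincipalName"] for u in missing if u.get("isAdmin")],
    }


if __name__ == "__main__":
    print(json.dumps(sspr_gaps(SAMPLE_EXPORT), indent=2))
```

The `missing` list is the outreach queue for the registration campaign; users with SSPR disabled are left out because the reset rule does not change anything for them.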
Users can also encounter a prompt asking for more information during sign-in before they get full access. During normal account use, that built-in prompt can shift part of the enrollment work away from reminders or manual outreach.
Accounts that still lack a registered method may run into service desk bottlenecks. For admins, that remains the clearest operational consequence of a policy update that might otherwise look like a minor change in reset wording.
Where the Change Fits in Microsoft’s Identity Hardening
When self-service password reset is used, Entra password policies are checked. Microsoft also says phone numbers and alternate email addresses remain valid recovery factors when they are registered first, which sharpens the distinction between stored account data and methods the service is prepared to trust during recovery.
Administrator accounts already use a strong two-gate password reset policy by default, and this rollout extends that stricter posture deeper into password recovery.
Microsoft has already used an automatic passkey-profile rollout for other Entra changes this year, giving tenants another example of a staged identity change with a short preparation window before defaults take effect. For teams with weak enrollment now, the July warning period looks like the practical window to close recovery gaps before password reset traffic starts landing back with IT.

