Microsoft tightens Self-Service Password Reset in 2026

SSPR stands for Self-Service Password Reset. It lets users reset their own password without calling the help desk, by confirming their identity with for example an authenticator app, an SMS code or an alternate email address.

The feature comes in two variants, and this is where the license matters:

• •Cloud-only reset (for accounts that live in Entra ID): included in all Microsoft 365 plans.
• •Reset with writeback to on-premises Active Directory (password writeback): requires Entra ID P1. This is typically relevant for organizations with a hybrid setup, where user accounts sync between an on-premises server and the cloud.

Entra ID P1 (formerly Azure AD Premium P1) is included with Microsoft 365 Business Premium, Microsoft 365 E3, E5 and E7. If you only have Business Basic or Standard, P1 must be purchased separately to get writeback.

The two changes below apply to the reset flow itself and therefore affect both variants.

Today SSPR can in some cases verify a user based on contact details stored in the directory, for example a phone number or an email address entered by an administrator. Microsoft is stopping that.

From 7 September 2026, SSPR only accepts sign-in methods the user has actively registered themselves. Details pulled directly from the directory no longer count as a valid method.

To give users time, Microsoft starts a registration campaign:

Microsoft notes that about 86 percent of all SSPR verifications already use registered methods today. So it is the last group without registration you need to reach.

The second change is purely technical and requires no action from you. Microsoft removes the old CAPTCHA (the distorted letters you have to type) that users meet in the web SSPR flow.

Instead, Microsoft uses two things behind the scenes:

• •Backend throttling that slows down suspicious automated traffic.
• •Behavior-based abuse detection that recognizes attack patterns rather than posing a task to a human.

The rollout runs from late July 2026 and completes around mid-August 2026. Microsoft stresses that it does not affect users' ability to reset their password. Users skip an extra step, and the protection against automated attacks happens with no setup on your side.

The most important deadline is the registration requirement on 7 September. Here is how to get ready:

Most of these changes affect everyone, regardless of license, because they apply to the reset flow itself. But if you want password writeback (a reset that also updates an on-premises Active Directory in a hybrid setup), that requires Entra ID P1.

Entra ID P1 (the former name was Azure AD Premium P1) is included with:

If you have Business Basic or Standard, Entra ID P1 can be purchased separately. But before you do, it is worth calculating whether a move to Business Premium gives more value, because on top of P1 you also get device management with Intune and Defender for Business.

Sources: Microsoft Message Center MC1325414 and MC1400824, and Microsoft Learn on SSPR licensing requirements.