Microsoft changes password reset checks from September 2026
Microsoft Message Center item MC1325414 says Microsoft Entra ID self-service password reset will require explicitly registered authentication methods from 7 September 2026. A registration campaign begins on 6 July 2026. After enforcement starts, directory-sourced contact details such as mobile phone, business phone, and alternate email will not be accepted for password reset verification unless they are registered as authentication methods.
Before this change, a user might still reset a forgotten password using contact details that were stored in their profile, even if they had never deliberately registered those details for recovery. That made password reset feel simple, but it also left a hidden dependency most people only discovered when they were already locked out. Now the recovery path depends on registered security information. For everyday Microsoft 365 users, the practical risk is not a new security rule to memorise; it is losing the normal self-service route and needing admin help at the worst moment because no compatible method was set up in time.
Analysis
Open My Security Info and make sure you have at least one registered method that works for self-service password reset. If your organisation starts showing the July registration prompt, treat it as account-recovery setup rather than optional housekeeping.
Pulse published by Collab365 Spaces. Cite as "Microsoft changes password reset checks from September 2026", Collab365 Spaces. 1 source referenced.