Most people treat MFA, SSPR and passwordless as three separate configuration screens. That mental model creates gaps — users get prompted to register twice, or lose SSPR access because a phone number stored in Active Directory never became a registered authentication method.
Microsoft Entra ID has one authentication-methods policy that is the single source of truth for every factor. Methods you enable there flow into MFA challenges, SSPR gates and passwordless sign-in simultaneously. The combined registration experience surfaces them to users in one unified flow. Getting the policy right — and understanding the September 2026 SSPR enforcement change — is what separates a working identity deployment from a help-desk flood.
① The authentication-methods policy — one control plane for every factor
The authentication-methods policy (Entra admin centre ▸ Protection ▸ Authentication methods) is the single place you enable or disable each credential type: passkeys (FIDO2), Microsoft Authenticator (push notifications + passwordless phone sign-in), OATH hardware/software TOTP tokens, SMS, Voice call, Email OTP, Temporary Access Pass (TAP) and Certificate-Based Authentication (CBA). Each method can be targeted to all users or to specific include/exclude groups, so you can roll out passkeys to a pilot group before enabling them tenant-wide.
The policy feeds three use-cases simultaneously. When a user is challenged for MFA, Entra offers only the methods the policy allows and the user has registered. When a user starts an SSPR flow, only policy-allowed and explicitly registered methods appear as reset options. When a user enrols for passwordless, the same policy governs which credentials they can add. Writing the policy correctly once prevents users hitting dead ends across all three flows.
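To make the include/exclude targeting concrete, here is an added example (not code from the lesson or from Microsoft) that resolves which methods the policy makes available to a user given their group memberships. The policy document is a constructed sample shaped like the Graph API `GET /policies/authenticationMethodsPolicy` resource; the group ids are placeholders.

```python
# Added example: resolve the effective authentication methods for one user from
# the authentication-methods policy's per-method state and group targeting.
# SAMPLE_POLICY is a constructed, trimmed-down document in the shape of the Graph
# resource GET /policies/authenticationMethodsPolicy (assumed shape).
from typing import Iterable

ALL_USERS = "all_users"  # the targetType=group id Entra uses for "all users"

# Constructed sample: passkeys piloted to one group, SMS on for everyone except
# a privileged group, Authenticator tenant-wide, Voice disabled outright.
SAMPLE_POLICY = {
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "grp-passkey-pilot"}],
         "excludeTargets": []},
        {"id": "MicrosoftAuthenticator", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": ALL_USERS}],
         "excludeTargets": []},
        {"id": "Sms", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": ALL_USERS}],
         "excludeTargets": [{"targetType": "group", "id": "grp-privileged"}]},
        {"id": "Voice", "state": "disabled",
         "includeTargets": [{"targetType": "group", "id": ALL_USERS}],
         "excludeTargets": []},
    ]
}


def _targets_user(targets: Iterable[dict], groups: set[str]) -> bool:
    """True if any target is 'all users' or one of the user's groups."""
    return any(t.get("targetType") == "group"
               and (t["id"] == ALL_USERS or t["id"] in groups)
               for t in targets)


def effective_methods(policy: dict, user_groups: set[str]) -> set[str]:
    """Methods the user can register or be challenged with: the method must be
    enabled, the user must match an include target, and must not match an
    exclude target (exclusion wins, as in the admin centre)."""
    allowed = set()
    for cfg in policy["authenticationMethodConfigurations"]:
        if cfg.get("state") != "enabled":
            continue  # disabled methods never reach MFA, SSPR or passwordless
        if not _targets_user(cfg.get("includeTargets", []), user_groups):
            continue
        if _targets_user(cfg.get("excludeTargets", []), user_groups):
            continue
        allowed.add(cfg["id"])
    return allowed
```

The same resolution applies to all three flows, which is why a user excluded from SMS here will not see SMS as an MFA challenge, an SSPR gate or a registration option.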
② SSPR — scope, gates, methods and the 2026 enforcement change
SSPR is enabled at Entra admin centre ▸ Protection ▸ Password reset. The scope can be set to None, a selected group, or All users. The number of methods required to reset is 1 or 2 — Microsoft recommends 2 for higher assurance. Allowed reset methods draw from the authentication-methods policy: Authenticator app notification, Authenticator app code, Email, Mobile phone SMS, Mobile phone call, Office phone, and Security questions (for cloud-only accounts).
The September 2026 enforcement change
Until now, SSPR could accept contact information stored in directory attributes — a mobilePhone or otherMail value added by HR sync — even if that value was never explicitly registered as an authentication method. Starting September 7, 2026, SSPR will accept only methods the user (or an admin) has explicitly registered in their security-info. Microsoft is running a registration campaign from July 6, 2026 to prompt affected users. Admins should audit SSPR registration coverage in the Entra admin centre now and run a targeted registration campaign for any user who relies solely on directory attributes.
Password writeback (requires Entra ID P1 plus Microsoft Entra Connect or Cloud Sync) is also available: it pushes the new password from the cloud back to on-premises Active Directory in real time, so hybrid users do not end up in a split password state.
Key points so far:
- Authentication-methods policy: The single control plane in Entra ID that enables or disables each credential type (passkey, Authenticator, TOTP, SMS, TAP, CBA) with per-group targeting for all three use-cases: MFA, SSPR and passwordless.
- SSPR: Self-Service Password Reset — users verify identity with 1 or 2 registered authentication methods and set a new password without calling the help desk. From September 2026, only explicitly registered methods are accepted.
- Password protection: Global banned-password list (Microsoft-managed) + custom banned list (up to 1,000 org terms) checked at every password change or reset, with optional on-premises agents for AD DS domain controllers.
- Smart lockout: Cloud mechanism that temporarily blocks cloud authentication for an account after repeated failed attempts. Tracks familiar vs unfamiliar locations separately; does not lock the on-premises AD account.
- One vs two SSPR methods: One method is easier to set up but risky — if that one method (e.g. a phone number) becomes inaccessible, the user is locked out. Two methods give a fallback and are the Microsoft-recommended configuration for production. Enable both Authenticator app code and email OTP as a minimum.
③ Password protection — banned passwords and smart lockout
Microsoft Entra Password Protection enforces a global banned-password list maintained by Microsoft that is applied automatically to every tenant with no configuration needed. It catches common weak choices — not just dictionary words, but character-substitution variants such as P@ssw0rd. Organisations can layer a custom banned-password list (up to 1,000 terms) with company-specific words — brand names, product codes, city names common in credentials — applied at every password change or reset. Password Protection can also be extended on-premises via agents installed on domain controllers, bringing the same banned-list logic to AD DS password changes.
Smart lockout operates silently in the cloud. After a configurable number of consecutive failed password attempts (default threshold: 10 in the cloud), Entra ID temporarily blocks that account from cloud authentication for an increasing lockout duration. Smart lockout tracks familiar vs unfamiliar locations separately, so a legitimate user on their usual device is less likely to be blocked by an attacker trying from a new IP. Admins can adjust the lockout threshold and duration in Entra admin centre ▸ Protection ▸ Authentication methods ▸ Password protection. Importantly, smart lockout does not lock the on-premises AD account — hybrid environments need separate AD fine-grained password policies for that.
Smart lockout only throttles cloud authentication in Entra ID. If an attacker is hitting your on-premises AD directly (e.g. via Kerberos or LDAP on the LAN), smart lockout is blind to those attempts. Configure AD fine-grained password policies and account lockout policies on your domain controllers separately.
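To show why a substitution variant such as P@ssw0rd does not slip past the banned list, here is an added example (not the lesson's code and not Microsoft's implementation) modelling the publicly documented evaluation steps: normalise, strip banned terms, then score. It uses exact substring matching only; the real service additionally applies edit-distance-1 fuzzy matching and blocks the user's name and tenant name, which are left out here. The banned lists are constructed samples.

```python
# Added example: a simplified model of Entra Password Protection scoring.
# Documented behaviour modelled here: lower-case, apply common character
# substitutions, count each banned-term hit as 1 point and each remaining
# character as 1 point, and reject anything scoring under 5.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed lists: a few terms standing in for the Microsoft-managed global
# list, plus an organisation's custom list (up to 1,000 terms in the service).
GLOBAL_BANNED = {"password", "welcome", "letmein"}
CUSTOM_BANNED = {"contoso", "blank"}
MIN_SCORE = 5


def normalise(candidate: str) -> str:
    """Lower-case and undo the usual leet-style substitutions."""
    return candidate.lower().translate(SUBSTITUTIONS)


def score(candidate: str, banned: set[str]) -> int:
    """Each banned-term occurrence scores 1; each leftover character scores 1."""
    text = normalise(candidate)
    hits = 0
    # Longest terms first so a long banned term is not broken up by a short one.
    for term in sorted(banned, key=len, reverse=True):
        while term in text:
            text = text.replace(term, "", 1)
            hits += 1
    return hits + len(text)


def is_allowed(candidate: str) -> bool:
    """True when the candidate reaches the minimum score against both lists."""
    return score(candidate, GLOBAL_BANNED | CUSTOM_BANNED) >= MIN_SCORE
```

Under this model C0ntos0Blank12 normalises to contosoblank12 and scores only 4 (two banned hits plus "12"), so it is rejected even though it looks complex.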
④ Combined registration — one flow for security-info and MFA
Combined registration (also called the combined security-info registration experience) is the unified portal at aka.ms/mysecurityinfo where users register all their authentication methods — MFA second factors, SSPR reset methods and passwordless credentials — in a single flow. Before combined registration existed, users faced two separate enrolment prompts (one for MFA, one for SSPR), which caused confusion and duplicate registrations. Combined registration is enabled by default for all new and most existing tenants; legacy per-feature registration pages are being retired.
The registration campaign feature in the authentication-methods policy lets admins schedule a prompt — a non-dismissible interrupt after successful sign-in — that nudges users who have not yet registered their security info. You can target campaigns to specific groups and set a snooze period (up to 14 days). This is the primary mechanism Microsoft recommends for the July 2026 SSPR campaign. Temporary Access Pass (TAP) integrates tightly here: issue a TAP to a new or locked-out user, they sign in, and combined registration immediately walks them through adding a permanent second factor — no old password required.
Scenario: Priya, an IAM engineer at a Pune-based IT services firm, faces this
Symptom: After enabling SSPR for all 4,000 users, the help desk still receives dozens of 'I can't reset my password' calls. Investigation reveals many users only have a phone number in their Active Directory attribute — it was synced from HR but never registered as an authentication method.
Root cause: SSPR was relying on directory-attribute phone numbers (mobilePhone) rather than explicitly registered methods. Starting September 2026 this will be blocked entirely; even before that, users without a registered method see no valid gate.
Diagnosis: Entra admin centre ▸ Protection ▸ Password reset ▸ Registration — filter for users with 0 registered methods. Cross-check against the SSPR-enabled scope.
Fix: Entra admin centre ▸ Protection ▸ Authentication methods ▸ Registration campaign. Enable a registration campaign targeting the SSPR-scoped group and set a 7-day snooze. Issue TAPs to accounts that are completely locked out. Before September 7, 2026, verify all users in scope have at least 1 explicitly registered method.
Verification: Re-run the registration coverage report: all SSPR-enabled users show 1+ registered methods. Help-desk SSPR tickets drop to near zero within two weeks.
Takeaway: Go to Entra admin centre ▸ Protection ▸ Password reset ▸ Registration and check the 'Users registered for self-service password reset' report. Any user showing 0 registered methods who is in your SSPR scope will fail to reset from September 2026. Run the registration campaign now, not in August.
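The coverage audit in the scenario above can be scripted; here is an added example (not the lesson's code or a Microsoft tool) that buckets SSPR-scoped users by the remediation they need. The records are a constructed sample shaped like the Graph API `/reports/authenticationMethods/userRegistrationDetails` response (assumed shape); in practice you would page through that endpoint with an authenticated client and feed the rows in.

```python
# Added example: classify SSPR-scoped users from a registration-details report
# so zero-method users are found before the September 2026 cutover.
# Note: methodsRegistered lists security-info methods only. A phone number that
# exists solely as an AD mobilePhone attribute does not appear here, which is
# exactly the gap the scenario describes.
from collections import defaultdict

SAMPLE_REPORT = [  # constructed sample rows (assumed field names)
    {"userPrincipalName": "asha@example.test", "isSsprEnabled": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "email"]},
    {"userPrincipalName": "ravi@example.test", "isSsprEnabled": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "meera@example.test", "isSsprEnabled": True,
     "methodsRegistered": []},   # phone only in the AD attribute
    {"userPrincipalName": "svc-backup@example.test", "isSsprEnabled": False,
     "methodsRegistered": []},   # outside SSPR scope, nothing to fix
]


def classify(report: list[dict], methods_required: int = 2) -> dict[str, list[str]]:
    """Bucket SSPR-scoped users by remediation:
    tap_and_campaign: 0 registered methods, cannot reset at all (issue a TAP,
                      then let combined registration add a permanent method);
    campaign:         registered, but below the policy's required method count;
    ok:               meets the required count."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for rec in report:
        if not rec.get("isSsprEnabled"):
            continue  # not in the SSPR scope
        count = len(rec.get("methodsRegistered", []))
        if count == 0:
            buckets["tap_and_campaign"].append(rec["userPrincipalName"])
        elif count < methods_required:
            buckets["campaign"].append(rec["userPrincipalName"])
        else:
            buckets["ok"].append(rec["userPrincipalName"])
    return dict(buckets)


def coverage_ratio(report: list[dict], methods_required: int = 2) -> float:
    """Fraction of SSPR-scoped users who already meet the required count."""
    buckets = classify(report, methods_required)
    scoped = sum(len(v) for v in buckets.values())
    return len(buckets.get("ok", [])) / scoped if scoped else 1.0
```

Pass methods_required=1 if your Password reset policy requires a single method; the zero-method bucket is the one that must be empty before September 7, 2026.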
📖 Glossary
- Authentication-methods policy: The Entra ID control plane that enables or disables each credential type (passkey, Authenticator, TOTP, SMS, TAP, CBA) with per-group targeting, feeding MFA, SSPR and passwordless simultaneously.
- SSPR (Self-Service Password Reset): Feature that lets users reset or unlock their account by verifying identity with 1 or 2 registered authentication methods — no help-desk call required.
- Password writeback: Feature (requires Entra ID P1 + Entra Connect or Cloud Sync) that syncs a new SSPR-set password from Entra ID to on-premises Active Directory in real time.
- Smart lockout: Entra ID cloud mechanism that silently throttles authentication attempts after repeated failures, tracking familiar vs unfamiliar locations; does not lock the on-prem AD account.
- Custom banned-password list: An organisation-defined list of up to 1,000 terms (brand names, product codes, etc.) that Entra Password Protection blocks at every password change or reset.
- Combined registration: Unified enrolment portal (aka.ms/mysecurityinfo) where users register MFA, SSPR and passwordless credentials in one flow, replacing the legacy dual-prompt experience.
- Temporary Access Pass (TAP): A time-limited, admin-issued passcode in Entra ID that lets a user sign in without a password to bootstrap combined registration or recover a locked account.
- Registration campaign: A scheduled interrupt in Entra ID that prompts users without security-info to register their authentication methods — the primary tool for the July 2026 SSPR prep campaign.
What's next?
Got authentication methods down? Next, go deep on Conditional Access policies — how named locations, sign-in risk, device compliance and authentication-strength requirements let you enforce exactly the right factor at the right moment.