Action required: Microsoft Entra ID SSPR will require registered authentication methods starting September 7, 2026!
Currently, SSPR may allow users to verify their identity using contact information stored in directory attributes such as mobile phone, business phone, and alternate email, even if those values were never explicitly registered as authentication methods.
To strengthen identity security, SSPR will require explicitly registered authentication methods for verification. This change is part of Microsoft's Secure Future Initiative and ensures password reset verification is based on trusted, user-validated methods rather than directory-sourced attributes.
Rollout Schedule:
• August 6, 2026: SSPR registration campaign begins prompting users and administrators to register authentication methods if the SSPR setting requires registration and users do not have enough methods.
• September 7, 2026: Enforcement begins. SSPR will no longer accept directory-sourced contact information for verification.
• General Availability (Worldwide, GCC, GCC High): Early September 2026 through mid-September 2026.
Who is affected:
• All users (including administrators) in tenants with SSPR enabled.
• Applies to Public cloud and US Government clouds (GCC, GCC High, DoD).
Platforms/Services:
• Microsoft Entra ID.
• Self-Service Password Reset (SSPR).
• Web and admin portal experiences.
What will happen:
• Only explicitly registered authentication methods will be accepted for SSPR verification.
• Directory attributes (such as mobilePhone, businessPhone, otherMails) will no longer be valid unless registered.
• Approximately 86% of SSPR verifications already use registered methods today.
• Users without registered methods at enforcement will be:
    • Unable to complete password resets.
    • Prompted to register methods or contact an administrator.
• The registration campaign will proactively prompt affected users starting August 6, 2026.
Action is required before September 7, 2026:
• Review authentication method registration coverage:
    • Go to Microsoft Entra admin center → Authentication methods → User registration details.
• Ensure all users (including admins) have at least one registered authentication method that satisfies your SSPR policy.
• Allow or enable the SSPR registration campaign to prompt users automatically.
• Plan fallback processes:
    • Helpdesk-assisted registration.
    • Alternative onboarding scenarios for users unable to self-register.
• Communicate this change to:
    • IT admins and helpdesk teams.
    • Users (encourage registration via My Security Info).
#Microsoft365 #EntraID #Cybersecurity #IAM
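For the "review registration coverage" step, here is an added Python example (not Microsoft's code and not part of the original post) that triages an export of the report behind the admin center's "User registration details" page offline. It assumes the field names of the Microsoft Graph reports/authenticationMethods/userRegistrationDetails resource (isSsprEnabled, isSsprRegistered, isAdmin, methodsRegistered); the four records and the contoso.example domain are constructed. It lists everyone in scope of SSPR who is not yet registered, admins first, and produces the counts you would put in a rollout tracker.

```python
"""Triage an Entra authentication-method registration export for the SSPR
change: who is in scope of SSPR but not registered, with admins first.

Added example, not Microsoft's code. The field names follow the Microsoft
Graph reports/authenticationMethods/userRegistrationDetails resource
(assumed); the records below are constructed for illustration."""
from __future__ import annotations

# Constructed sample export (four users; contoso.example is a made-up domain).
SAMPLE_EXPORT = [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
     "isSsprEnabled": True, "isSsprRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False,
     "isSsprEnabled": True, "isSsprRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": True,
     "isSsprEnabled": True, "isSsprRegistered": False,
     "methodsRegistered": ["email"]},
    {"userPrincipalName": "dave@contoso.example", "isAdmin": False,
     "isSsprEnabled": False, "isSsprRegistered": False,
     "methodsRegistered": []},
]


def sspr_gaps(records: list[dict], methods_required: int = 2) -> list[dict]:
    """Return one entry per user who is in scope of the SSPR policy
    (isSsprEnabled) but not registered for it (isSsprRegistered is False).

    methods_required mirrors the SSPR policy's "number of methods required
    to reset" setting and is used only to size the shortfall; the
    isSsprRegistered flag is computed by Entra against the tenant's real
    policy and is the authoritative signal.
    """
    gaps = []
    for rec in records:
        if not rec.get("isSsprEnabled"):
            continue  # not in SSPR scope; enforcement does not block this user
        if rec.get("isSsprRegistered"):
            continue  # already satisfies the policy with registered methods
        registered = rec.get("methodsRegistered") or []
        gaps.append({
            "upn": rec["userPrincipalName"],
            "isAdmin": bool(rec.get("isAdmin")),
            "registered": list(registered),
            "shortfall": max(methods_required - len(registered), 0),
        })
    # Admins first (a locked-out admin affects more than themselves), then the
    # users with nothing registered, so the helpdesk works the worst cases first.
    gaps.sort(key=lambda g: (not g["isAdmin"], -g["shortfall"], g["upn"]))
    return gaps


def coverage_summary(records: list[dict], methods_required: int = 2) -> dict:
    """Counts suitable for a status line in the rollout tracker."""
    gaps = sspr_gaps(records, methods_required)
    in_scope = sum(1 for r in records if r.get("isSsprEnabled"))
    return {
        "in_scope": in_scope,
        "registered": in_scope - len(gaps),
        "at_risk": len(gaps),
        "admins_at_risk": sum(1 for g in gaps if g["isAdmin"]),
    }


if __name__ == "__main__":
    for gap in sspr_gaps(SAMPLE_EXPORT):
        print(f"{gap['upn']:<28} admin={gap['isAdmin']!s:<5} "
              f"registered={gap['registered'] or '-'} shortfall={gap['shortfall']}")
    print(coverage_summary(SAMPLE_EXPORT))
```

Users who are not in scope of SSPR are skipped on purpose: enforcement only changes what counts as a valid verification method, so a user the policy never covered is unaffected. Users in scope with nothing registered are the ones who will see "unable to complete password reset" on September 7.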
.@Office365 #Microsoft365 DLP now allows OWA to switch to the client-side checking for rule violations used by the new Outlook. Sounds good, but before you switch, make sure that everything your DLP policies check for is covered...
https://t.co/lSNQfWzVs7
This is a big release, and a great example of the Microsoft security community in action.
✅ AI agent security checks
✅ Azure DevOps tests
✅ CIS updates
✅ Multi-tenant reporting
+ more
Watch or listen at https://t.co/2wK1Gfizx1
Microsoft introduces cross-tenant security group synchronization in Microsoft Entra ID!
A new capability that enables organizations to synchronize security groups across Microsoft Entra tenants.
This feature simplifies collaboration scenarios by allowing shared access to resources across tenants while maintaining centralized group management.
It also streamlines administration of multiple tenants by centralizing group membership control, reducing duplication and manual overhead.
When this will happen:
General Availability (Worldwide, GCC, GCC High, DoD): Rollout begins in late April 2026 and completes by end of May 2026.
Read more: https://t.co/TGDkT3japv
#EntraID #Microsoft365 #Microsoft
Did you know? You can create custom Entra Roles scoped to only specific applications/principals in Microsoft Entra > https://t.co/6uoZbCRasw
It's super easy to do and extremely effective, enabling privileged users to only be able to modify specific settings on specific applications without assigning them a built-in tenant-wide role!
#Microsoft #Entra
If you are not occasionally overwhelmed by what is going on with AI, you are either:
1) Not paying attention.
2) Not understanding what you are seeing.
3) Made of much sturdier stuff than I.
You can now deactivate app registration in Microsoft Entra ID!
Deactivating an app registration provides a reversible way to prevent the application from accessing protected resources without permanently removing it from your tenant.
When you deactivate an application, it immediately stops receiving new access tokens, but existing tokens remain valid until they expire. This approach is useful for security investigations, temporary suspension of suspicious applications, or when you need to maintain application configuration data.
Unlike permanently deleting an application, deactivation preserves all application metadata, permissions, and configuration settings, making it easy to reactivate the application if needed. The application remains visible in your tenant's enterprise applications list, but users can't sign in and no new tokens are issued.
When an application is deactivated, the following behavior occurs:
Immediate effects:
- New access token requests are denied
- Users can't sign in to the application
- Application can't access protected resources with new tokens
Preserved elements:
- Existing access tokens remain valid until their configured lifetime expires
- Application configuration, permissions, and metadata are preserved
- Application remains visible in Enterprise applications list with deactivated state
- Service principal object is maintained in the tenant with "isDisabled": true
When users attempt to sign in to a deactivated application, they receive an error message indicating the application has been disabled by its owner: AADSTS7000112 - Application is disabled. This is different from other error messages like invalid credentials or access denied.
Learn more:
https://t.co/hB3bTORwHo
Important: Application owners can re-activate an application after it has been deactivated. Therefore, remove all owners from the application before deactivating it. This ensures that only administrators can re-activate the application.
#EntraID #Microsoft365 #Cybersecurity
Ever need to find out what Entra authentication methods your users are using but don't have Log Analytics/Sentinel? :)
It's not as difficult as you might think! To get started, log into the Entra portal, go to Sign-in logs, set the date range to 1 month, then download the JSON:
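Once you have that JSON download, the rest can be done offline. The added Python example below is not Microsoft's code and not part of either post; it assumes the export uses the field names of the Microsoft Graph signIn resource (authenticationDetails[].authenticationMethod, authenticationDetails[].succeeded, status.errorCode), and the four sign-in records, placeholder app IDs and contoso.example domain are constructed. It serves two of the posts above: it tallies which authentication methods each user actually used (this post), singling out users who only ever authenticated with a password, and it also picks out sign-ins rejected with AADSTS7000112 against a deactivated application (the app-deactivation post).

```python
"""Summarize an Entra sign-in log JSON export offline: which authentication
methods each user actually used, plus sign-ins that hit a deactivated app.

Added example, not Microsoft's code. Field names follow the Microsoft Graph
signIn resource, which the portal's JSON download is assumed to contain;
the records below are constructed."""
import json
from collections import Counter, defaultdict
from typing import Iterator

# Constructed sample of a sign-in log download (appIds are placeholder GUIDs).
SAMPLE_SIGNIN_JSON = json.dumps([
    {"createdDateTime": "2026-09-08T09:12:00Z",
     "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "appId": "11111111-1111-1111-1111-111111111111",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    {"createdDateTime": "2026-09-08T09:20:00Z",
     "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Teams",
     "appId": "22222222-2222-2222-2222-222222222222",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Text message", "succeeded": True}]},
    {"createdDateTime": "2026-09-08T10:02:00Z",
     "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "SharePoint Online",
     "appId": "33333333-3333-3333-3333-333333333333",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Previously satisfied", "succeeded": True}]},
    {"createdDateTime": "2026-09-08T10:15:00Z",
     "userPrincipalName": "dave@contoso.example",
     "appDisplayName": "Legacy Reporting App",
     "appId": "44444444-4444-4444-4444-444444444444",
     "status": {"errorCode": 7000112, "failureReason": "Application is disabled."},
     "authenticationDetails": []},
])

# "Previously satisfied" means MFA was carried over from an earlier session;
# it is not a method the user registered or used, so it is excluded from tallies.
NOT_A_METHOD = {"Previously satisfied"}
DISABLED_APP_ERROR = 7000112  # AADSTS7000112: application is disabled


def load_signins(text: str) -> list[dict]:
    """Accept either a bare JSON array or a Graph-style {"value": [...]} object."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data.get("value", [])
    return list(data)


def _successful_steps(signins: list[dict]) -> Iterator[tuple[str, str]]:
    """Yield (upn, method) for every successful, real authentication step."""
    for s in signins:
        for step in s.get("authenticationDetails") or []:
            method = step.get("authenticationMethod")
            if step.get("succeeded") and method and method not in NOT_A_METHOD:
                yield s["userPrincipalName"], method


def method_usage(signins: list[dict]) -> Counter:
    """How often each method was used successfully across the whole export."""
    return Counter(method for _, method in _successful_steps(signins))


def methods_by_user(signins: list[dict]) -> dict[str, set[str]]:
    """The set of methods each user successfully used in the export."""
    used: dict[str, set[str]] = defaultdict(set)
    for upn, method in _successful_steps(signins):
        used[upn].add(method)
    return dict(used)


def password_only_users(signins: list[dict]) -> list[str]:
    """Users whose only successful method was Password: the population a
    registration campaign should reach first."""
    return sorted(upn for upn, methods in methods_by_user(signins).items()
                  if methods == {"Password"})


def disabled_app_signins(signins: list[dict]) -> list[tuple[str, str, str]]:
    """Sign-ins rejected because the target app was deactivated (AADSTS7000112)."""
    return [(s["createdDateTime"], s["userPrincipalName"], s.get("appDisplayName", ""))
            for s in signins
            if (s.get("status") or {}).get("errorCode") == DISABLED_APP_ERROR]


if __name__ == "__main__":
    signins = load_signins(SAMPLE_SIGNIN_JSON)
    print("method usage:", dict(method_usage(signins)))
    print("password-only users:", password_only_users(signins))
    print("sign-ins to deactivated apps:", disabled_app_signins(signins))
```

To run it on a real download, replace SAMPLE_SIGNIN_JSON with the file contents. Two caveats from the data model: a month of sign-in logs only shows methods users happened to use, not what they have registered, so treat the password-only list as a lead for the registration report rather than proof of a gap; and a sign-in that hits error 7000112 after you deactivated an app is expected noise, but the same error for an app you did not deactivate is worth a look at who has owner or admin rights on it.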
Microsoft recently updated the YouTube training for the exam
SC-300 - Microsoft Identity and Access Administrator
Bookmark this:
https://t.co/4FChbQKJbH
NEW Microsoft Entra SSE feature in public preview:
"IT Admins can now set detailed SPN-level policies, such as requiring MFA for cifs/* file shares, enabling compliant device access to MSSQL/* servers, and applying step-up authentication for sensitive RDP servers. This allows for precise risk-based segmentation and tailored service access."
https://t.co/8CMleW3UId
Over 28,000 Microsoft Exchange servers remain exposed to the internet with a critical vulnerability (CVE-2025-53786)!
This affects hybrid environments where an on-premises Exchange Server connects to Microsoft 365. If attackers gain admin rights on-premises, they could breach your cloud systems unnoticed.
Suppose you don't have an Exchange Server running anymore, but have previously configured the Hybrid Configuration Wizard or OAuth authentication between Exchange Server and your Exchange Online organization. You must still run the script to delete all certificates of the Office 365 Exchange Online first-party application's Service Principal.
If you're unsure whether action is needed, run the script to remove any leftover certificates!
Service Principal clean up:
https://t.co/aYCzD9Qb1T
CVE-2025-53786 (Microsoft):
https://t.co/yTTboQJ6lL
#ExchangeServer #ExchangeOnline #Cybersecurity #Microsoft365 #PowerShell
CRITICAL: Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Exchange Hybrid Deployments!
The Cybersecurity and Infrastructure Security Agency (CISA) issues an Emergency Directive (ED 25-02), as exploitation could lead to complete identity takeover across an organization's cloud and on-premises environments.
Attackers can use this vulnerability to escalate privileges in the Exchange Online cloud environment. This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations. This could allow an attacker with administrative access to an on-premises server to gain undetected access to the cloud environment.
While Microsoft says no exploit has been observed in the wild, CISA warns that the impact could be significant. Failure to address this vulnerability could compromise the identity integrity of an organization's Exchange Online (Microsoft 365) service.
CVE-2025-53786 (Microsoft):
https://t.co/sw4KYQlhH2
CISA:
https://t.co/XJzDSzPOVz
CISA Emergency Directive (ED 25-02):
https://t.co/4P3n2ft5QS
#ExchangeServer #ExchangeOnline #CISA #Cybersecurity #Microsoft365 #PowerShell
.@Office365 I'm not sure if many will want to run Purview eDiscovery cases via #PowerShell in app-only mode, including Azure Automation runbooks, but if you do, here's how: https://t.co/qydcSpL8ok
#Microsoft365