Self-Service Password Reset Security Hardening: How to Close the SSPR Attack Surface That Bypasses MFA in Entra ID

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Self-Service Password Reset is architected as an exception to the normal authentication flow: it allows a user to prove their identity through alternative means (phone, email, authenticator app) and reset their password without knowing the current one. This exception is necessary for legitimate locked-out users but creates a parallel attack path. An attacker who can control the authentication methods registered for SSPR -- or who can pass the SSPR challenge using OSINT-derived answers -- can reset any account's password and immediately log in. The hardening focus is on authentication method quality, privileged account exemptions, and Conditional Access coverage.
SSPR Authentication Method Risk Matrix
SSPR supports multiple authentication methods with different resistance levels to attacker abuse:
Microsoft Authenticator app (push notification or code): Highest assurance. Requires the attacker to control the registered mobile device or steal the TOTP seed. Recommended as the primary SSPR method for all users.
FIDO2 security key: Highest assurance. Phishing-resistant. Requires physical possession of the registered key. Use for privileged users who have keys registered.
SMS / Voice call to phone number: Moderate risk. Vulnerable to SIM swapping, SS7 attacks, and call forwarding attacks. SIM swapping in particular is used in targeted account takeover against executives and high-value targets. Do not use as a sole SSPR method for any account with elevated access.
Office phone: Moderate risk. Easier to forward than mobile numbers in some enterprise telephony configurations. Same risk profile as SMS.
Email address (not corporate email): Moderate to high risk. If the backup email account is also compromised (or uses a weaker password), the SSPR path is broken. This method uses a separate email account outside the M365 tenant.
Security questions: Highest risk. Answers are frequently derivable from LinkedIn, social media, and public records databases (OSINT). Common security question categories (birthplace, mother's maiden name, high school, first car, pet name) have limited entropy and are systematically targeted. Disable this method entirely.
Configure method requirements:
Entra ID admin center > Protection > Password reset > Authentication methods
Number of methods required to reset: 2
Methods available to users: [uncheck Security questions, uncheck Email]
Required: Microsoft Authenticator, optionally add Mobile phone as second method only (not sole method)
Privileged Account SSPR Exclusion
No privileged account should be eligible for self-service password reset. Admin account password resets should require a manual helpdesk process with out-of-band identity verification.
Exclude privileged accounts from SSPR:
Entra ID admin center > Protection > Password reset > Properties
Self service password reset enabled: Selected (for group)
Select group: [All Users minus privileged admins exclusion group]
The recommended architecture:
- Create an Entra ID security group:
SSPR-Excluded-Privileged-Accounts - Add all accounts with admin roles to this group (automate with a dynamic group rule if using licensed Entra ID P1/P2)
- Configure SSPR to target a group that specifically excludes this group, OR configure SSPR for Selected groups and exclude the privileged group from the selected target
Dynamic group rule to capture all users with any admin role assignment (for exclusion):
Entra ID > Groups > New group > Dynamic membership rules
Rule: (user.assignedRoles -ne null)
Note: this requires Entra ID P1 license for dynamic group membership.
For global administrators and privileged role administrators specifically, consider using the Privileged Identity Management (PIM) breakglass account pattern: two emergency access accounts with FIDO2 hardware keys, stored credentials in a physical safe, and SSPR completely disabled. Document these accounts and test access quarterly.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Conditional Access Gaps During SSPR
SSPR authentication occurs before sign-in, which means standard Conditional Access policies that require compliant devices or MFA do not apply during the SSPR flow. This creates a policy gap:
The gap: A Conditional Access policy requiring MFA for all sign-ins to Office 365 does NOT block an attacker from using SSPR to reset a password from an unmanaged device from an unfamiliar country. SSPR is a pre-authentication flow and bypasses sign-in Conditional Access.
What does apply during SSPR: Authentication method requirements, the number of required methods, and optionally, SSPR Conditional Access authentication context (preview as of 2026).
Mitigations for the gap:
-
Require 2 strong methods: If SSPR requires Microsoft Authenticator (phone possession) AND a second factor, the attacker must simultaneously control two separate authentication channels.
-
Monitor SSPR events aggressively: Alert on SSPR password resets from new countries or from flagged IP ranges:
// Kusto: alert on SSPR from unusual location
AuditLogs
| where OperationName == "Reset password (self-service)"
| extend IPAddress = tostring(AdditionalDetails[?(@.key == "ipAddress")].value)
| extend Country = tostring(AdditionalDetails[?(@.key == "country")].value)
| where Country !in ("United States", "Canada") // Adjust to expected user locations
| project TimeGenerated, Identity, IPAddress, Country, ResultReason
- Restrict SSPR registration: Use the SSPR registration campaign (Entra ID > Authentication methods > Registration campaign) to require users to register strong methods before using SSPR, and audit registrations monthly for unexpected method changes (e.g., a registered Authenticator being removed and replaced with SMS).
Hybrid SSPR Writeback Security
In hybrid environments where on-premises AD is synced with Entra ID, SSPR password writeback allows a cloud SSPR event to reset the on-premises AD password. This creates a cloud-to-on-prem write path that requires careful security configuration.
The Entra Connect Sync service account used for writeback requires specific AD permissions:
- Reset Password on the user object
- Write lockoutTime on the user object
- Write pwdLastSet on the base object of each domain
Audit the Entra Connect service account permissions:
# Identify the Entra Connect sync service account
Get-ADUser -Filter {SamAccountName -like "MSOL_*"} | Select-Object SamAccountName, DistinguishedName
# Check the permissions granted to this account on the domain
$syncAccount = "DOMAIN\MSOL_<suffix>"
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.Access | Where-Object {$_.IdentityReference -eq $syncAccount} | Format-Table
The sync account should have only the minimum required permissions. If it has GenericAll or Domain Admin membership, investigate and remediate immediately -- this is a critical privilege escalation path.
Additionally, monitor for SSPR writeback events in on-premises AD:
- Event ID 4723 (attempt to change account password) with caller computer being the Entra Connect server is expected
- Event ID 4723 with caller being any other system is suspicious and should alert
SSPR Registration Security and Audit Monitoring
SSPR is only as secure as the authentication methods registered. An attacker who gains temporary access to an account can register a new SSPR method and use it later for persistent access:
# Audit all SSPR method registration events in UAL over last 90 days
Connect-IPPSSession
$ssprRegs = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
-Operations "User registered security info","User deleted security info" `
-ResultSize 5000
# Parse and export registration events
$ssprRegs | ForEach-Object {
$data = $_.AuditData | ConvertFrom-Json
[PSCustomObject]@{
Time = $_.CreationDate
User = $_.UserIds
Operation = $_.Operations
Method = $data.AdditionalDetails | Where-Object {$_.key -eq "Type"} | Select-Object -ExpandProperty value
IP = $data.ActorIpAddress
}
} | Export-Csv sspr-registration-audit.csv -NoTypeInformation
Alerts to configure (Entra ID > Monitoring > Alert rules or Microsoft Sentinel):
- SSPR method registered from a country not in the user's normal sign-in countries
- SSPR method registration immediately followed by a password reset (attack sequence: register new method, immediately use it to reset)
- Deletion of Authenticator app from SSPR methods and replacement with SMS (downgrade attack)
For organizations with Entra ID P2 (Privileged Identity Management), use Identity Protection's "User risk" policies to require re-authentication before SSPR registration is allowed when the user's risk score is elevated.
The bottom line
SSPR is a parallel authentication path that bypasses normal Conditional Access MFA requirements. The minimum hardening steps are: disable security questions, require 2 authentication methods, exclude all privileged accounts from SSPR eligibility, monitor SSPR reset and registration events for anomalous locations, and audit the Entra Connect service account permissions if hybrid writeback is enabled. For high-value targets, require Microsoft Authenticator (not SMS) as the SSPR method, and alert immediately on any SSPR method registration change.
Frequently asked questions
Can Conditional Access policies block SSPR from untrusted locations?
Not directly with standard Conditional Access. SSPR is a pre-authentication flow that runs before the user is signed in, so sign-in Conditional Access policies do not apply. Microsoft has a preview feature called Authentication Context for SSPR that allows organizations to apply Conditional Access to the SSPR registration process (requiring a compliant device for SSPR method registration). For SSPR reset attempts specifically, the primary control is the authentication method strength and the number of required methods, not location-based Conditional Access.
Should I disable SSPR for all users and require helpdesk-assisted resets?
Only for privileged accounts. For standard users, SSPR with strong authentication methods (Authenticator app + a second method) is more secure in practice than helpdesk-assisted resets, because helpdesk resets are frequently vulnerable to social engineering attacks (callers impersonating users to get their passwords reset). SSPR with strong methods reduces reliance on social engineering targets. The goal is strong SSPR, not no SSPR, for the general user population.
What happens to the on-premises AD account if SSPR writeback fails?
If the writeback fails (Entra Connect is offline, the sync service is stopped, or the service account lacks permissions), the cloud password reset completes but the on-premises AD password is not updated. The user can sign in to M365 with their new password but cannot log in to on-premises resources or domain-joined devices until the writeback synchronizes. This creates a temporary service disruption. Monitor Entra Connect writeback errors via the Entra ID Provisioning logs and alert on writeback failures.
How do attackers exploit security questions in SSPR?
Security question answers are trivially derivable from open-source intelligence. LinkedIn profiles list birthplaces, school names, and employers. Facebook profiles contain pet names, favorite sports teams, and family member names. Data brokers sell birth dates and family relationship data. High school yearbook photos link users to graduation years and school names. An attacker researching a specific target can compile likely security question answers in 15-30 minutes of OSINT research. This is why security questions should be disabled in every enterprise SSPR configuration -- they provide false assurance without meaningful resistance.
Can an attacker use SSPR to take over accounts without knowing the username?
Username enumeration via SSPR is a related but separate risk. Many SSPR implementations reveal whether a username exists by returning different responses for valid versus invalid accounts (e.g., 'We sent a reset link' vs. 'No account found'). Attackers can use this to validate email address lists before targeted phishing or credential stuffing. Configure SSPR to return a generic response regardless of whether the account exists: 'If an account matching that email exists, you will receive a reset link.' This prevents using SSPR as a username oracle. Microsoft Entra SSPR returns a generic response by default but verify this in your tenant if you have customized the SSPR flow.
How do I prevent SSPR from being used to bypass MFA requirements?
SSPR with phone-based verification can be exploited by an attacker who has access to the registered phone number to reset the account password and then gain access without satisfying MFA requirements on the new password. Harden SSPR to require MFA during the reset flow itself: in Entra ID SSPR settings, require two authentication methods and include only strong methods (Authenticator app notification, FIDO2 key) rather than SMS or voice call. Configure Conditional Access to require re-registration of MFA methods after a password reset (use the Require MFA re-registration after password change condition). This ensures that even if SSPR is abused to reset a password, the attacker cannot complete the MFA challenge without access to the authenticator app, which is bound to the original device.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
