TL;DR: Microsoft's September 7, 2026 Entra ID SSPR change closes a real exposure by requiring explicitly registered authentication methods, but it still leaves credential reset authority with the user, according to Bravura Security. The control becomes harder to abuse, yet the governance model that Storm-2949-style attacks exploit remains intact.
NHIMG editorial — based on content published by Bravura Security: Entra ID SSPR enforcement closes one gap but leaves reset governance intact
By the numbers:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams handle SSPR when recovery depends on unregistered contact data?
A: They should inventory every account that depends on directory-sourced phone numbers or emails, then force explicit enrollment for approved methods before the enforcement date.
Q: Why does explicit method registration not fully solve password reset risk?
A: Because it strengthens the verification step without changing who makes the reset decision.
Q: What breaks when help desk teams absorb too many assisted resets?
A: The recovery process stops being a low-risk support function and becomes a privileged access problem.
Practitioner guidance
- Audit recovery dependence on directory attributes: identify every SSPR flow that currently relies on HR-synced phone numbers, alternate emails, or other unregistered contact fields, then map those accounts to a remediation queue before the enforcement date.
- Prioritise privileged accounts for explicit enrollment: require phishing-resistant, explicitly registered methods for IT staff, executives, and service owners first, because lockout risk and blast radius are highest in those populations.
- Review support-role privilege exposure: validate which help desk or identity admin roles are being used to absorb recovery demand and remove standing directory-level privilege where delegated workflows can handle exceptions.
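The audit and prioritisation steps above (and the earlier question about recovery that depends on unregistered contact data) can be scripted. The PowerShell below is an added example written for this editorial, not code from Bravura Security, NHIMG or Microsoft. It ranks SSPR-enabled users by whether their recovery path rests on an explicitly registered method or only on directory contact attributes, and moves admins up the queue. The input shapes follow the Microsoft Graph authentication-method registration report (`userRegistrationDetails`) and the user resource; the method-name lists and the assumption that `officePhone` is fed from the admin-managed `businessPhones` attribute are illustrative and should be checked against your tenant's authentication methods policy. The sample rows are constructed so the block runs offline; the commented Graph calls show where live data would come from.

```powershell
# Added example for this editorial, not Bravura Security's or Microsoft's code.
# Ranks SSPR-enabled users by how their recovery path fares once only explicitly
# registered methods count. Input shapes follow the Microsoft Graph
# userRegistrationDetails report and the user resource; sample data is constructed.

# Assumption: illustrative method names as they appear in MethodsRegistered.
$PhishingResistant = @('fido2SecurityKey', 'windowsHelloForBusiness', 'passKeyDeviceBound')
# Assumption: officePhone is populated from the admin-managed businessPhones
# directory attribute, so it does not count as an explicit user registration.
$DirectorySourced = @('officePhone')

function Get-SsprRecoveryExposure {
    param(
        [Parameter(Mandatory)] [object[]] $RegistrationDetails,  # registration report rows
        [Parameter(Mandatory)] [object[]] $Users                  # users with contact attributes
    )
    $userById = @{}
    foreach ($u in $Users) { $userById[$u.Id] = $u }

    foreach ($r in $RegistrationDetails) {
        if (-not $r.IsSsprEnabled) { continue }          # outside SSPR scope, nothing to remediate
        $u        = $userById[$r.Id]
        $methods  = @($r.MethodsRegistered)
        $explicit = @($methods | Where-Object { $DirectorySourced -notcontains $_ })

        # Contact data SSPR can fall back on today without any registration.
        $hasDirectoryContact = ($null -ne $u) -and (
            -not [string]::IsNullOrEmpty($u.MobilePhone) -or
            @($u.BusinessPhones).Count -gt 0 -or
            @($u.OtherMails).Count -gt 0)

        $status = if ($explicit | Where-Object { $PhishingResistant -contains $_ }) {
            'RegisteredPhishingResistant'
        } elseif ($explicit.Count -gt 0) {
            'RegisteredWeakMethod'           # explicit, but phishable (phone, email, push)
        } elseif ($hasDirectoryContact) {
            'DirectoryFallbackOnly'          # works today, locks out after enforcement
        } else {
            'NoRecoveryPath'                 # already dependent on an assisted reset
        }

        # Lower number = earlier in the remediation queue; admins move up one step.
        $priority = switch ($status) {
            'DirectoryFallbackOnly'       { 1 }
            'NoRecoveryPath'              { 1 }
            'RegisteredWeakMethod'        { 2 }
            'RegisteredPhishingResistant' { 3 }
        }
        if ($r.IsAdmin) { $priority -= 1 }

        [pscustomobject]@{
            UserPrincipalName = $r.UserPrincipalName
            IsAdmin           = [bool]$r.IsAdmin
            Status            = $status
            ExplicitMethods   = ($explicit -join ',')
            Priority          = $priority
        }
    }
}

# Constructed sample rows (not real tenant data).
$sampleReg = @(
    [pscustomobject]@{ Id = 'u1'; UserPrincipalName = 'cfo@contoso.example'; IsAdmin = $false; IsSsprEnabled = $true;  MethodsRegistered = @('officePhone') }
    [pscustomobject]@{ Id = 'u2'; UserPrincipalName = 'ga@contoso.example';  IsAdmin = $true;  IsSsprEnabled = $true;  MethodsRegistered = @() }
    [pscustomobject]@{ Id = 'u3'; UserPrincipalName = 'dev@contoso.example'; IsAdmin = $false; IsSsprEnabled = $true;  MethodsRegistered = @('mobilePhone', 'microsoftAuthenticatorPush') }
    [pscustomobject]@{ Id = 'u4'; UserPrincipalName = 'sec@contoso.example'; IsAdmin = $true;  IsSsprEnabled = $true;  MethodsRegistered = @('fido2SecurityKey') }
    [pscustomobject]@{ Id = 'u5'; UserPrincipalName = 'svc@contoso.example'; IsAdmin = $false; IsSsprEnabled = $false; MethodsRegistered = @() }
)
$sampleUsers = @(
    [pscustomobject]@{ Id = 'u1'; MobilePhone = $null;         BusinessPhones = @('+1 555 0100'); OtherMails = @() }
    [pscustomobject]@{ Id = 'u2'; MobilePhone = $null;         BusinessPhones = @();              OtherMails = @() }
    [pscustomobject]@{ Id = 'u3'; MobilePhone = '+1 555 0101'; BusinessPhones = @();              OtherMails = @() }
    [pscustomobject]@{ Id = 'u4'; MobilePhone = $null;         BusinessPhones = @();              OtherMails = @('sec@alt.example') }
    [pscustomobject]@{ Id = 'u5'; MobilePhone = $null;         BusinessPhones = @();              OtherMails = @() }
)

# Live data instead of the sample (needs Microsoft.Graph.Reports and Microsoft.Graph.Users):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'User.Read.All'
#   $sampleReg   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
#   $sampleUsers = Get-MgUser -All -Property Id, UserPrincipalName, MobilePhone, BusinessPhones, OtherMails

Get-SsprRecoveryExposure -RegistrationDetails $sampleReg -Users $sampleUsers |
    Sort-Object Priority, UserPrincipalName |
    Format-Table -AutoSize
```

On the sample, `ga@` (an admin with no method and no contact data) and `cfo@` (office phone only) land at the top of the queue, `dev@` follows with a registered but phishable method, and `sec@` with a FIDO2 key sorts last; `svc@` is skipped because it is not in SSPR scope. The useful output is the `DirectoryFallbackOnly` set: those are the users who can reset today and will be routed to the help desk after the enforcement date unless they enrol first.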
What's in the full article
Bravura Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The exact SSPR enrollment workflow and how Microsoft distinguishes registered methods from directory contact attributes.
- The practical implications for organisations that rely on HR sync, hybrid directory data, or mixed recovery workflows.
- The vendor's comparison of enterprise-managed credential delivery versus user-driven password reset.
- The supporting examples around Storm-2949, privileged support roles, and recovery governance.
👉 Read Bravura Security's analysis of the Entra ID SSPR enforcement change →
Entra ID SSPR enforcement: what it means for reset governance
Explore further
Credential reset authority is a governance model, not a feature toggle. The September 7 change improves method assurance, but it does not change the fact that the user remains the custodian of the credential in SSPR. That governance premise was designed for a world where the reset decision could safely sit with the individual account holder. It fails when adversaries can social-engineer the holder at the moment of approval. The implication is that teams must reassess whether user-mediated reset belongs in the critical path at all.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means privileged access is often broader than teams think.
A question worth separating out:
Q: Who is accountable when a user-approved reset is abused?
A: The accountability chain usually spans identity governance, help desk operations, and the owning application or directory team, because the abuse emerges from policy design as much as from the attack itself. Frameworks such as the NIST Cybersecurity Framework 2.0 place this squarely in the Govern and Protect functions, not only in incident response.
👉 Read our full editorial: Entra ID SSPR enforcement fixes exposure, not reset governance