Prevent Password Reuse in Entra ID/SSPR---Password Reuse Still Possible

LM-5132 250 Reputation points
2025-02-03T17:06:32.3566667+00:00

Hello,

Our company uses Entra ID, and we do not have an on-premises Active Directory (AD). We have enabled self-service password reset for all users, requiring two forms of authentication to reset passwords.

I can reset the password using the Self-Service Password Reset (SSPR) feature with a test user's account and reuse the same password. Microsoft documentation states this should not be possible:

"In Microsoft Entra ID, the last password cannot be reused when a user changes their password. This password policy applies to all user accounts that are created and managed directly in Microsoft Entra ID, and it cannot be modified."

https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide

This is not true, because I can reuse the last password when changing the password via SSPR.

How can I prevent password reuse in Entra ID SSPR?

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other

2 answers

  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2025-03-03T22:41:31.1433333+00:00
    1 person found this answer helpful.

  2. Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
    2025-02-04T07:08:57.04+00:00

    Hi @LM-5132
    Thank you for posting your issue on Microsoft Q&A.

    I understand that you are resetting the password using the Self-Service Password Reset (SSPR) feature with a test user's account and you can reuse the same password.
    "By design for Microsoft Entra ID, the last password can be used for password resets but cannot be used for password changes".

    The document you provided also says the same: the last password cannot be reused when a user changes their password, but the last password can be used for a password reset.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click `Accept Answer` and `Yes`.

    Thanks,

    B. Siri Chandana.

