25,151 questions
Well, for Entra, this is by design and documented:
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
Prevent Password Reuse in Entra ID/SSPR---Password Reuse Still Possible
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 12%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL5%3C/text%3E%3C/svg%3E)
LM-5132
250
Reputation points
Hello,
Our company uses Entra ID, and we do not have an on-premises Active Directory (AD). We have enabled self-service password reset for all users, requiring two forms of authentication to reset passwords.
I can reset the password using the Self-Service Password Reset (SSPR) feature with a test user's account and reuse the same password. Microsoft documentation states this should not be possible:
"In Microsoft Entra ID, the last password cannot be reused when a user changes their password. This password policy applies to all user accounts that are created and managed directly in Microsoft Entra ID, and it cannot be modified."
This is not true, because I can reuse the last password when changing the password via SSPR.
How can I prevent password reuse in Entra ID SSPR?
Thank you.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other
2,596 questions
2 answers
Sort by: Most helpful
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator2025-03-03T22:41:31.1433333+00:00 -
LM-5132 250 Reputation points
2025-03-14T14:43:39.0666667+00:00 I can reuse the same password for both instances shown in the screenshot you provided.
When I update my password on myaccount.microsoft.com, I can reuse the same password.
Reuse prevention must only apply if there is a global password expiration policy in place, but we don't have such a policy since it's no longer considered a best practice.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator2025-02-04T07:08:57.04+00:00 Hi @LM-5132
Thank you for posting your issue on Microsoft Q&A.I understand that you are resetting the password using the Self-Service Password Reset (SSPR) feature with a test user's account and you can reuse the same password.
"By design for Microsoft Entra ID, last password can be used when for passwords reset but cannot be used for password changes".In the document you provided also tells the same that the last password cannot be reused when a user changes their password, but last password can be used for password reset.
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click
`Accept Answer`and`Yes`.Thanks,
B. Siri Chandana.
-
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2025-02-05T06:18:49.4766667+00:00 Hi @LM-5132
Following up to see if the above answer was helpful. If this answers your query, do clickAccept AnswerandYes, if you have any further query do let us know. -
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2025-02-06T05:06:15.84+00:00 Hi @LM-5132
Following up to see if the above answer was helpful. If this answers your query, do clickAccept AnswerandYes, if you have any further query do let us know. -
LM-5132 250 Reputation points
2025-02-18T15:12:09.1533333+00:00 This still allows me to reuse the same password when required to create a new password using SSRP.
When I click on "Forgot my password" on the Microsoft 365 login in page, the process requires me to create a new password. If I put my old password in the "create a new password" it accepts my old password as my new password.
Below is where I am able to enter my old password and it accepts it as my new password.
Thank you
-
LM-5132 250 Reputation points
2025-02-18T15:21:46.1533333+00:00 A password reset in SSPR, requires a new password. But I guess this is not considered a password change.
ok, Thank you
-
LM-5132 250 Reputation points
2025-02-18T15:35:14.3433333+00:00 I logged into myaccount.microsoft.com. I changed my password and reused the old password and it accepted it. I did not use SSPR like before. This proves that I am able to reuse my old password.
Below is where I put my old password in and it accepted it.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
-
LM-5132 250 Reputation points
2025-02-20T15:55:53.4+00:00 Thank you very much.
I am assuming that password reuse is only blocked when a password expiration time is set and a user is required to reset their password every 60 or 90 days. However, NIST does not recommend password expiration anymore.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 3%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIS%3C/text%3E%3C/svg%3E)
IT-S 0 Reputation points2025-02-21T12:35:35.5633333+00:00 Any update on this? We are dealing with same issue.
-
LM-5132 250 Reputation points
2025-02-21T13:04:29.9733333+00:00 No update yet.
Realistically, if a user is utilizing Self-Service Password Reset (SSPR), it is likely because they have forgotten their password and will be creating a new one. Similarly, if a user is resetting their password in their Office.com profile, they are probably voluntarily changing it to something new.
I have not found any settings for password reuse in Azure or Entra ID. It must be for on-prem AD.
The National Institute of Standards and Technology (NIST) and the SANS Institute no longer recommend setting password expiration as a best practice. I am wondering if enforcement of password reuse policies is only applicable to companies that still implement password expirations via on-prem AD.
What are you experiencing? Does your company use a password expiration time limit?
-
IT-S 0 Reputation points
2025-02-21T13:20:53.4166667+00:00 We do have a password expiration time limit.
-
IT-S 0 Reputation points
2025-02-21T13:23:43.2333333+00:00 We do have a password expiration limit. However our policy states that we shouldn't be able to EVER reuse a password so I am trying to see if there is a way to force that. Seems silly that SSPR lets you reuse same passwords and that there is no option in Entra to prevent that.
-
LM-5132 250 Reputation points
2025-02-21T13:25:22.96+00:00 We need to show the prevention of password reuse for CMMC compliance which is required for all DIB contractors by the DoD.
Sign in to comment -