Hello,
Our company uses Entra ID, and we do not have an on-premises Active Directory (AD). We have enabled self-service password reset for all users, requiring two forms of authentication to reset passwords.
I can reset the password using the Self-Service Password Reset (SSPR) feature with a test user's account and reuse the same password. Microsoft documentation states this should not be possible:
"In Microsoft Entra ID, the last password cannot be reused when a user changes their password. This password policy applies to all user accounts that are created and managed directly in Microsoft Entra ID, and it cannot be modified."
This is not true, because I can reuse the last password when changing the password via SSPR.
How can I prevent password reuse in Entra ID SSPR?
Thank you.
Well, for Entra, this is by design and documented:
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
Hi @LM-5132
Thank you for posting your issue on Microsoft Q&A.
I understand that you are resetting the password using the Self-Service Password Reset (SSPR) feature with a test user's account and you can reuse the same password.
"By design for Microsoft Entra ID, the last password can be used for password resets but cannot be used for password changes".
The document you provided also says the same: the last password cannot be reused when a user changes their password, but the last password can be used for a password reset.
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click `Accept Answer` and `Yes`.
Thanks,
B. Siri Chandana.