SQ Retirement for SSPR - Problem for schools

Question

I received the notice today that Security Questions will no longer be accepted for SSPR in March 2027. I understand that they aren't as secure as some other authentication methods, but this does create a problem for my organization. I work in the IT department at a school (grades 6-12). The students use Security Questions as their MFA method and for resetting their own passwords. Retiring SQs means the students will no longer have a way of resetting their own passwords. Not all of our students have cellphones, and those that do are not allowed to have them during the school day (or at all if their parents ground them and take them away), which means they cannot use SMS, Voice, or Microsoft Authenticator for MFA. Purchasing hardware tokens for all the students (roughly 850) is not in our budget, and the students would lose them or forget them. The students don't have access to personal emails while at school (unless their personal email is through Outlook), and not all of the students even have personal emails (it depends on whether their parents allow them to or not). The verification with government ID option also wouldn't work since a majority of our students don't have government IDs.

After this change takes effect, the only way the students would be able to reset their passwords is by contacting the school IT department. That means if they get locked out or forget their password in the evenings, on weekends, or when school is closed they won't be able to get back in. They would then get behind on their schoolwork, miss important emails from teachers or colleges, etc.

Has Microsoft considered how this change will affect K12 schools? What other options are available for us so that our students don't fall behind due to something as trivial as a forgotten password?

Answer 1

Hello Griffin, Kaitlyn,

This concern is valid, and many K‑12 organizations are facing the same challenge as Security Questions are being retired for SSPR starting March 2027. Microsoft is removing Security Questions tenant‑wide because they do not meet current security standards and are a common source of account compromise. Unfortunately, there will be no like‑for‑like replacement or education‑only exception for this feature.

For student scenarios where phones, personal email, government ID, or hardware tokens are not feasible, Microsoft’s recommended approach is to move from fully self‑service resets to a managed recovery model.

The primary supported alternative is Temporary Access Pass (TAP). TAP allows school IT or authorized staff to issue a time‑limited passcode that students can use to sign in and reset their password from any location, including after school hours, without needing a phone or secondary device. This is currently the best‑fit solution for middle and high school students who cannot register standard MFA methods.

In addition, schools are encouraged to:

• Delegate limited password reset or TAP issuance permissions to trusted staff (teachers, counselors, front office) to avoid bottlenecks at central IT.
• Review password expiration and lockout policies to reduce how often students require resets.
• Communicate the change early to parents and students so expectations are clear.

At this time, fully self‑service password reset without a strong verification method is no longer supported by design. While this is a shift from how SSPR worked previously with Security Questions, it aligns with Microsoft’s broader effort to reduce account takeover risk in education environments.

More details:

• Temporary Access Pass: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass
• SSPR authentication methods: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks