Prevent Password Reuse in Entra ID/SSPR---Password Reuse Still Possible

LM-5132 165

Hello,

Our company uses Entra ID, and we do not have an on-premises Active Directory (AD). We have enabled self-service password reset for all users, requiring two forms of authentication to reset passwords.

I can reset the password using the Self-Service Password Reset (SSPR) feature with a test user's account and reuse the same password. Microsoft documentation states this should not be possible:

"In Microsoft Entra ID, the last password cannot be reused when a user changes their password. This password policy applies to all user accounts that are created and managed directly in Microsoft Entra ID, and it cannot be modified."

https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide

This is not true, because I can reuse the last password when changing the password via SSPR.

How can I prevent password reuse in Entra ID SSPR?

Thank you.

1 answer

BANDELA Siri Chandana 1,565 Reputation points Microsoft Vendor

2025-02-04T07:08:57.04+00:00

Hi @LM-5132
Thank you for posting your issue on Microsoft Q&A.

I understand that you are resetting the password using the Self-Service Password Reset (SSPR) feature with a test user's account and you can reuse the same password.
"By design for Microsoft Entra ID, last password can be used when for passwords reset but cannot be used for password changes".

In the document you provided also tells the same that the last password cannot be reused when a user changes their password, but last password can be used for password reset.

Hope this helps. Do let us know if you have any further queries.

If this answers your query, do click `Accept Answer` and `Yes`.

Thanks,

B. Siri Chandana.
Please sign in to rate this answer.
BANDELA Siri Chandana 1,565 Reputation points Microsoft Vendor

2025-02-05T06:18:49.4766667+00:00

Hi @LM-5132
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.

BANDELA Siri Chandana 1,565 Reputation points Microsoft Vendor

2025-02-06T05:06:15.84+00:00

Hi @LM-5132
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.

LM-5132 165 Reputation points

2025-02-18T15:12:09.1533333+00:00

This still allows me to reuse the same password when required to create a new password using SSRP.

When I click on "Forgot my password" on the Microsoft 365 login in page, the process requires me to create a new password. If I put my old password in the "create a new password" it accepts my old password as my new password.

Below is where I am able to enter my old password and it accepts it as my new password.

Thank you

LM-5132 165 Reputation points

2025-02-18T15:21:46.1533333+00:00

A password reset in SSPR, requires a new password. But I guess this is not considered a password change.

ok, Thank you

LM-5132 165 Reputation points

2025-02-18T15:35:14.3433333+00:00

I logged into myaccount.microsoft.com. I changed my password and reused the old password and it accepted it. I did not use SSPR like before. This proves that I am able to reuse my old password.

Below is where I put my old password in and it accepted it.

SrideviM 80 Reputation points Microsoft Vendor

2025-02-20T03:53:28.3166667+00:00

Hi @LM-5132

We are currently investigating this issue, and we will get back to you with our findings.

LM-5132 165 Reputation points

2025-02-20T15:55:53.4+00:00

Thank you very much.

I am assuming that password reuse is only blocked when a password expiration time is set and a user is required to reset their password every 60 or 90 days. However, NIST does not recommend password expiration anymore.

IT-S 0 Reputation points

2025-02-21T12:35:35.5633333+00:00

Any update on this? We are dealing with same issue.

LM-5132 165 Reputation points

2025-02-21T13:04:29.9733333+00:00

No update yet.

Realistically, if a user is utilizing Self-Service Password Reset (SSPR), it is likely because they have forgotten their password and will be creating a new one. Similarly, if a user is resetting their password in their Office.com profile, they are probably voluntarily changing it to something new.

I have not found any settings for password reuse in Azure or Entra ID. It must be for on-prem AD.

The National Institute of Standards and Technology (NIST) and the SANS Institute no longer recommend setting password expiration as a best practice. I am wondering if enforcement of password reuse policies is only applicable to companies that still implement password expirations via on-prem AD.

What are you experiencing? Does your company use a password expiration time limit?

IT-S 0 Reputation points

2025-02-21T13:20:53.4166667+00:00

We do have a password expiration time limit.

IT-S 0 Reputation points

2025-02-21T13:23:43.2333333+00:00

We do have a password expiration limit. However our policy states that we shouldn't be able to EVER reuse a password so I am trying to see if there is a way to force that. Seems silly that SSPR lets you reuse same passwords and that there is no option in Entra to prevent that.

LM-5132 165 Reputation points

2025-02-21T13:25:22.96+00:00

We need to show the prevention of password reuse for CMMC compliance which is required for all DIB contractors by the DoD.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Prevent Password Reuse in Entra ID/SSPR---Password Reuse Still Possible

1 answer

Your answer