Microsoft Entra Adds SMS Verification for Secure Password Reset Flows

Microsoft just dropped the public preview for SMS-based authentication in their password reset flows for Entra External ID. The rollout's happening across all production tenants through October 2025.

Key Features

SMS Authentication for Password Reset

Now you can use SMS to verify users during password resets and forgot password flows. Before this, you were stuck with email one-time codes. SMS gives users another option, which they'll probably appreciate.

Enhanced Security

If someone has registered multiple password reset methods, they now need to verify themselves using at least two different ones. This means even if a bad actor gets your email, they can't reset your password without the second factor.

Fraud Protection

They've baked in the Phone Reputation platform to watch for sketchy phone activity. When someone tries to verify via SMS, the system flags it in real-time and sends back one of three verdicts: Allow, Block, or Challenge. This catches a lot of the telephony-based attacks before they cause damage.

Flexible Pricing

It's sold as an add-on with per-region pricing. You pay per SMS sent, and the cost includes the fraud protection service. Rates vary by location—worth checking the pricing page to see what it'll run in your region.

Benefits

• Users get an extra option for verification instead of being locked into email codes alone.

• The multi-factor requirement makes it significantly harder to compromise an account—you'd need to compromise two different methods.

• The real-time analysis stops a lot of phishing and SIM-swap attacks before they land.

• If compliance is on your radar, this helps with MFA requirements in most regulatory frameworks.

Availability

Right now it's in public preview, so you can start testing it. The general rollout to all External ID tenants wraps up by the end of October 2025.