SMS SSPR in Microsoft Entra External ID: Public Preview with Phone Reputation

Microsoft has begun rolling out SMS-based self-service password reset for Microsoft Entra External ID, adding a phone-based recovery option to the External ID SSPR flow while pairing the capability with built-in telecom fraud protections and per-message billing for SMS verification attempts.

Background

Microsoft Entra External ID is the cloud identity product for managing and authenticating external users (customers, partners, contractors) across applications and services. Before this announcement, External ID supported email one-time passcodes (Email OTP) for self-service password reset (SSPR) alongside a range of social and federated sign-in options; SMS verification for password recovery was not available. The change brings parity with common consumer flows in which an SMS code is one of the recovery options.
This release is a public preview rolling out to production tenants; Microsoft states the rollout is under way and expects the capability to be present in tenants by the end of the month. Microsoft's documentation describes SMS as an add-on feature with tiered per-message pricing by country/region, and fraud protection is included in the SMS transaction cost.

What Microsoft announced — the essentials

  • Public preview of SMS for SSPR in Entra External ID. End users can verify their identity with an SMS code in the "forgot password" (SSPR) flow instead of being limited to Email OTP.
  • Multi-method verification requirement. If a user has registered two or more methods, the SSPR flow requires verification with two of them, so recovery is no longer a single-method check for those users.
  • Built-in telephony fraud protection via the Phone Reputation platform. Each telephony transaction is evaluated in real time and receives an Allow, Block, or Challenge decision to reduce fraud and abuse.
  • Per-message SMS billing as an add-on. SMS verification is billed through separate meters keyed to the country/region of the phone number receiving the code; Microsoft publishes SMS pricing tiers and treats SMS as an add-on feature for External ID.
These items form the operational core of the announcement and define what administrators should expect when enabling the new SMS SSPR capability.

Why this matters: practical implications for IT administrators

Easier recovery for external users

External user populations are often large, diverse, and outside an organization’s administrative domain. SMS-based recovery can reduce friction for many users who may not have easy access to alternate email accounts or authenticator apps registered to a tenant. By adding SMS as a method, administrators can lower help‑desk volume for password resets and reduce account‑lockout related disruptions.

Security posture and multi-factor verification

Microsoft’s SSPR flow in External ID now requires that users with two or more registered methods verify using two methods during reset. This reduces single‑factor recovery scenarios (e.g., a single email OTP) and raises the bar against simple account takeover attempts. At the same time, Microsoft’s Phone Reputation platform evaluates telephony signals in real time and returns an Allow/Block/Challenge decision, providing an on‑the‑fly risk assessment for each SMS transaction.

Cost and billing considerations

SMS is not free: the SMS add-on uses country/region-based meters and charges per verification attempt. Organizations with large customer populations need to budget for per-message costs and decide how to limit usage. Microsoft's External ID pricing pages and documentation call out the per-message meters and regional pricing tiers; the External ID core offer remains free for the first 50,000 monthly active users (MAU), but SMS adds incremental per-use charges on top of that allowance.

How SMS-based SSPR works (technical overview)

The user journey

  • A customer opens the application's sign-in page and selects Forgot password.
  • The user provides their email address (or other user identifier) and, where it is enabled, chooses SMS as the verification method.
  • Before any message is sent, the Phone Reputation platform evaluates the SMS transaction in real time and returns Allow, Challenge, or Block; the flow proceeds, applies extra verification, or stops accordingly.
  • On Allow (or after a passed challenge), Microsoft sends a one-time code to the user's registered phone number.
  • If the user has two or more registered methods, the flow requires verification with two of them (for example SMS plus Email OTP, or SMS plus an authenticator app).
  • After successful verification, the user sets a new password and can optionally be notified of the reset event.
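The recovery flow above, as an added example that is not Microsoft's code: a small Python model of the decision rules the article states (the user picks from registered methods, two methods are required when two or more are registered, and an Allow/Challenge/Block decision is taken before any SMS goes out). The fallback order, the `demo_reputation` rule set and the phone numbers are assumptions made for the demo; Microsoft's Phone Reputation signals are not public and are not reproduced here.

```python
from enum import Enum


class Decision(Enum):
    ALLOW = "Allow"
    CHALLENGE = "Challenge"
    BLOCK = "Block"


# Order in which a second (or substitute) method is offered. This ordering is an
# assumption for the example, not documented product behaviour.
FALLBACK_ORDER = ["authenticator", "email", "sms"]


def demo_reputation(phone: str) -> Decision:
    """Stand-in for the Phone Reputation check (constructed rules, not Microsoft's).

    The real platform evaluates telephony risk signals that are not public;
    here two made-up prefixes stand for a blocked and a challenged number range.
    """
    if phone.startswith("+1900"):      # made-up "premium-rate style" prefix
        return Decision.BLOCK
    if phone.startswith("+44"):        # made-up "challenge" range
        return Decision.CHALLENGE
    return Decision.ALLOW


def plan_reset(registered, chosen, phone, reputation=demo_reputation):
    """Work out the verification steps for one SSPR attempt.

    registered - methods the user has registered, e.g. ["email", "sms"]
    chosen     - the method the user picked on the "forgot password" screen
    phone      - the registered phone number (only consulted if "sms" is registered)
    reputation - callable returning a Decision for the phone transaction

    Returns (steps, required, note):
      steps    - ordered verification steps, e.g. ["sms", "email"];
                 "sms+challenge" means extra verification is applied before the code
      required - how many methods must be completed (2 when two or more are registered)
      note     - "" when a path exists, otherwise why the flow cannot proceed
    """
    registered = list(dict.fromkeys(registered))          # dedupe, keep order
    if chosen not in registered:
        return [], 0, f"{chosen} is not a registered method"
    required = 2 if len(registered) >= 2 else 1

    # Evaluate the phone transaction before any SMS is sent.
    sms_usable, sms_step = True, "sms"
    if "sms" in registered:
        decision = reputation(phone)
        if decision is Decision.BLOCK:
            sms_usable = False
        elif decision is Decision.CHALLENGE:
            sms_step = "sms+challenge"

    usable = [m for m in registered if m != "sms" or sms_usable]
    if len(usable) < required:
        # The two-method rule plus a blocked number can leave no path at all.
        return [], required, "not enough usable methods; route to support"

    # Chosen method first, then the fixed fallback order, then anything else registered.
    order = [chosen] + [m for m in FALLBACK_ORDER if m != chosen]
    order += [m for m in usable if m not in order]
    steps = []
    for method in order:
        if method in usable:
            steps.append(sms_step if method == "sms" else method)
        if len(steps) == required:
            break
    return steps, required, ""


if __name__ == "__main__":
    for regs, chosen, phone in [
        (["email", "sms"], "sms", "+15551230000"),
        (["email", "sms"], "sms", "+441230000000"),
        (["email", "sms"], "sms", "+19001230000"),
        (["email", "sms", "authenticator"], "sms", "+19001230000"),
    ]:
        print(regs, chosen, phone, "->", plan_reset(regs, chosen, phone))
```

The case worth noticing is a user with exactly two registered methods, one of them SMS: a Block decision leaves one usable method against a two-method requirement, so the flow has no path and the user ends up at support. A third registered method (the authenticator app in the last case) is what keeps that user out of the lockout scenario the fallback planning in this article is about.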

Fraud protection: Phone Reputation and transaction-level decisions

Microsoft integrates telephony risk signals into the SMS flow. Each SMS transaction is analyzed by the Phone Reputation platform, which scores the transaction on telephony risk signals to detect suspicious activity such as high-volume automated requests, premium-rate number patterns, or rapid repeated attempts (Microsoft does not publish the full signal set). The platform returns one of three outcomes for a transaction:
  • Allow — transaction proceeds.
  • Challenge — additional verification or rate limiting is applied.
  • Block — transaction is denied to prevent abuse.
These real‑time decisions are intended to mitigate threats such as International Revenue Share Fraud (IRSF), high‑volume automated abuse, and other telephony‑based attack vectors. Microsoft documentation explains these protections and the kinds of telemetry used to determine reputation.

Rollout, licensing and pricing details

  • Microsoft has published the SMS SSPR feature as public preview and indicated a tenant rollout timeline (production roll‑out by the end of the announced month). Administrators should check their own tenant for availability in the Microsoft Entra admin center.
  • Billing: SMS verification is an add‑on billed per transaction, with meters applied by country/region. Microsoft’s pricing pages and authentication method documentation list the regional tiering and caution that SMS depends on a linked subscription. Organizations must plan for per‑message costs and how that impacts large user bases.
  • Free MAU allowance: Microsoft Entra External ID offers a Basic tier with up to 50,000 MAU at no cost; however, SMS add‑ons incur separate charges regardless of MAU tier, so free MAU does not exempt SMS costs.
Administrators should review the “SMS pricing tiers by country/region” documentation and their own expected transaction volume to estimate monthly costs.

Strengths: what this change gets right

  • Better user experience for external users. Many consumers expect SMS as a recovery channel; offering it reduces friction and aligns with user expectations.
  • Stronger recovery flows for multi‑method users. The enforced requirement for two methods when multiple are registered reduces the single-point-of-failure risk in password recovery flows.
  • Real‑time fraud mitigation built in. Phone Reputation platform integration means phone‑based recovery is not simply “SMS in the clear” — Microsoft is evaluating risk signals and can block or challenge suspicious requests in real time, which is a meaningful protection against telephony fraud and IRSF-style abuses.
  • Administrators gain choice and control. SMS can be enabled or scoped to specific user flows and tenants, allowing targeted pilot deployment and gradual rollout without changing existing email OTP flows immediately.

Risks and blind spots: what administrators must watch for

SMS is a weaker authentication factor than phishing-resistant options

Authoritative guidance ranks SMS one-time codes below stronger forms of MFA. NIST SP 800-63B classes out-of-band authentication over the public telephone network (SMS and voice) as restricted because of SIM swap, interception, and social-engineering risk, and CISA's MFA guidance places SMS and voice at the bottom of its hierarchy, below app-based and phishing-resistant authenticators. SMS can be part of a defense-in-depth model but should not be the only recovery control for high-value accounts.

Telephony reputation blocking can produce false positives

Community and Microsoft Q&A threads dating back to earlier Azure B2C and External ID experiences show that phone reputation heuristics can sometimes block legitimate phone numbers — producing messages like “Phone number has bad reputation, blocking.” Administrators should plan to monitor logs and provide fallback options for blocked users to avoid lockouts and poor customer experience. Microsoft guidance and community discussions highlight this behavior and recommend alternative verification methods where appropriate.

Cost exposure for high-volume customer populations

Because SMS is billed per verification attempt and uses country-based meters, a customer base that triggers frequent SSPR events (or a malicious actor attempting to force repeated resets) can generate unexpected costs. Organizations should budget carefully, set sensible rate limits and throttles, and consider measures to reduce unnecessary SMS triggers (e.g., requiring other factors first, limiting who can use SMS).

Dependency on global telecom ecosystems

SMS reliability varies by country, carrier, and number type (mobile vs. VoIP). Coverage gaps, latency, or carrier filtering can produce poor user experiences. Administrators should pilot in representative geographies to detect delivery or reputation issues before broad production rollout. Microsoft’s documentation calls out regional opt‑in considerations and throttles for new tenants as part of anti‑abuse safeguards.

Recommended rollout and operational checklist for administrators

Pre-deployment: plan and pilot

  • Inventory external user types and volumes. Map where SMS would be helpful and estimate monthly SMS transaction volume by country.
  • Review pricing tiers and estimate costs. Use Microsoft’s SMS pricing documentation and External ID pricing pages to model monthly spend. Consider caps or alerts in billing to avoid surprises.
  • Pilot with a small group. Test the end-to-end SSPR flow including Phone Reputation decisions in representative regions. Confirm code delivery times and behavior for edge cases (roaming numbers, VoIP numbers).
  • Confirm fallback options. Ensure Email OTP or authenticator‑app flows remain available and communicate fallback steps if a phone transaction is blocked.

Configuration and operations

  • Enable SSPR for targeted user flows via the Microsoft Entra admin center and External ID user flows. Use scoped targeting where possible to limit initial exposure.
  • Confirm that multi-method verification is in effect for users with multiple registered methods. The updated SSPR flow enforces it; verify the behaviour in your pilot rather than assuming it.
  • Monitor the tenant's audit and sign-in logs for blocked or challenged telephony transactions and maintain a helpdesk playbook for those cases.
  • Set alerts for anomalous SSPR volumes to detect abuse or runaway costs.
  • Communicate to end users how verification choices work and what to do if their number is blocked — include guidance in sign-up flows and on help pages.
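As an added example (not Microsoft's code, and not Microsoft's log schema), the following Python runs three of the checks from this list over constructed SSPR telemetry: a burst detector for SMS sends per time window (abuse and runaway cost), a correlation of phone-number changes with completed resets (the SIM-swap indicator the hardening section below asks you to monitor), and a per-country summary of reputation decisions and estimated spend for the cost modelling in the pre-deployment step. The record fields, the sample records, the tier prices and the country-to-tier mapping are all assumptions for the demo; replace them with your own export and the current pricing page.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Made-up per-message prices (in cents) per tier and a made-up country-to-tier map.
# Take the real values from Microsoft's "SMS pricing tiers by country/region" page.
TIER_CENTS = {1: 2, 2: 5, 3: 10}
COUNTRY_TIER = {"US": 1, "GB": 2, "XX": 3}   # "XX" is a placeholder country code

# Constructed sample records. Field names are this example's, not Microsoft's schema:
#   ts (UTC), event in {sms_sent, phone_changed, reset_completed}, user, country, decision.
SAMPLE = [
    {"ts": "2025-09-01T10:00:05Z", "event": "sms_sent", "user": "u1", "country": "US", "decision": "Allow"},
    {"ts": "2025-09-01T10:01:10Z", "event": "sms_sent", "user": "u2", "country": "GB", "decision": "Challenge"},
    {"ts": "2025-09-01T10:02:00Z", "event": "phone_changed", "user": "u3", "country": "US", "decision": ""},
    {"ts": "2025-09-01T10:03:30Z", "event": "sms_sent", "user": "u3", "country": "US", "decision": "Allow"},
    {"ts": "2025-09-01T10:04:00Z", "event": "reset_completed", "user": "u3", "country": "US", "decision": ""},
] + [
    # Twelve sends in twelve seconds to one country, the shape of automated abuse;
    # every third one is blocked by the (constructed) reputation decision.
    {"ts": f"2025-09-01T11:00:{i:02d}Z", "event": "sms_sent", "user": f"bot{i}",
     "country": "XX", "decision": "Block" if i % 3 == 0 else "Allow"}
    for i in range(12)
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sms_bursts(records, window=timedelta(minutes=10), threshold=10):
    """Windows in which SMS sends exceed `threshold`: [(window_start, count)]."""
    size = int(window.total_seconds())
    buckets = Counter()
    for r in records:
        if r["event"] == "sms_sent":
            epoch = int(parse_ts(r["ts"]).timestamp())
            buckets[datetime.fromtimestamp(epoch - epoch % size, tz=timezone.utc)] += 1
    return sorted((start, n) for start, n in buckets.items() if n > threshold)


def change_then_reset(records, window=timedelta(hours=24)):
    """Users whose phone number changed within `window` before a completed reset.

    A fresh number followed quickly by a reset is the pattern a SIM swap or a
    takeover of the account's contact details produces; review these by hand.
    """
    last_change, hits = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):   # ISO timestamps sort as text
        t = parse_ts(r["ts"])
        if r["event"] == "phone_changed":
            last_change[r["user"]] = t
        elif r["event"] == "reset_completed":
            changed = last_change.get(r["user"])
            if changed is not None and t - changed <= window:
                hits.append((r["user"], t - changed))
    return hits


def country_summary(records, bill_blocked=False):
    """Per country: SMS transaction count, decision counts, estimated cents.

    bill_blocked is an assumption knob: the example does not meter blocked
    transactions; check your invoice and flip it if they are charged.
    """
    out = defaultdict(lambda: {"sends": 0, "decisions": Counter(), "cents": 0})
    for r in records:
        if r["event"] != "sms_sent":
            continue
        c = out[r["country"]]
        c["sends"] += 1
        c["decisions"][r["decision"]] += 1
        if bill_blocked or r["decision"] != "Block":
            c["cents"] += TIER_CENTS[COUNTRY_TIER.get(r["country"], 3)]  # unknown -> top tier
    return dict(out)


if __name__ == "__main__":
    print("bursts:", sms_bursts(SAMPLE))
    print("number change then reset:", change_then_reset(SAMPLE))
    for country, s in country_summary(SAMPLE).items():
        print(country, s["sends"], dict(s["decisions"]), f"${s['cents'] / 100:.2f}")
```

Run against a real export, the country summary doubles as the false-positive monitor from the troubleshooting section: a country whose Block or Challenge share climbs while its send volume stays flat is where legitimate users are most likely being turned away.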

Security hardening

  • Prefer phishing‑resistant methods for privileged accounts. Reserve SMS for lower‑risk external accounts and require FIDO/WebAuthn or authenticator app methods for administrators and sensitive roles. This aligns with CISA’s MFA guidance that ranks methods and recommends moving to phishing‑resistant options where feasible.
  • Use number validation controls. Require users to confirm ownership of numbers during registration and apply controls to prevent changing the phone number without additional verification.
  • Plan for SIM swap prevention. Educate users about SIM swap risks and adopt monitoring for suspicious phone number changes or rapid re‑registrations.

Troubleshooting and known issues

  • Phone reputation can block valid numbers. Community threads and Microsoft Q&A show legitimate users sometimes encounter “bad reputation” blocks. If you see this, escalate to Microsoft support and provide audit logs to help diagnose whether carrier or reputation heuristics are involved. Have alternative verification paths (email OTP, authenticator app) ready.
  • New tenants may see throttling. Microsoft applies extra safeguards to newly created tenants to reduce abuse; these throttles can affect SMS delivery during the tenant ramp‑up period. Plan pilots accordingly.
  • Delivery differences by region and number type. Test domestic mobile, international roaming, and VoIP/landline behaviors; some number types may be more likely to get flagged or not support SMS reliably.

Critical analysis: balancing convenience, cost and security

Microsoft’s introduction of SMS-based SSPR for Entra External ID acknowledges a simple reality: many external users expect SMS as a recovery channel, and administrators want to reduce help‑desk friction. The value is clear — lower support costs, a friendlier UX for external customers, and a quicker path back into services. Microsoft’s decision to integrate the Phone Reputation platform is an important risk mitigation step that elevates SMS from a purely convenience mechanism into a risk‑aware service.
However, caution is warranted. SMS remains a comparatively weak authentication/out‑of‑band channel relative to app‑based authenticators and hardware-based phishing‑resistant methods. National agencies and standards bodies recommend prioritizing more resilient methods for high‑value accounts. Administrators should therefore treat SMS SSPR as one tool in a layered recovery program — good for broad coverage and user convenience but not a substitute for stronger, phishing‑resistant options where the security posture demands them.
Cost is the second axis of concern. Per‑message billing quickly becomes material at scale. Microsoft’s grouping of countries into pricing tiers helps estimate spend, but organizations must actively monitor usage and consider rate controls, caps, and fallback policies to avoid runaway bills.
Finally, reputational filtering and anti‑abuse heuristics are necessary but produce operational overhead. Past community experience shows that phone reputation heuristics can generate false positives, and when they do, they create friction and help‑desk calls — the very problem SMS was intended to solve. Administrators will need to maintain a balance between strict telephony controls and user experience.

Checklist for production readiness (quick reference)

  • Confirm feature availability in tenant (Entra admin center).
  • Model expected monthly SMS transactions and map to Microsoft’s pricing tiers.
  • Pilot with a representative user group across target geographies.
  • Ensure Email OTP and authenticator‑app fallbacks are enabled.
  • Harden recovery policies for privileged or high‑risk accounts (prefer FIDO/WebAuthn).
  • Configure logging and alerts for SSPR, phone reputation blocks, and unexpected volume.
  • Prepare helpdesk runbooks for blocked phone numbers and SIM swap incidents.
  • Communicate to users how to register and protect phone numbers and what to do if SMS is blocked.

Conclusion

The arrival of SMS-based self‑service password reset in Microsoft Entra External ID is a pragmatic addition: it lowers friction for many external users, provides administrators with more flexible recovery options, and includes layered telephony fraud protection through Microsoft’s Phone Reputation platform. For many organizations, the feature will reduce help‑desk overhead and improve customer experience.
At the same time, SMS is not a panacea. It carries known security weaknesses, ongoing cost implications, and operational complexity introduced by telephony reputation systems. The most resilient approach is a measured rollout: pilot the feature, budget for SMS usage, enforce multi-method verification where possible, preserve stronger authenticators for sensitive accounts, and prepare exceptional handling for phone reputation blocks. When used thoughtfully, SMS SSPR can be a valuable component of a comprehensive and practical external identity recovery strategy.

Source: Petri IT Knowledgebase Microsoft Entra External ID Adds SMS Password Reset for Easier Recovery