📝 Modified Documentation Files

MODIFIED docs/external-id/customers/how-to-enable-password-reset-customers.md

Modified by csmulligan on Feb 27, 2026 2:26 PM
📖 View on learn.microsoft.com

+55 / -20 lines changed

Commit: SMS with SSPR.

Changes:

Before

After

 
Self-service password reset (SSPR) in Microsoft Entra External ID gives customers the ability to change or reset their password, with no administrator or help desk involvement. If a customer's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work.
 
## How does the password reset process work?
 
The self-service password uses the email one-time passcode (Email OTP) authentication. When enabled, customer users who forgot their passwords use Email OTP authentication. With one-time passcode authentication, users verify their identity by entering the one-time passcode sent to their email address, and are then prompted to change their password.
 
The following screenshots show the self-service password rest flow. From the app, the customer chooses to sign-in. On the sign-in page, the user types their email and selects **Next**. If users forgot their password, they choose the **Forgot password?** option. Microsoft Entra ID sends the passcode to email address provided on the first page. The customer needs to type the passcode to continue. 
 
:::image type="content" source="media/how-to-enable-password-reset-customers/sspr-flow.png" alt-text="Screenshot that shows the self-service password rest flow.":::
 
## Prerequisites
 
- If you haven't already created your own external tenant, create one now.
- If you haven't already created a User flow, [create one](how-to-user-flow-sign-up-sign-in-customers.md) now.
 
## Enable self-service password reset for customers
 
    :::image type="content" source="media/how-to-enable-password-reset-customers/email-authentication-method.png" alt-text="Screenshot that shows how to enable email authentication.":::

 
Self-service password reset (SSPR) in Microsoft Entra External ID gives customers the ability to change or reset their password, with no administrator or help desk involvement. If a customer's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work.
 
## How the password reset process works
 
Self-service password reset (SSPR) supports two authentication methods: email one-time passcode (Email OTP) and SMS. When SSPR is enabled, users who forget their password can verify their identity using either Email OTP or SMS. With one-time passcode authentication, a passcode is sent by email or SMS. After entering the passcode, the user is prompted to create a new password.
 
The process works as follows:
 
1. From the app, the user selects **Sign in**.
1. On the sign-in page, they enter their email address and choose **Next**.
1. If the user forgot their password, they select **Forgot password?**.
1. The user is prompted to choose how to verify their identity. They can select a one-time passcode sent to their email or phone, based on the methods they registered.
1. A one-time passcode is sent to the email address they entered on the first page or to their registered phone number.
1. The user enters the passcode to continue.
1. After successfully verifying their identity, the user is prompted to create a new password.
 
## Prerequisites
 
- If you haven't already created your own external tenant, create one now.

MODIFIED docs/identity/authentication/concept-system-preferred-multifactor-authentication.md

Modified by Justinha on Feb 27, 2026 3:12 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Update concept-system-preferred-multifactor-authentication.md

Changes:

Before

After

title: System-preferred multifactor authentication (MFA)
description: Learn how to use system-preferred multifactor authentication
ms.topic: concept-article
ms.date: 03/19/2025
ms.reviewer: msft-poulomi
 
# Customer intent: As an identity administrator, I want to encourage users to sign in with the most secure authentication method they registered.
 
1. [Temporary Access Pass](howto-authentication-temporary-access-pass.md)
1. [Passkey (FIDO2)](concept-authentication-passwordless.md#passkeys-fido2)
1. [External authentication methods](how-to-authentication-external-method-manage.md)
1. [Microsoft Authenticator notifications](concept-authentication-authenticator-app.md)
1. [Time-based one-time password (TOTP)](concept-authentication-oath-tokens.md)<sup>1</sup>
1. [Telephony](concept-authentication-phone-options.md)<sup>2</sup>

title: System-preferred multifactor authentication (MFA)
description: Learn how to use system-preferred multifactor authentication
ms.topic: concept-article
ms.date: 02/27/2026
ms.reviewer: msft-poulomi
 
# Customer intent: As an identity administrator, I want to encourage users to sign in with the most secure authentication method they registered.
 
1. [Temporary Access Pass](howto-authentication-temporary-access-pass.md)
1. [Passkey (FIDO2)](concept-authentication-passwordless.md#passkeys-fido2)
1. [External MFA](how-to-authentication-external-method-manage.md)
1. [Microsoft Authenticator notifications](concept-authentication-authenticator-app.md)
1. [Time-based one-time password (TOTP)](concept-authentication-oath-tokens.md)<sup>1</sup>
1. [Telephony](concept-authentication-phone-options.md)<sup>2</sup>

MODIFIED docs/external-id/customers/concept-supported-features-customers.md

Modified by csmulligan on Feb 27, 2026 2:26 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: SMS with SSPR.

Changes:

Before

After

| **Roles and administrators**| [Roles and administrators](~/fundamentals/how-subscriptions-associated-directory.md) are fully supported for administrative and user accounts. | Roles are supported for all users. All users in an external tenant have [default permissions](reference-user-permissions.md) unless they’re assigned an [admin role](how-to-manage-admin-accounts.md).|
| **ID Protection**    |   Provides ongoing risk detection for your Microsoft Entra tenant. It allows organizations to discover, investigate, and remediate identity-based risks.    |   Not available    |
| **ID Governance**    |   Enables organizations to govern identity and access lifecycles, and secure privileged access. [Learn more](~/id-governance/identity-governance-overview.md).    |   Not available    |
| **Self-service password reset**    |   Allow users to reset their password using up to two authentication methods (see the next row for available methods).    |   Allow users to reset their password using email with one time passcode. [Learn more](how-to-enable-password-reset-customers.md).     |  
| **Language customization**    | Customize the sign-in experience based on browser language when users authenticate into your corporate intranet or web-based applications.     |   Use languages to modify the strings displayed to your customers as part of the sign-in and sign-up process. [Learn more](concept-branding-customers.md).   |
| **Custom attributes**    |    Use directory extension attributes to store more data in the Microsoft Entra directory for user objects, groups, tenant details, and service principals.    |   Use directory extension attributes to store more data in the customer directory for user objects. Create custom user attributes and add them to your sign-up user flow. [Learn more](how-to-define-custom-attributes.md).    |
| **Pricing**    | [Monthly active users (MAU) pricing](../external-identities-pricing.md) for B2B collaboration external guests (UserType=Guest).      | [Monthly active users (MAU) pricing](../external-identities-pricing.md) for all users in the external tenant regardless of role or UserType.    |
|---------|---------|---------|---------|---------|
| [Email with password](./concept-authentication-methods-customers.md#email-and-password-sign-in) | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |  |  |
| [Email one-time passcode](./concept-authentication-methods-customers.md#email-with-one-time-passcode-sign-in)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |:::image type="icon" source="../media/common/applies-to-yes.png" border="false":::   | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |
| [SMS-based authentication](./concept-multifactor-authentication-customers.md#sms-based-authentication)|  |  |  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |
| [Apple federation](./how-to-apple-federation-customers.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |:::image type="icon" source="../media/common/applies-to-yes.png" border="false":::   |  |  |
| [Facebook federation](./how-to-facebook-federation-customers.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |  |  |
| [Google federation](./how-to-google-federation-customers.md) | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |  |  |

| **Roles and administrators**| [Roles and administrators](~/fundamentals/how-subscriptions-associated-directory.md) are fully supported for administrative and user accounts. | Roles are supported for all users. All users in an external tenant have [default permissions](reference-user-permissions.md) unless they’re assigned an [admin role](how-to-manage-admin-accounts.md).|
| **ID Protection**    |   Provides ongoing risk detection for your Microsoft Entra tenant. It allows organizations to discover, investigate, and remediate identity-based risks.    |   Not available    |
| **ID Governance**    |   Enables organizations to govern identity and access lifecycles, and secure privileged access. [Learn more](~/id-governance/identity-governance-overview.md).    |   Not available    |
| **Self-service password reset**    |   Allow users to reset their password using up to two authentication methods (see the next row for available methods).    |   Allow users to reset their password using email with one time passcode or SMS. [Learn more](how-to-enable-password-reset-customers.md).     | 
| **Language customization**    | Customize the sign-in experience based on browser language when users authenticate into your corporate intranet or web-based applications.     |   Use languages to modify the strings displayed to your customers as part of the sign-in and sign-up process. [Learn more](concept-branding-customers.md).   |
| **Custom attributes**    |    Use directory extension attributes to store more data in the Microsoft Entra directory for user objects, groups, tenant details, and service principals.    |   Use directory extension attributes to store more data in the customer directory for user objects. Create custom user attributes and add them to your sign-up user flow. [Learn more](how-to-define-custom-attributes.md).    |
| **Pricing**    | [Monthly active users (MAU) pricing](../external-identities-pricing.md) for B2B collaboration external guests (UserType=Guest).      | [Monthly active users (MAU) pricing](../external-identities-pricing.md) for all users in the external tenant regardless of role or UserType.    |
|---------|---------|---------|---------|---------|
| [Email with password](./concept-authentication-methods-customers.md#email-and-password-sign-in) | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |  |  |
| [Email one-time passcode](./concept-authentication-methods-customers.md#email-with-one-time-passcode-sign-in)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |:::image type="icon" source="../media/common/applies-to-yes.png" border="false":::   | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |
| [SMS-based authentication](./concept-multifactor-authentication-customers.md#sms-based-authentication)|  |  |:::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |
| [Apple federation](./how-to-apple-federation-customers.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |:::image type="icon" source="../media/common/applies-to-yes.png" border="false":::   |  |  |
| [Facebook federation](./how-to-facebook-federation-customers.md)| :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |  |  |
| [Google federation](./how-to-google-federation-customers.md) | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  | :::image type="icon" source="../media/common/applies-to-yes.png" border="false":::  |  |  |

MODIFIED docs/external-id/customers/concept-multifactor-authentication-customers.md

Modified by csmulligan on Feb 27, 2026 2:26 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: SMS with SSPR.

Changes:

Before

After

 
## SMS-based authentication
 
SMS is available at additional cost for second-factor verification in external tenants. Currently, SMS isn't available for first-factor authentication or self-service password reset in external tenants.
 
When SMS is enabled for MFA, users sign in with their primary method and are prompted to verify their identity with a code sent via text. They enter their phone number and receive an SMS with the verification code.

 
## SMS-based authentication
 
SMS is available at an additional cost for second-factor verification and for self-service password reset in external tenants. It isn't currently supported for first-factor authentication.
 
When SMS is enabled for MFA, users sign in with their primary method and are prompted to verify their identity with a code sent via text. They enter their phone number and receive an SMS with the verification code.

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files