Microsoft has quietly rolled out a new self-service Account Recovery (Preview) experience in Microsoft Entra ID. This feature aims to simplify how users regain access to their accounts when they forget their password or when other authentication methods fail.
Although the feature isn’t fully functional yet, and official documentation is still pending, the preview already shows Microsoft’s intended direction. The goal is to provide self-service account recovery by integrating trusted third-party identity verification (IDV) to securely confirm a user’s identity using ID scans, biometrics, and other checks.
Why This New Account Recovery Model in Entra ID?
Today, users rely on multi-factor authentication methods such as push notifications, passcodes, hardware tokens, and SMS. They also depend on Self-Service Password Reset (SSPR) when they forget their password.
But what if a user loses every method at once, for example when a phone is stolen, the authenticator app is wiped, the SIM is changed, or the email address used for SSPR is no longer accessible? In such cases, users hit a dead end. The only fallback is the helpdesk, which must manually verify the user’s identity.
This approach has two major problems:
- Security Risk – Helpdesk verification relies on trust, which can be exploited through social engineering.
- Operational Cost – Microsoft reports that up to 50% of helpdesk volume comes from account lockouts.
To bridge these gaps, Microsoft’s new account recovery experience introduces identity verification during recovery. This allows users to securely prove their real-world identity through a trusted identity verification provider, without relying on helpdesk intervention.
How Does the New Self-Service Account Recovery Model Work?
Based on the UI preview, it appears that Microsoft is integrating with third-party identity verification (IDV) providers. This process is tailored to include document proofing, biometric liveness detection, and the Entra ID Face Check technology.
For example, you may be prompted to scan your government-issued certificate and take a selfie, a process far more difficult for an attacker to spoof. The method of verification depends on the identity verification partner you choose. Once the verification is completed, Entra ID validates that the first and last name received from the identity verification provider match the user details stored in the directory.
In short, this model proves who you are, not just whether you control a device or password, dramatically reducing the risk of spoofing and account takeover. This lets secure self-service account recovery deliver a frictionless user experience without exposing the organization to evolving cybersecurity risks.
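The name comparison described above is sensitive to how names are written on an ID document versus in the directory. The following added example (not Microsoft's implementation, which is undocumented at this stage) sketches a fail-closed comparison; the claim keys `firstName`/`lastName`, the function names, and the sample values are assumptions constructed for illustration.

```python
import unicodedata


def normalize_name(value):
    """Fold a name for comparison: drop diacritics, case, and punctuation."""
    decomposed = unicodedata.normalize("NFKD", value or "")
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Hyphens, apostrophes (straight or curly), and dots become separators.
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(cleaned.split())


def names_match(idv_claims, directory_user, allow_extra_given_names=False):
    """Compare IDV-provided names with the directory record of the account
    being recovered. Returns (matched, reason); any missing value fails closed."""
    doc_first = normalize_name(idv_claims.get("firstName"))   # assumed claim key
    doc_last = normalize_name(idv_claims.get("lastName"))     # assumed claim key
    dir_first = normalize_name(directory_user.get("givenName"))
    dir_last = normalize_name(directory_user.get("surname"))

    if not all((doc_first, doc_last, dir_first, dir_last)):
        return False, "missing_name"
    if doc_last != dir_last:
        return False, "surname_mismatch"
    if doc_first == dir_first:
        return True, "match"
    if allow_extra_given_names:
        # ID documents often carry middle names the directory omits.
        doc_tokens, dir_tokens = doc_first.split(), dir_first.split()
        if doc_tokens[:len(dir_tokens)] == dir_tokens:
            return True, "match_ignoring_middle_names"
    return False, "given_name_mismatch"


if __name__ == "__main__":
    # Constructed sample data, not real users.
    directory_user = {"givenName": "Maria", "surname": "García"}
    for claims in (
        {"firstName": "MARIA", "lastName": "Garcia"},
        {"firstName": "Maria Luisa", "lastName": "Garcia"},
        {"firstName": "Garcia", "lastName": "Maria"},
    ):
        print(claims, names_match(directory_user=directory_user, idv_claims=claims))
```

A name match only ties the verified person to the account being recovered; it cannot tell apart two employees who share a name, so directory name hygiene matters before enabling production mode.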
What’s Included in the Self-Service Account Recovery Experience
The new ‘Account Recovery (Preview)’ wizard is available under the Entra ID section in the Entra admin center. Let’s explore each feature associated with this self-service account recovery.
- Set up self-service account recovery
- Calculate the benefits of new account recovery
- See the new account recovery in action
Note: This feature is still being built out, and Microsoft is actively working to make the full experience available soon.

Set Up Self-Service Account Recovery in Entra Admin Center
The setup wizard in ‘Account Recovery (Preview)’ introduces a structured and guided approach for configuring the new identity-verified account recovery flow. You can start by clicking the Get Started button in the ‘Set up account recovery’ tile.
Step 1: Choose a Recovery Mode
The setup begins with selecting a recovery mode. You will be presented with two options.
- Evaluation mode – Allows you to test the identity verification flow without enabling real account recovery.
- Production mode – Enables full recovery functionality based on identity verification providers selected in the upcoming steps.
After selecting the appropriate mode, proceed to the next step.
Step 2: Select Users and Groups
In the next step, you define the users who can participate in the new account recovery experience. The wizard allows you to include or exclude specific groups, making it easy to test the feature with a limited audience before rolling it out more broadly. You can update the group and user details at any time. Once the target groups are chosen, you can continue to the next step.
Step 3: Configure Identity Verification Providers
The wizard then prompts you to select a trusted identity verification (IDV) provider that will perform document proofing and biometric checks during account recovery. After selecting an IDV provider based on your country and the document type, you can move to the final step.
Step 4: Review and Finalize
The final screen provides a summary of your configuration, including the selected recovery mode, assigned user groups, identity verification provider status, and account validation attributes. Once everything looks correct, you can click Complete to finish the setup.
Built-in Calculator to Find the Savings on Account Recovery
Microsoft states that account recovery issues can potentially lead to two months of lost productivity or cost an organization up to $30,000 per month. To help organizations understand the impact, the preview includes a built-in savings calculator that estimates the operational benefits of using self-service account recovery.

- Instead of simply showing numbers, this tool helps you gain insights into how much time and cost your organization could save by moving away from traditional helpdesk-driven recovery.
- By comparing current helpdesk dependency with the projected efficiency of the new recovery model, the calculator provides a clear picture of potential monthly savings and productivity improvements.
How End Users Can Perform Self-Service Account Recovery in Entra ID
Once you’ve configured account recovery, you’ll be able to test it out in the sign-in experience. If a user cannot access any of their authentication methods, the sign-in page will guide them into the recovery flow.
- Start the sign-in process. Select “Other ways to sign in”.
- Select Recover your account.
- The system prompts them for identity verification (ID scan + face check).
- Once verified, the user is granted access to sign in.
- The user can then sign in and re-register their authentication methods.
After an account recovery is completed, its audit record is stored in a dedicated section within the Entra portal. Keeping recovery events separate from other audit logs makes it easy to see who initiated the recovery, the status, timestamp, and other related details. You can view this dedicated audit report under the View Audit Logs tab on the Account Recovery (Preview) page.
Closing Lines
This new account recovery with identity verification will significantly reduce helpdesk workload and lower account lockout downtime. It will also deliver a streamlined recovery process fully integrated with the Entra Verified ID ecosystem.
As the preview matures and identity verification partners become available, this will likely become one of the most impactful enhancements to Entra’s self-service capabilities. We’ll update you once the feature becomes fully operational.
What are your thoughts on this new recovery model? Will it be useful for your organization, and do you plan to adopt it? Share your thoughts in the comments and stay tuned!





