Introduction
Account recovery in Microsoft Entra ID has evolved significantly with the introduction of automated identity verification. However, this feature initially presented a major gap: the absence of conditional access (CA) controls. This limitation could potentially create a backdoor for attackers, allowing them to compromise accounts by exploiting the recovery process.
Good news
Microsoft is progressively rolling out conditional access support for account recovery, according to item 529855 of the official Microsoft 365 roadmap.
The strategic importance of this update
Before the introduction of Entra ID account recovery, losing all authentication methods necessarily required technical support intervention. The new automated recovery feature allows users to regain access through in-depth identity verification with a trusted provider.
The update brings two crucial elements:
- The ability to target the specific user action urn:user:accountrecovery in conditional access policies
- Integration of the verifiedID control to strengthen process security
Administrator control
This evolution allows administrators to precisely define the conditions that must be met before a user can use the verified identity recovery process.
Although the exact supported conditions are not yet fully defined, administrators may be able to control:
- Geographic location: Limit recovery to certain zones
- Device compliance: Require managed devices
- Platform: Restrict by operating system
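The following is an added example, not code from the original post or from Microsoft, showing how the three potential controls listed above are expressed in the Microsoft Graph conditional access policy schema. It assumes, as the post itself notes is not yet confirmed, that the urn:user:accountrecovery user action honours the locations and platforms conditions and the compliantDevice grant control; the named location ids are placeholders.

```powershell
# Added example: build the request body for a recovery policy that layers location,
# platform and device-compliance controls on top of the Verified ID requirement.
# Assumption: the account recovery user action honours these conditions (unconfirmed).
function New-RecoveryPolicyBody {
    param(
        [string]   $DisplayName = "Account recovery: Verified ID (report-only)",
        # Named location ids come from /identity/conditionalAccess/namedLocations.
        # Placeholder values; replace with ids from your own tenant.
        [string[]] $AllowedLocationIds = @("<NAMED-LOCATION-ID>"),
        # Graph platform values: android, iOS, windows, windowsPhone, macOS, linux, all
        [string[]] $Platforms = @("windows", "macOS"),
        [switch]   $RequireCompliantDevice,
        # Geographic limitation: block recovery everywhere except the allowed locations
        [switch]   $BlockOutsideAllowedLocations
    )

    if ($BlockOutsideAllowedLocations) {
        # "Limit recovery to certain zones" is a block policy scoped to all locations
        # minus the allowed ones; it is paired with a separate require-Verified-ID policy.
        $locations = @{ includeLocations = @("All"); excludeLocations = $AllowedLocationIds }
        $grants    = @("block")
    }
    else {
        # Evaluate everywhere; require Verified ID (and optionally a managed device)
        $locations = @{ includeLocations = @("All"); excludeLocations = @() }
        $grants    = @("verifiedID")
        if ($RequireCompliantDevice) { $grants += "compliantDevice" }
    }

    @{
        displayName   = $DisplayName
        # Report-only first: evaluate the policy in sign-in logs before enforcing it
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            applications = @{ includeUserActions = @("urn:user:accountrecovery") }
            users        = @{ includeUsers = @("All") }
            locations    = $locations
            # Platform: only evaluate on the listed operating systems
            platforms    = @{ includePlatforms = $Platforms; excludePlatforms = @() }
        }
        grantControls = @{
            operator        = "AND"   # every listed control must be satisfied
            builtInControls = $grants
        }
    }
}

# Inspect the JSON before posting it to /beta/identity/conditionalAccess/policies
$requireBody = New-RecoveryPolicyBody -RequireCompliantDevice
$requireBody | ConvertTo-Json -Depth 10

$blockBody = New-RecoveryPolicyBody -DisplayName "Account recovery: block outside allowed locations" -BlockOutsideAllowedLocations
$blockBody | ConvertTo-Json -Depth 10
```

Both bodies are created in report-only state so that the Entra sign-in logs show what each policy would have done before it is switched to enabled.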
Configuring the conditional access policy
The policy can already be configured, even though full deployment is planned for May 2026. Some features are already available in the Entra administration center.
Access to the administration center
Sign in to entra.microsoft.com and navigate to Entra ID > Conditional Access.
Creation from a template
Select Create a new policy from templates in the main interface.
Search for the specialized template
Enter verified in the search bar. The Secure account recovery with identity verification (Preview) template will only appear when actively searching.
Review and create
Select the found policy and click Review + Create to finalize the configuration.
Deployment via PowerShell and Microsoft Graph
For a programmatic approach, use the Invoke-MgGraphRequest cmdlet with Microsoft Graph PowerShell:
```powershell
# Sign in with a scope that permits creating conditional access policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$body = @{
    displayName     = "Secure account recovery with identity verification (Preview)"
    # state is required by the API; start in report-only mode and switch to "enabled"
    # once the sign-in logs confirm the expected behaviour
    state           = "enabledForReportingButNotEnforced"
    sessionControls = $null
    conditions      = @{
        userRiskLevels             = @()
        signInRiskLevels           = @()
        clientAppTypes             = @("all")
        servicePrincipalRiskLevels = @()
        applications               = @{
            includeApplications                         = @()
            excludeApplications                         = @()
            # Target the account recovery user action rather than a cloud app
            includeUserActions                          = @("urn:user:accountrecovery")
            includeAuthenticationContextClassReferences = @()
            applicationFilter                           = $null
        }
        users                      = @{
            includeUsers                 = @("All")
            excludeUsers                 = @()
            includeGroups                = @()
            excludeGroups                = @()
            excludeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
                externalTenants          = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
    }
    grantControls   = @{
        operator                    = "AND"
        # Require a Verified ID presentation before recovery may proceed
        builtInControls             = @("verifiedID")
        customAuthenticationFactors = @()
        authenticationStrength      = $null
    }
}

# The hashtable is serialized to JSON by the cmdlet
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" -Body $body
```
Technical analysis of the policy
The configuration is based on two fundamental components that define its effectiveness:
User action targeting
The crucial element is found in the applications condition where we specify:
```json
"includeUserActions": ["urn:user:accountrecovery"]
```
This directive tells Entra ID that the policy applies not to a specific resource or context, but exclusively to the recovery action itself.
Verified identity control
The second pillar lies in the grantControls section:
```json
"builtInControls": ["verifiedID"]
```
Operating principle
This configuration literally imposes: "To recover your account, you must present a verified identity." Because the grant control is evaluated on the recovery action itself, a recovery attempt that cannot satisfy the Verified ID check does not proceed, instead of succeeding with no policy evaluation at all.
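An administrator will want to confirm that both pillars are actually in place in the tenant. The script below is an added example, not code from the original post or from Microsoft: it lists every conditional access policy, keeps those that target the urn:user:accountrecovery user action, and flags any that is not enforced for all users with the verifiedID grant control. It assumes the Microsoft.Graph PowerShell module is installed and that the caller can read conditional access policies.

```powershell
# Added example: audit the tenant for a conditional access policy that covers
# the account recovery user action and requires Verified ID.
Connect-MgGraph -Scopes "Policy.Read.All"

# Page through all policies (the beta endpoint returns an @odata.nextLink when needed)
$policies = @()
$uri = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"
while ($uri) {
    $page      = Invoke-MgGraphRequest -Method GET -Uri $uri
    $policies += $page.value
    $uri       = $page.'@odata.nextLink'
}

$findings = foreach ($p in $policies) {
    $actions = @($p.conditions.applications.includeUserActions)
    if ($actions -notcontains "urn:user:accountrecovery") { continue }

    $controls = @($p.grantControls.builtInControls)
    [pscustomobject]@{
        DisplayName        = $p.displayName
        State              = $p.state
        RequiresVerifiedID = $controls -contains "verifiedID"
        CoversAllUsers     = @($p.conditions.users.includeUsers) -contains "All"
        Enforced           = $p.state -eq "enabled"
    }
}

if (-not $findings) {
    # No policy at all: recovery runs without conditional access evaluation
    Write-Warning "No conditional access policy targets urn:user:accountrecovery."
}
else {
    $findings | Format-Table -AutoSize
    $findings |
        Where-Object { -not ($_.RequiresVerifiedID -and $_.Enforced -and $_.CoversAllUsers) } |
        ForEach-Object {
            Write-Warning "Policy '$($_.DisplayName)' targets recovery but is not enforced for all users with verifiedID."
        }
}
```

A policy left in report-only state (enabledForReportingButNotEnforced) is reported as not enforced; this is the expected result during the evaluation phase and the reminder to switch it on once the sign-in logs look right.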
Perspectives and recommendations
While this evolution represents significant progress, it raises questions about Microsoft's deployment strategy. Launching security features without appropriate controls is a risky practice, particularly in a business context.
Beware of hasty deployments
It is essential that organizations carefully evaluate these new features before production deployment, even when they come from established vendors.
Microsoft's responsiveness in closing this gap through conditional access nevertheless demonstrates a responsible approach to community feedback.
Official Microsoft reference links
- Official Entra ID Conditional Access Documentation
- Microsoft Graph API - Conditional Access
- Entra ID Account Recovery Documentation
- Microsoft 365 Roadmap Item 529855
- PowerShell Microsoft Graph Module
Glossary of technical terms
Conditional Access: Policy-based access control system that evaluates conditions before granting access to resources.
Entra ID: Microsoft's identity and access management service, formerly Azure Active Directory.
Verified ID: Decentralized identity verification system based on open standards allowing cryptographic identity verification.
Microsoft Graph: Microsoft's unified API allowing access to Microsoft 365, Windows 10, and Enterprise Mobility + Security data and services.
URN (Uniform Resource Name): Unique identifier used to persistently name resources, here urn:user:accountrecovery.
Conditional Access Policy: Rule configured in Entra ID defining the conditions and access controls for specific scenarios.
Grant Controls: Security mechanisms that must be satisfied before access is granted in a conditional access policy.
