How I Recovered My Entra ID Account Using My Bahrain CPR: A Complete Guide to Entra Account Recovery (Preview)

In modern digital workplaces, employees rely on multiple authentication methods, Authenticator apps, passkeys, biometrics, hardware keys, SMS/voice, and more to seamlessly access organizational resources. But what happens when all those authentication methods are lost?

A stolen phone, misplaced hardware token, or accidental device wipe can leave users unable to sign in. Even worse, passwordless users, who rely purely on secure, phishing-resistant authentication ,have no fallback to recover access on their own. Until now, IT helpdesks had to step in, verify identity manually, and issue new credentials. This process is slow, expensive, and vulnerable to social engineering attacks.

Microsoft Entra Account Recovery (Preview) changes this model entirely.

Instead of depending on remaining authentication methods, Entra Account Recovery re-establishes trust in the user’s identity through secure, high-assurance identity verification using Verified ID, Face Check, and trusted Identity Verification Providers (IDVs).

This preview capability introduces a powerful, end-to-end, self-service recovery flow that enables users to recover their accounts even when they have lost all authentication methods without relying on human helpdesk intervention.

Why Account Recovery Matters

Traditional self-service password reset (SSPR) assumes that the user still has access to at least one authentication factor. For scenarios where every method is lost or compromised, SSPR simply doesn’t work.

Account Recovery is designed for:

• Total authentication loss (lost/stolen phone, no backup codes, hardware keys unavailable)
• Passwordless accounts that rely solely on strong authentication
• Security incidents where all authentication methods must be reset
• Remote/hybrid users who cannot visit IT physically for identity verification

Instead of verifying what you know or what you have, Account Recovery verifies who you are.

How Account Recovery Differs From SSPR

Aspect	Self-Service Password Reset (SSPR)	Account Recovery
Primary use case	User forgot password but still has access to one or more authentication methods.	User has lost access to all authentication methods (total lockout scenario).
Authentication requirement	Requires at least one pre-registered authentication method (policy can require one or two methods).	Requires successful identity verification via a certified Identity Verification Provider (IDV).
Trust assumption	User identity is trusted based on existing registered methods.	User identity must be re-established from scratch through high-assurance identity proofing.
Recovery scope	Resets or changes the user’s password.	Provides temporary access and enables complete re-enrollment of authentication methods.
Technology dependency	Depends on existing authentication methods and SSPR configurations.	Depends on identity verification services, Microsoft Entra Verified ID, and Face Check.
Security level	Medium – relies on previously registered factors and configurations.	High – based on government ID, biometrics, and strong identity verification from trusted providers.

Business Benefits

Reduce Helpdesk Load

Full lockouts create high-severity tickets that require manual identity validation. Account Recovery replaces this with automated, verifiable identity proofing.

Improve User Productivity

Users recover access in minutes instead of hours or days, crucial for executives and remote workers.

Strengthen Security and Reduce Human Risk

Social engineering attacks targeting helpdesks are eliminated because identity proofing happens through secure, AI-backed providers, not human judgment.

Scales Across Global Organizations

Supports remote teams across 190+ countries using government-issued IDs.

How Account Recovery Works (End-to-End Workflow)

The recovery flow activates at sign-in when the user selects “I can’t access my account.”

Step 1 Begin Recovery

• User enters their username/email
• Entra checks if the user is eligible (based on policies and licensing)
• User is redirected to the tenant-selected IDV (based on geography)

Step 2 Identity Verification Through an IDV

The provider completes high-assurance identity verification: 

• Document scanning (passport, driver’s license, national ID)
• Fraud detection (tamper check, hologram validation) 
• Face Check (liveness + match with ID document photo) 

 If successful: 

•  A Verifiable Credential (Verified ID) is issued 
•  Stored in Microsoft Authenticator

Step 3 Verified ID Presentation

• User presents their Verified ID credential back to Entra
• Entra validates cryptographic integrity
• Matches verified attributes (e.g., First Name, Last Name) 
• If attributes don’t match exactly → Recovery fails (helpdesk fallback)

Step 4 Access Restoration

Once identity is confirmed:

• Entra issues a Temporary Access Pass (TAP)
• User re-registers MFA/Passwordless methods
• Full access is restored

This ensures the recovery process is secure, repeatable, and auditable.

Prerequisites

 You need: 

• Microsoft Entra ID P1 license
• Face Check license (Entra Suite or standalone)
• Verified ID enabled + Face Check configured
• Authentication Administrator role in the tenant
• Azure Subscription with Owner/Contributor role 
• Subscription to an IDV provider through Microsoft Security Store 

 Preview limitations: 

•  First Name + Last Name must match exactly 
•  Users with identical names are blocked (for now) 
•  Ideal for testing with small groups before full rollout

Cost & Adoption Considerations

Microsoft estimates that 1–3% of users per month require account recovery.

You can use the Integrated Cost Savings Calculator in the Entra admin center to compare:

• Current helpdesk-based recovery cost

vs.

• Automated self-service account recovery cost

This helps organizations plan adoption and budgeting effectively.

Below is the sample estimate for a 100 users environment.

How to Enable Account Recovery (Preview)

Sign in to the Entra Admin Center

Go to: Identity → Account Recovery (Preview)

Choose Setup Mode

Select Evaluation if you wanted evaluate the feature (recommended for testing)

Evaluation mode allows users to experience the identity verification process, but it does not perform actual account recovery

I am going to select Production for actual account recovery process.

Next Choose the user groups allowed to enable the feature.

Next Select an Identity Verification Provider

At the moment, Entra supports three IDV providers: TrueCredential, AU10TIX, and IDEMIA. Because AU10TIX provides a one-month free trial, I opted to use it and activated the SaaS offer through the Microsoft Security Store. You’ll need an active Azure subscription and a resource group to provision the IDV service before completing the setup steps.

Choose an IDV from the Microsoft Security Store

Subscribe to its SaaS offering 

Choose the Billing plan, in our case Free Trial

Provide billing subscription, resource group, Resource Name. 

Now choose Billing Term and Number of users

Next Review the Plan details and Place order

it will take few minutes to complete the order processing 

Once the Order is successful you will see the SaaS Subscription is ready notification  page. Next, you’ll need to complete the setup on the IDV provider’s page. Click Configure Account Now, which will redirect you to the provider’s portal

Verify the details and Complete activation in the provider’s portal

Once activation is successful, you’ll be shown a confirmation or “Thank You” page. The exact message may vary depending on the IDV provider.

My Solution Page will shows the status of the IDV

Azure SaaS Solution deployment status will also show as successful

Now lets Return to Account Recovery configuration, Select the IDV provider which we activated. Click Next

Now Review and save configuration Once completed, users in scope can recover their account using Entra Verified ID

Now return to the Account Recovery page. You’ll notice that the recovery status is shown as Production mode, and the IDV status appears as Subscribed.

Entra Account Recovery Testing

Now let’s test the account recovery process. For the verification to succeed, the user’s First name, Last name, in Entra ID must match the details on the government-issued ID used during identity verification.

In my case, my full name is Sreejith Reghunathan Pillai.

First name: Sreejith Reghunathan

Last name: Pillai

Based on this format, I updated my user profile in Entra ID to ensure it aligns with the information on my official ID.

I already have Entra Verified ID with Face Check enabled in my tenant. If you need guidance on setting up Verified ID and Face Check, you can refer to my earlier blog post here: Getting Started with Microsoft Entra Verified ID for Secure Identity Management

Now let’s test the account recovery process for my user account. Before proceeding, keep the following points in mind:

1. Account Recovery is intended for actively used accounts that have recent authentication activity.
2. After enabling or updating the recovery scope, the user may need to sign in at least once before the recovery option becomes available. If you're testing with a new or rarely used account, make sure the user completes a normal authentication first.

If you still don’t see the “Recover your account” option during sign-in, verify that the user is included in the group you selected in the Account Recovery profile. Only users who are part of that group will be offered the recovery flow.

To begin testing, the user can visit https://login.microsoftonline.com
or start by signing in to any Microsoft application such as Outlook or OneDrive. Enter the username, and when prompted for an authentication method, select “Sign in another way.”

If all prerequisites are met, active account, proper group membership, and correct configuration, the “Recover your account” option will appear on the next screen.

After selecting Recover your account, you’ll be taken to the Let’s recover your account page. Here, you’ll be asked to confirm that you want to proceed to the IDV provider to verify your identity using a government-issued document such as a driver’s license or passport. Click Next to begin the verification process.

Now you’ll be redirected to the Identity Verification Provider (IDV) that you integrated with your Entra ID tenant. Click on Lets Begin to start the verification process

Once the process begins, the IDV provider will prompt you to get your official identification document ready, such as a passport or driver’s license, for verification. When you are prepared, click Start to continue.

You will also have the option to switch the verification flow to your mobile device, which makes it much easier to scan your ID and capture your selfie. In my case, I initiated the recovery on my laptop and then moved to my phone for a smoother ID scanning and Face Check experience.

After scanning the QR code, the process will continue in your mobile browser. Accept the terms and conditions and grant camera access to the IDV webpage to proceed.

Once you press I agree, you’ll be asked to scan your ID document. Tap Continue to start.

You will be prompted to capture both the front and back sides of your ID.

Once both the front and back of the ID are successfully captured, the IDV provider will display a confirmation page showing the ID issuing country’s logo. Click Continue to proceed to the selfie verification step. If the images appear blurry or unclear, you can retake the photos before moving forward.

Now, let’s proceed with the selfie verification.

It’s important to note that Face Check’s accuracy can be affected by lighting and background conditions. If the verification fails, administrators can review the event logs to see the confidence score produced by Face Check. For best results, users should capture their selfie in a dimmer environment, avoiding bright windows or direct lighting.

Face Check also includes an active mode that helps improve accuracy in very bright environments by using posture cues to validate the user.

During account recovery, the photo embedded in the user’s Verified ID is compared against the real-time Face Check capture. If the Verified ID photo is blurry or low quality, it may affect the matching process, although this is uncommon since the photo comes directly from the identity verification provider and government documents. Users can review the photo stored in their Microsoft Authenticator wallet to ensure it is clear enough for accurate comparison.

Once the selfie verification is successful, the IDV will take a few seconds to cross-check the selfie against the submitted ID document to confirm that they match.

After the verification is successful, you’ll see a confirmation message prompting you to save your Verified ID to your Microsoft Authenticator wallet.

When you select Open Authenticator, the Verified ID will be added to your Microsoft Authenticator wallet. You’ll then be prompted to complete a Face Check to continue with the account recovery process.

Press Next and continue with face check

Once the Face Check is successfully completed and matches the Verified ID issued by the IDV provider, you can proceed by sharing the Verified ID with Entra. Click Share to continue with the account recovery process.

Once the Verified ID issued by the IDV provider is accepted by Microsoft Entra, the system validates the account by comparing the verified claims, such as first and last name, against the user attributes stored in Entra ID. If the information matches correctly, Entra will issue a Temporary Access Pass (TAP), allowing the user to regain access and re-register their authentication methods.

If the account ownership cannot be confirmed, an error may appear. This is often caused by mismatches between the user’s profile details in Entra ID and the information on the government ID. For example, differences like “Sreejith” vs. “Sreejith Pillai,” variations in surname formats, or multi-part last names can lead to verification failures. During the preview phase, administrators can resolve these issues by updating the user’s profile to match the verified ID.

Another possible cause of failure is incorrect Temporary Access Pass configuration. Ensure that the group assigned for account recovery is also enabled for the Temporary Access Pass method in the Authentication Methods policy.

Now, let’s sign in using the Temporary Access Pass (TAP) and complete the setup of our authentication methods to fully regain access to the account.

After signing in, you will be prompted to set up your authentication methods.

We have now successfully recovered the account and completed the setup of our new authentication methods.

Final Thoughts

Microsoft Entra Account Recovery (Preview) delivers a major step forward in secure, user-driven identity recovery. As organizations embrace passwordless authentication, this capability fills a critical gap ensuring that even users who lose all their authentication methods can safely and confidently regain access.

By combining Verified ID, biometric checks, AI-powered fraud detection, and global IDV partners, Entra provides a resilient, modern alternative to traditional helpdesk-based identity proofing.

This is more than just a recovery tool, it is the future of secure digital identity lifecycle management.