Can the Microsoft Entra ID Self-Service Password Reset (SSPR) page be customized to provide custom real-time password validation?

Dey, Dipronil 0 Reputation points
2026-07-01T12:49:25.94+00:00

Hi Team,

We are using the built-in Microsoft Entra ID Self-Service Password Reset (SSPR) experience for our users.

We have a requirement to provide real-time password validation while the user is typing the new password, before they submit the password reset request.

Some of the validations we are looking for include:

  • Detecting sequential characters (e.g., 123, 1234, abcd, qwerty)
  • Blocking organization-specific keywords or custom banned words
  • Displaying a password strength indicator
  • Showing validation messages dynamically as the user types, instead of only after submission
  • Enforcing additional custom password rules beyond the default Microsoft Entra password policy

We understand that Microsoft Entra Password Protection supports global and custom banned password lists, but we would like to know whether the built-in SSPR UI can be extended or customized to perform these checks in real time.

Our questions are:

  1. Is it possible to customize the built-in Microsoft Entra ID SSPR page to add custom client-side (JavaScript) validation?
  2. Are there any supported extension points or APIs for adding custom runtime password validation?
  3. If this is not supported, what is Microsoft's recommended approach for organizations that require custom real-time password validation? Is building a custom password reset application using Microsoft Graph APIs the only supported option?

Any guidance or Microsoft recommendations would be appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Jerald Felix 15,370 Reputation points Volunteer Moderator
    2026-07-01T15:31:41.2466667+00:00

    Hello Dipronil,

    Greetings! Thanks for raising this question in the Q&A forum.

    The short answer is that the built-in Microsoft Entra ID SSPR page is a Microsoft-hosted, non-customizable UI. There is no supported way to inject custom JavaScript, add real-time client-side validation, or extend it with your own logic. Customization of that page is limited strictly to company branding elements (logo, background image, banner text, footer links). The password strength indicator and policy checks you see are evaluated server-side only after the user submits the new password, and this behavior cannot be changed.

    Here is how this maps to your three questions.

    1. Can you add custom client-side JavaScript to the built-in SSPR page? No. The SSPR page is served entirely by Microsoft and does not expose a way to inject scripts, CSS, or DOM hooks. Customization is limited to what is available under Entra admin center > Identity > Company Branding, which covers logos, background images, banner text, and the Contact your administrator link.

    2. Are there supported extension points or APIs for real-time validation on the built-in page? No. There are no documented extension points, webhooks, or client-side APIs for the SSPR experience itself. What you can control is the actual password policy enforcement, using these existing mechanisms:

    1. Global banned password list — automatically blocks common weak passwords and their variants (this is on by default and not configurable in content).
    2. Custom banned password list — lets you add organization-specific words (company name, product names, local slang) under Entra admin center > Protection > Authentication methods > Password protection.
    3. Complexity and length policy — standard Entra password policy (length, character classes) is enforced automatically on every SSPR submission.

    None of these provide real-time as-you-type feedback though. They only validate at submission time.

    3. What is Microsoft's recommended approach for real-time custom validation? Building your own password change experience is the only supported path if you need as-you-type validation, a strength meter, or custom rule messaging. There are two ways to do this depending on whether you need reset (forgotten password) or change (known password) semantics:

    1. Custom password change flow — use the Microsoft Graph PATCH /me/changePassword endpoint. This works when the signed-in user knows their current password, and lets you build any front-end validation logic (sequential character detection, custom banned words, strength meter) before calling Graph. Example call:
    PATCH https://graph.microsoft.com/v1.0/me/changePassword
    Content-Type: application/json
    
    {
      "currentPassword": "{current}",
      "newPassword": "{new}"
    }
    
    2. Custom password reset flow (forgotten password) — there is no public Microsoft Graph API that replicates the full SSPR reset experience (identity verification via registered methods, OTP, etc.) for a non-admin, unauthenticated user. If you need a fully custom reset flow, the supported pattern is to build the identity verification steps yourself (for example using Entra External ID custom policies, or your own MFA/OTP verification), then complete the reset using an app with the Password Administrator or User Administrator role calling PATCH /users/{id} with a passwordProfile object. This requires careful scoping since it is an admin-level operation, not a true self-service one.

    Whichever path you choose, keep your custom banned word list and complexity policy configured in Entra ID regardless, since Microsoft still enforces those centrally even if your custom UI adds its own pre-checks. This way your real-time client-side checks and the platform's server-side enforcement stay aligned.

    If this answer helps you, kindly accept the answer, which will help others who have similar questions.

    Best Regards,

    Jerald Felix.
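As an added illustration (not code from the question, the answer, or Microsoft), here is how the as-you-type checks the answer describes for a custom front end could look in JavaScript: sequential-character detection, a banned-word check and a simple strength score, run before any Graph call. The keyboard rows, substitution table, scoring thresholds and banned list are constructed sample data and assumptions, not Entra's own lists or policy.

```javascript
// Added example: client-side checks a custom password-change UI could run on every
// keystroke before calling Graph. Keyboard rows and LEET table are constructed sample data.
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"];
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

// True if pw contains `minLen` consecutive characters that are sequential by
// character code (abc, 123, cba) or adjacent on a keyboard row (qwe, ewq).
function hasSequentialRun(pw, minLen = 3) {
  const s = pw.toLowerCase();
  for (let i = 0; i + minLen <= s.length; i++) {
    const win = s.slice(i, i + minLen);
    const codes = [...win].map(c => c.charCodeAt(0));
    const step = codes[1] - codes[0];
    const monotone = codes.every((c, j) => j === 0 || c - codes[j - 1] === step);
    if (/^[a-z0-9]+$/.test(win) && Math.abs(step) === 1 && monotone) return true;
    const rev = [...win].reverse().join("");
    if (KEYBOARD_ROWS.some(row => row.includes(win) || row.includes(rev))) return true;
  }
  return false;
}

// Undo common substitutions (p@ssw0rd -> password), then look for banned terms.
// Returns the first banned word found, or null. `banned` is the tenant's own list.
function findBannedWord(pw, banned) {
  const norm = [...pw.toLowerCase()].map(c => LEET[c] ?? c).join("");
  return banned.find(w => norm.includes(w.toLowerCase())) ?? null;
}

// Rough 0-4 score from length and character-class variety (assumed thresholds).
function strengthScore(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter(r => r.test(pw)).length;
  let score = 0;
  if (pw.length >= 8) score++;
  if (pw.length >= 12) score++;
  if (classes >= 3) score++;
  if (classes === 4 && pw.length >= 14) score++;
  return score;
}

// Run every check; `messages` is what the UI shows live under the input. Entra
// still enforces its own policy server-side when the Graph call is finally made.
function validatePassword(pw, banned) {
  const messages = [];
  if (pw.length < 8) messages.push("Use at least 8 characters.");
  if (hasSequentialRun(pw)) messages.push("Avoid sequences like 123, abcd or qwerty.");
  const hit = findBannedWord(pw, banned);
  if (hit) messages.push(`Password must not contain "${hit}".`);
  return { ok: messages.length === 0, messages, strength: strengthScore(pw) };
}
```

Wire `validatePassword` to the input's `input` event and keep the same banned words configured in Entra Password Protection so the client-side hints and the server-side rejection agree.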

