Microsoft just rolled out Self-Service Account Recovery (SSAR) with Identity Verification in Entra ID. It's a clean, modern feature that fixes a real operational headache: what happens when someone loses every authentication method they have. Now they can verify identity through a trusted IDV provider, get a Temporary Access Pass, and sign in, no help desk ticket required.
It's a good feature. Actually useful.
It also solves the wrong identity failure mode.
In 2025, a locked-out user isn't what breaks companies during identity attacks. It's the slow, quiet compromise of the identity control plane itself: the policies, roles, trusts, and permissions that decide whether anything in your environment is legitimate. Microsoft left that recovery problem entirely in your hands. And attackers know it.
Two Types of "Recovery" That Aren't Even Close to the Same Thing
You've seen both. Only one truly matters.
The first is the availability problem Microsoft just fixed.
8:57 a.m. A VP is about to present to the board. Dead phone. No MFA. No backup device. Locked out.
This is the problem Self-Service Account Recovery solves. The VP verifies identity with an IDV provider, gets a Temporary Access Pass, and signs in. No ticket. No waiting. No heroics from IT. This is a legitimate improvement in user availability.
But that has nothing to do with the integrity problem that actually ends companies.
That’s an entirely different scenario where everyone can still sign in, nothing looks broken and nobody calls the help desk.
But quietly, across weeks or months:
A rogue Global Admin assignment appears
Conditional Access policies get deleted and replaced
A malicious app gains offline_access and broad consents
Audit logs start missing key events
An attacker establishes system-level persistence deep in your cloud identity
You find out about the incident when the attacker contacts you. They know you can't unwind what they changed.
Both situations get labeled "recovery." Only one threatens business survival.
Where Attacks Happen Now (and It's Not Where SSAR Helps)
CrowdStrike reported in 2024 that 75% of intrusions are identity-driven and malware-free. Modern attackers aren't trying to stop users from signing in. Outages don't help them. They're doing something smarter:
Logging in as legitimate users
Escalating privileges systematically
Modifying trust policies
Granting long-term app permissions
Reshaping the identity fabric to guarantee persistence
Attackers don't target availability. They target integrity. Self-Service Account Recovery does nothing about that. And to be fair, it was never meant to.
What Microsoft's New Feature Actually Delivers
Let's give Microsoft credit where it's due: the new Account Recovery experience is a real step forward for user-facing scenarios because it:
Works even when all authentication methods are gone
Uses high-assurance IDV to validate identity
Issues Temporary Access Passes only after verified proofing
Reduces help desk load and social engineering risk
Modernizes the recovery experience for everyday users
That’s genuine progress on availability recovery. Just not the kind of recovery that stops breaches.
SSAR works for:
Lost phone
Missing MFA factors
SSPR failures
User onboarding/re-onboarding
Passwordless resets
But it doesn't work for anything involving an identity breach.
SSAR can't (and doesn't claim to) restore:
Deleted Conditional Access rules
Escalated or rogue admin roles
Backdoored app consents
Service principal permissions
OAuth-based persistence
Modified authentication method policies
Tampered or incomplete audit logs
Trust relationships across Entra, Azure, M365, apps, and devices
SSAR verifies the person. It does not verify or restore the directory. That's the critical boundary.
Two Identity Layers That Aren't Equal
Most organizations accidentally conflate two completely different concepts.
1. Availability: "Can the user sign in?"
Solved by: SSPR, MFA reset, passwordless recovery, TAP, and now SSAR.
2. Integrity: "Can we trust what the identity system is telling us?"
Integrity governs:
Who has admin rights
Which apps have dangerous permissions
What trust boundaries exist
Whether logs are accurate
Which Conditional Access rules apply
Whether policy changes are legitimate or malicious
Authentication failures are inconvenient. Authorization failures are existential. Microsoft solved the first. Enterprises still lack a solution for the second.
And Microsoft's own recoverability guidance makes this painfully clear:
Many Entra objects hard-delete immediately
Soft-delete only applies to a limited set of objects
Retention is short and inconsistent
Audit logs are mutable or missing at the exact moment you need them
No built-in tenant-wide point-in-time restore
No authoritative configuration baseline
"Recovery" still means scripts, exports, and best-effort reconstruction
This isn't a criticism of Microsoft; it's a reality of cloud identity architecture.
But it leads to one unavoidable truth: There is no native way to reliably undo a deep identity compromise. And every attacker knows it.
What Real Control-Plane Recovery Actually Requires
If you want identity resilience, not just identity availability, you need:
Immutable point-in-time snapshots of Entra configuration: Not CSV exports, but actual tamper-proof historical state
Complete mapping of identity dependencies: Roles, CA policies, app consents, service principals, admin units, device trusts
Off-tenant isolation: You cannot store your recovery data inside the same control plane an attacker may already control
Time-travel visibility: "What changed, when, and by whom?" must be a first-class capability—not a hope
Directed, granular rollback: Precisely revert malicious or suspicious changes without wiping legitimate business activity
This capability determines whether you survive a modern identity breach. It's completely outside what Microsoft delivered with SSAR.
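To make the first four requirements concrete, here is an added example (not Rubrik's or Microsoft's code) that shows the minimum a defender needs: a tamper-evident digest of a baseline Entra configuration snapshot, and a diff of a later export against it that flags the exact drift described earlier (a new Global Administrator, a deleted Conditional Access policy, a new app consent carrying offline_access). Both snapshots, the tenant names and the risky-scope list are constructed for illustration; real exports would come from Microsoft Graph.

```python
import hashlib
import json

# Constructed sample snapshots of Entra ID control-plane state (not real tenant data):
# a baseline captured earlier and a current export taken during an investigation.
BASELINE = {
    "role_members": {"Global Administrator": ["alice@contoso.example"]},
    "ca_policies": {"Require MFA for admins": "enabled", "Block legacy auth": "enabled"},
    "app_consents": {"HR Sync App": ["User.Read"]},
}
CURRENT = {
    "role_members": {"Global Administrator": ["alice@contoso.example", "svc-backup@contoso.example"]},
    "ca_policies": {"Require MFA for admins": "enabled"},
    "app_consents": {"HR Sync App": ["User.Read"], "Mail Helper": ["offline_access", "Mail.ReadWrite"]},
}

# Permissions that enable long-lived persistence; any new grant of these is high risk (assumed list).
HIGH_RISK_SCOPES = {"offline_access", "Mail.ReadWrite", "Directory.ReadWrite.All"}

def baseline_digest(snapshot):
    """SHA-256 of the canonical JSON form; store it off-tenant so the baseline cannot be quietly edited."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def verify_baseline(snapshot, expected_digest):
    """True only if the snapshot still matches the digest recorded when it was taken."""
    return baseline_digest(snapshot) == expected_digest

def diff_control_plane(baseline, current):
    """Return (severity, description) findings for drift between two snapshots."""
    findings = []
    for role, members in current["role_members"].items():          # new privileged role members
        added = set(members) - set(baseline["role_members"].get(role, []))
        for member in sorted(added):
            severity = "HIGH" if role == "Global Administrator" else "MEDIUM"
            findings.append((severity, f"{member} added to role {role}"))
    for name, state in baseline["ca_policies"].items():            # deleted or altered CA policies
        if name not in current["ca_policies"]:
            findings.append(("HIGH", f"Conditional Access policy deleted: {name}"))
        elif current["ca_policies"][name] != state:
            findings.append(("MEDIUM", f"CA policy state changed: {name}"))
    for app, scopes in current["app_consents"].items():            # new or widened app consents
        new_scopes = set(scopes) - set(baseline["app_consents"].get(app, []))
        if new_scopes:
            severity = "HIGH" if new_scopes & HIGH_RISK_SCOPES else "LOW"
            findings.append((severity, f"{app} gained consent for {sorted(new_scopes)}"))
    return findings

if __name__ == "__main__":
    for severity, description in diff_control_plane(BASELINE, CURRENT):
        print(severity, description)
```

The diff is the "what changed" half of time-travel visibility; "when and by whom" requires correlating each finding with the directory audit log, which this example does not include.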
Doing things in the right sequence matters. If you restore users before restoring the control plane, you're onboarding them straight back into an attacker-owned environment. Most teams get this backwards.
Step 1: Restore the Control Plane (Integrity). You cannot re-onboard users into an attacker-controlled directory.
Step 2: Reestablish User Access (Availability). Once the directory is trustworthy again, SSAR becomes a fast, safe way to help users re-register MFA and passwordless credentials.
60-Second Identity Integrity Check
Answer yes or no:
Do you have an immutable baseline of your Entra configuration from six months ago?
Can you see exactly when a Global Admin assignment changed—and reverse it?
If all Conditional Access policies vanished tonight, could you restore them accurately?
Do you have a tamper-proof history of app consent changes?
After an incident, could you confidently tell your board, "Entra ID is clean"?
If any answer is no, you don't have identity resilience. You have identity availability, which is not the same thing.
The bottom line?
Microsoft improved user recovery. Self-Service Account Recovery is a welcome enhancement. It reduces help desk strain, raises the security bar for lost-factor events, and gives users a smoother, more secure way to get back in.
But the hard recovery problem remains. The threat landscape moved on years ago. Attackers don't need users locked out to compromise you. They just need the identity system to trust them. Once they modify the trust logic itself, there's no Microsoft-native way to put it back. That's the recovery gap enterprises need to close.
Rubrik Identity Resilience delivers the missing half of the recovery equation:
Immutable, point-in-time snapshots of Entra ID policies, roles, app permissions, and directory objects
Complete mapping of identity dependencies across the control plane
Off-tenant, tamper-proof isolation for recovery data
Deep change intelligence showing exactly what changed, when, and by whom
Granular, orchestrated rollback that restores trust state without breaking the business
If SSAR restores people, Rubrik restores the platform those people rely on.
Want to see how Rubrik restores not just user access, but the entire Entra ID control plane? Explore Rubrik Identity Resilience, see how it is helping customers, and check out a demo. In today's threat landscape, access recovery is table stakes. Control-plane recovery is survival.