Added multi-factor authentication (MFA) requirement for self-service operations for supported authentication methods.
Why it matters: Upcoming change
What to do: By January 26, 2026: Starting January 26, 2026, users who manage their own authentication methods through self-service operations, such as adding, updating, or deleting phone numbers and email addr…
Starting January 26, 2026, users who manage their own authentication methods through self-service operations, such as adding, updating, or deleting phone numbers and email addresses, must complete multifactor authentication (MFA) if they last authenticated more than 10 minutes ago in the current session. For more guidance on handling this change in your application, see Microsoft Entra authentication methods API overview.
Affected: Microsoft Graph, Identity and access