arrow
Search icon

How long are the email and SMS one-time passcodes valid?

The session lifetime for password reset is 15 minutes. From the start of the password reset operation, the user has 15 minutes to reset their password. The email and SMS one-time passcode are valid for 5 minutes during the password reset session.

Authenticator app?

Taken from Self-service password reset FAQ - Azure Active Directory | Microsoft Docs

How many times can I reset/change my password in a short period of time?

There are security features built into password reset to protect it from misuse.

Users can try only five password reset attempts within a 24 hour period before they're locked out for 24 hours.

Users can try to validate a phone number or send a SMS, only five times within an hour before they're locked out for 24 hours.

Users can send an email a maximum of 10 times within a 10 minute period before they're locked out for 24 hours.

The counters are reset once a user resets their password.

Taken from here - Self-service password reset FAQ - Azure Active Directory | Microsoft Docs