The release of the Portal for ArcGIS Security 2026 Update 2 Patch removes the ability for end users to reset passwords using a security question for built-in Portal accounts, which essentially makes security questions meaningless.
Since security questions are meaningless now, why does Portal still require us to specify a security question/answer for new users when they log in for the first time? There's no point in asking for it anymore, right?
Furthermore, the guidance provided on the security question/answer page is just wrong now, because it gives the end user the impression they can reset their password using the security question/answer, when Esri took that functionality away in the patch.
It's not necessarily a big deal, but now we have end users that are creating meaningless security questions/answers AND being given incorrect guidance by Esri saying they can reset their password using a security question/answer, when in reality, they cannot do that anymore.
Yes, the Portal for ArcGIS Security 2026 Update 2 patch removed the ability to reset a password by security question and answer alone, but that security answer is still needed. When you have Portal configured with an SMTP server and a user selects the Reset Password option, they will be emailed a hyperlink. On that page they will still need to answer their security question before providing a new password.
Ah, that makes sense. The specific Portal I was working in did not have an SMTP server configured for email password resets. In this case, when a user attempts to reset their password, it asks them for their username, but then it just takes them back to the sign in page with no messages or anything. In my opinion, there needs to be a message or something that tells them it can't reset their password and to contact an administrator. It's just kind of odd that it goes right back to a sign in page with no additional information.
On a side note, even if we did have an SMTP server configured, it would only buy us a little time until Microsoft fully retires legacy authentication (which as of now, is December 2026). To my understanding, Portal does not support Microsoft modern authentication. At that point, it would be impossible for a user to reset a password on their own. And that would take us back to where we're at now, where a security question is essentially meaningless. I realize this is specific to Microsoft, but considering how large Microsoft is, I imagine others will be in this scenario.
This only applies to scenarios where built-in accounts are used. It is recommended to connect your own IdP (--> Hardening Guide). In that case password reset through ArcGIS would not be needed.