Hello there! This week I thought I would write one more article on Conditional Access Policies. As you know, setting up an access policy is easy, and it is basically mandatory to have one or more policies now. You may also have internal policies requiring that anyone registering for MFA does so from a trusted network, so that bad actors cannot intercept or impersonate your users' registration data. So let's see how to achieve this.
Simply put, I will be exploring the Combined Security Registration feature that covers MFA and SSPR, and how to require that users sign up for it from a secure network.
With this I will be achieving two things:
- Users can only register their details (Authenticator app and/or mobile phone number) from within a trusted network.
- Once a user is registered, the same information is used for both MFA and Self Service Password Reset (SSPR), without having to register twice.
Table of Contents
- License Requirement
- Setup the Combined Security Registration Experience
- Create Trusted Networks
- Create the Conditional Access Policy
- User Experience in a Trusted Network
- Check Registration Insights
- What If The User Tries to Register From a Different Network?
- Final Words
License Requirement
To get the process started, your users must have any M365 license that covers Azure AD Premium P1 at a minimum.
Setup the Combined Security Registration Experience
Earlier, users had to register for MFA and Self Service Password Reset (SSPR) using two URLs and in two separate processes. Things have now changed: if Combined Security Registration is ON for selected users or for all users, those users can register through the MFA registration page, the SSPR registration page, or the Security info page in the My Account section.
Newer tenants get the Combined Security information registration setting ON for all users by default. For older tenants, however, you still have to check and set it first.
Azure AD Portal > Azure Active Directory > User Settings > Manage User Feature Settings >
As shown below, because my tenant is new, the setting is ON by default.
From the user's end, they can use the security info registration URL (https://aka.ms/setupsecurityinfo) to register.
Now that we have looked at this setting, let's head to the Conditional Access section.
Create Trusted Networks
Azure AD Portal > Azure Active Directory > Security > Named Location
Use the Countries location or IP ranges location options to add your trusted locations and label them; these named locations are then available when you create the Conditional Access Policy.
Create the Conditional Access Policy
- Determine your user groups, or whether the policy needs to apply to all users. Make sure you don't lock yourself out!
- Under Cloud apps or actions, select User actions and check Register security information.
- Under Conditions, select Locations; under Include select All locations, then under Exclude select All trusted locations (the trusted locations created earlier are added to the scope).
- Under Grant, select Block access.
- Once done, set the Enable policy option to ON.
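The same trusted network and policy, built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and the caller holds the Conditional Access Administrator role; the CIDR range and the group object IDs are placeholders you replace with your own.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module and a
# Conditional Access Administrator; 203.0.113.0/24 and the group IDs are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Named location flagged as trusted (the "Create Trusted Networks" step).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Policy: block the "Register security information" user action from every location
#    except those flagged as trusted ("AllTrusted" picks up the location created above).
#    It starts in report-only mode so the sign-in log can be reviewed before it is set
#    to "enabled", which is the state the post selects in the portal.
$policy = @{
    displayName   = "Block security info registration outside trusted networks"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @("<objectId of pilot group>")        # placeholder
            excludeGroups = @("<objectId of break-glass group>")  # keeps admins from being locked out
        }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Read the policy back and confirm scope and state before flipping it to "enabled".
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "UserActions";       e = { $_.Conditions.Applications.IncludeUserActions -join "," } },
        @{ n = "ExcludedLocations"; e = { $_.Conditions.Locations.ExcludeLocations -join "," } }
```

To enable enforcement later, update the policy with `state = "enabled"` via Update-MgIdentityConditionalAccessPolicy after checking the report-only results in the sign-in logs.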
User Experience in a Trusted Network
Users log on to the URL https://aka.ms/setupsecurityinfo and see the page below.
Check Registration Insights
Check the below steps to identify who has registered for MFA and SSPR.
Azure AD Portal > Azure Active Directory > Password reset > Usage and insights
Drill in further to identify the individual users.
What If The User Tries to Register From a Different Network?
They will simply get the error below, because the location they are registering from is not identified as a trusted location. This forces them to register from a trusted network.
What I did above simply combines two features to get started with MFA and SSPR. You could use combined registration on its own and let users sign up from anywhere; however, if you have strict security policies, it is best to limit the sign-up functionality to your trusted networks. Read more about MFA in my previous article: https://shehanperera.com/2022/05/03/aad-cap101/