Use Conditional Access Policies to Securely Register Security Information for MFA and SSPR

Hello there! This week I thought I will write one more article on Conditional Access Policies. As you know setting up an access policy is easy and it is basically mandatory to have one or more polices now, but you may have internal polices where anyone who is registering for MFA must do that in a trusted network so bad actors will not be able to intercept or impersonate your users data. So lets see how to achieve this with.

Simply put, I will be exploring the Combined Security Registration feature that covers MFA and SSPR and how to set it to be signed up for in a secure network.

With this I will be achieving 2 things.

  1. Users can only register their details (Authenticator App and/ or mobile phone number) within a trusted network.
  1. Once the user is registered, they can use the same information for both MFA and Self Service Password Reset (SSPR) without having to register for 2 times.

Table of Content

Licensing Requirement

To get the process started, your users must have any M365 license that covers Azure AD Premium P1 at a minimum.

Setup the Combined Security Registration Experience

Earlier the process was user needs to register for MFA and Self Service Password Rest (SSPR) using 2 URLs and in 2 separate processes. Now things have been changed and if the Combined Security Registration is ON for selected users or for All users, those users can use MFA, SSPR registration or use the Security info update page in my account section to register.

Newer tenants will get the Combined Security information registration setting ON for all for all users by default. However for older tenants, you still have to check and set it first.

Azure AD Portal > Azure Active Directory > User Settings > Manage User Feature Settings >

As you can see below because my tenant is a new tenant, the setting is ON by default

From the users end, they can use below URL to register.

Now that we looked at this setting. Lets head to the Access Policies section

Create Trusted Networks

Azure AD Portal > Azure Active Directory > Security > Named Location

Use Countries locations, IP ranges location options to add the trusted locations and label then and that can be used when you are creating the Conditional Access Policies

Create the Conditional Access Policy

  • Determine your user groups or if you need to apply to all users. Make sure you don’t lock your self!
  • Under Actions > under Cloud Apps or Actions, select User actions > check Register Security Information
  • Under Conditions > Select Locations and select All Locations under Include and go to Exclude and select All Trusted locations (previously created trusted locations will be added to the scope)
  • Under Grant > select Block access
  • Once done, select ON for Enable Policy option

User Experience in a Trusted Network

User Logon to the URL and they will receive below page.

Check Registration Insights

Check the below steps to identify who has registered for MFA and SSPR.

Azure AD Portal > Azure Active Directory > Password reset > Usage and insights

Further, drill in to identify the users

What If The User Tries to Register From a Different Network?

Simply they will get the below error as the location they are trying to register for MFA is not identified as a trusted location, this will force them to simply register from a trusted network.

Final Words

What did above is simply 2 features to get started with MFA and SSPR, however, you can simply use the combined registration only and let users signup from anywhere. However, if you have strict security policies, it’s best you limit signup functionality from your trusted networks. Read more about MFA in my previous article


One thought on “Use Conditional Access Policies to Securely Register Security Information for MFA and SSPR

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.