Blog Post

Microsoft Entra Blog
2 MIN READ

Conditional access for the Azure AD combined MFA and password reset registration experience

Alex_Simons's avatar
Alex_Simons
Icon for Microsoft rankMicrosoft
May 16, 2019

Howdy folks,

 

More and more organizations are using Multi-Factor Authentication (MFA) to protect their access and self-service password reset (SSPR) to reduce support costs and empower their users to manage their credential recovery. Our internal studies show that customers can cut their risk of account compromise by 99% by enabling MFA, so we’re REALLY happy to see this growing trend.

 

With this increasing usage, we also heard loud and clear that you want to control the conditions in which security sensitive MFA or SSPR information can be registered. This helps ensure it’s the right user—not an attacker—registering this security sensitive info.

 

Some common restrictions you requested include ensuring that:

  • Users are on a trusted network.
  • Only users with a low sign-in risk can register security information.
  • Users can only register on a managed device.
  • Users should agree to a terms of use during registration.


We heard you loud and clear!

 

Today, I am excited to announce the public preview of Azure AD conditional access for our combined registration experience for MFA and SSPR. Many of our largest customers have already been using this while it was in private preview to simplify rolling out MFA and SSPR and we’re looking forward to making it more broadly available as part of Azure AD Premium P1 subscription.

 

Here are some instructions to try this out!

 

Getting started

First, create a policy to block registration for users that are not on the corporate network, but are still allowed to manage credentials from anywhere, as long as they can use MFA.

 

Next, make sure that all users you want to apply this policy to are part of the MFA and SSPR preview. This is required because users not on the preview will use the older security information page and the policy will not be enforced.

 

Steps for setting up policy

 

  1. Include the users the policy will apply to using the Users and groups.
  2. Apply policy to the Register security information action, which is now included in the Cloud apps or actions.



  3. Set the Locations. Include Any location; exclude all trusted networks.

  4. Set the access grant control to require multi-factor authentication.
  5. Enable policy and Save.


Now, if a user is outside of a trusted network and attempts to register MFA for the first time, they’re blocked and shown the following message:

 

 

As soon as they register MFA, they’ll be able to manage MFA and SSPR registration details from anywhere.

 

Go ahead and give it try today!

 

See our Azure AD conditional access documentation for additional information. We’d also love to hear your feedback. If you have a couple minutes please consider filling out our survey. You know we’re listening!

 

Best regards,

 

Alex Simons (Twitter: @Alex_A_Simons)
Vice President of Program Management
Microsoft Identity Division

Updated Nov 09, 2023
Version 24.0
Alex_Simons's avatar
Icon for Microsoft rankMicrosoft
Joined May 01, 2017
View Profile
Microsoft Entra Blog
Stay informed on how to secure access for employees, customers, and non-human identities, from anywhere, to multicloud and on-premises resources, with comprehensive identity and network access solutions powered by AI.

39 Comments

Show More
  • caleb_b's avatar
    caleb_b
    Former Employee
    Jun 04, 2019

     

    Rolf Troendle, I just tried to reproduce this using Office ProPlus and wasn't able to. Let me know if you are still seeing this and we can take a look.
  • caleb_b's avatar
    caleb_b
    Former Employee
    Jun 04, 2019

    mattiasnyholm, these examples are possible today using the preview. Instead of requiring MFA as the required access control just pick a terms of use page or require a compliant device.

     

  • Rolf Troendle's avatar
    Rolf Troendle
    Copper Contributor
    May 22, 2019

    Nice! We are already using the new portal and to be able to lock down MFA enrollment is perfect. 

    Access is blocked as expected from an untrusted device but from this device we are still able to enroll for MFA when using Word. If you add an account in Word from an untrusted device with a new user account (our CA policy needs MFA or hybrid joined deviced or compliant device) it tells the user to enroll for MFA and this works from word but not from the browser. 

    Any idea how to fix this?

  • andrii_ua's avatar
    andrii_ua
    Copper Contributor
    May 21, 2019

    Is it possible to do the same, but when the user is already registered?

    Meaning, if I want to force all of my users to use Authenticator App instead of sms or calls.. ?

  • mattiasnyholm's avatar
    mattiasnyholm
    Copper Contributor
    May 21, 2019

    This sounds promising! Since you mentioned a few examples I guess you have it on the roadmap. Can you share any more information on when it will be possible to require users to accept terms of use, and to require managed devices?

  • Brian Reid's avatar
    Brian Reid
    MVP
    May 17, 2019

    Phil Cook because the policy blocks access to the registration page. The rules of the policy is block access unless on a trusted network.

     

    You cannot do an allow if on trusted network policy because a user not on the trusted network would not be subject to the policy and therefore would get access to the registration page. See https://c7solutions.com/2019/05/register-for-azure-ad-mfa-from-on-premises-or-known-networks-only which I wrote up last week on how to set this up. 

  • Phil Cook's avatar
    Phil Cook
    Copper Contributor
    May 17, 2019

    In your example Alex, why are trusted locations being excluded? It feels like this is the wrong way round if you only want to allow MFA registration from a trusted location?