Forum Discussion
virtual-tech
Jan 30, 2025 | Brass Contributor
O365 SSPR require users to register when signing in
Hi Everyone
Can someone please shed some light on this? In Azure SSPR, under Password reset > Registration, there is "Require users to register when signing in": Yes or No. Below is the MS website explanation. Does that mean that if I set it to Yes, users who go to office.com are prompted to register in SSPR? What are the downsides of choosing No?
You can enable the option to require a user to complete the SSPR registration if they use modern authentication or web browser to sign in to any applications using Microsoft Entra ID. This workflow includes the following applications:
- Microsoft 365
- Microsoft Entra admin center
- Access Panel
- Federated applications
- Custom applications using Microsoft Entra ID
When you don't require registration, users aren't prompted during sign-in, but they can manually register.
- Ahmed_Masoud97 | Iron Contributor
Hello,
If you set it to Yes, users will be prompted to register for SSPR when signing in via supported apps, ensuring they are prepared for password recovery. If set to No, they won’t be required to register automatically but can do so manually, which may cause issues if they forget their password later.
- virtual-tech | Brass Contributor
VasilMichev If SSPR registration is enabled, that impacts every service below, right? For example, if I have an SSO application in Azure and that's what launches first thing when logging in to their computer, will it prompt for SSPR registration?
- Microsoft 365
- Microsoft Entra admin center
- Access Panel
- Federated applications
- Custom applications using Microsoft Entra ID
We have warehouse people that access an SSO application registered in Azure and they were being prompted for SSPR registration. Turning SSO registration off seems to help and the prompt went away.
It will trigger on any login attempt, regardless of the app.
It's pretty much explained in the quoted text above. If you enable SSPR registration, users will be prompted to register their methods during login, much like the MFA registration process works. If you do not configure/force registration, they can still go to the MyAccount page and configure methods therein. The obvious downside is that you have to rely on the users themselves to do the registration, and potential scenarios where they end up needing to reset their password without any recovery methods configured.
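
To size the downside described in the last reply when registration is not forced, the following added example (not part of the thread) buckets users by SSPR readiness. It assumes records exported from the Microsoft Graph `userRegistrationDetails` report; the sample data, the `contoso.example` names and the bucket names are constructed for illustration.

```python
import json

# Constructed sample records (not real tenant data), shaped like the Microsoft
# Graph userRegistrationDetails report for authentication methods.
SAMPLE_EXPORT = """[
  {"userPrincipalName": "office1@contoso.example", "isSsprEnabled": true,
   "isSsprRegistered": true, "methodsRegistered": ["mobilePhone", "email"]},
  {"userPrincipalName": "warehouse1@contoso.example", "isSsprEnabled": true,
   "isSsprRegistered": false, "methodsRegistered": []},
  {"userPrincipalName": "warehouse2@contoso.example", "isSsprEnabled": true,
   "isSsprRegistered": false, "methodsRegistered": ["email"]},
  {"userPrincipalName": "svc-kiosk@contoso.example", "isSsprEnabled": false,
   "isSsprRegistered": false}
]"""


def classify(record):
    """Place one user in a bucket describing their SSPR readiness."""
    if not record.get("isSsprEnabled", False):
        return "out_of_scope"   # SSPR policy does not apply to this user
    if record.get("isSsprRegistered", False):
        return "ready"          # can reset their own password today
    if record.get("methodsRegistered"):
        return "partial"        # methods on file, but not enough for SSPR
    return "no_methods"         # a forgotten password needs a helpdesk reset


def sspr_gap_report(records):
    """Group users by bucket and compute coverage among in-scope users."""
    buckets = {"ready": [], "partial": [], "no_methods": [], "out_of_scope": []}
    for rec in records:
        buckets[classify(rec)].append(rec.get("userPrincipalName", "<unknown>"))
    in_scope = sum(len(buckets[k]) for k in ("ready", "partial", "no_methods"))
    coverage = len(buckets["ready"]) / in_scope if in_scope else 1.0
    return {k: sorted(v) for k, v in buckets.items()}, coverage


if __name__ == "__main__":
    report, coverage = sspr_gap_report(json.loads(SAMPLE_EXPORT))
    for bucket in ("no_methods", "partial"):
        for upn in report[bucket]:
            print(f"{bucket:12} {upn}")
    print(f"SSPR registration coverage: {coverage:.0%}")
```

Users in the `no_methods` and `partial` buckets are the ones who would need an administrator-assisted reset if they forgot their password while registration is left optional.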