Forum Discussion
RippieUK
Dec 07, 2021Brass Contributor
CA template - Securing Security info registration
Can someone please explain to me how this template secure the process of registration of my users security info? It require MFA if they are not on a trusted location. Ok I get that bit but if the...
- Dec 07, 2021So I think we have got it sorted, we enabled "Users can use the combined security information registration experience" and then the the securing register security info CA policy now blocks people and they have to use a temporary access password to continue.
So i am all good now 🙂
BilalelHadd
Dec 07, 2021Iron Contributor
Hi RippieUK,
You would indeed require an MFA setup from a trusted location for security reasons, and I agree with this. However, since we are in a scenario where working from home is the standard, it's almost impossible to configure this Conditional Access Policy. Still, I would recommend using this method. You should provide your users the possibility to register from a trusted location, think of delivering registration from a VDI environment, a VPN connection, etc.
You've already mentioned that a user with bad intentions can do the same as what the user could. Pre-populating an MFA method is also possible, there are several methods available to achieve this:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata
https://identity-man.eu/2020/07/08/pre-configure-authentication-methods-for-end-users-in-azure-ad/
Good luck!
You would indeed require an MFA setup from a trusted location for security reasons, and I agree with this. However, since we are in a scenario where working from home is the standard, it's almost impossible to configure this Conditional Access Policy. Still, I would recommend using this method. You should provide your users the possibility to register from a trusted location, think of delivering registration from a VDI environment, a VPN connection, etc.
You've already mentioned that a user with bad intentions can do the same as what the user could. Pre-populating an MFA method is also possible, there are several methods available to achieve this:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata
https://identity-man.eu/2020/07/08/pre-configure-authentication-methods-for-end-users-in-azure-ad/
Good luck!
- RippieUKDec 07, 2021Brass ContributorSo I think we have got it sorted, we enabled "Users can use the combined security information registration experience" and then the the securing register security info CA policy now blocks people and they have to use a temporary access password to continue.
So i am all good now 🙂