Self Service Password Reset without being forced to have MFA enabled
We have enrolled MFA for parts of our company (Guests, IT department, parts of the administration) so far and are slowly pushing forward. MFA is controlled by a Conditional Access policy where users or groups are added manually.
At the same time we are currently implementing SSPR for our company. SSPR is set to "selected" and not to "all". That means we have a group where we add users to get SSPR enabled for them. This is how it is set up:
If we enable SSPR for a user that has not been enabled for MFA by Conditional Access yet, then this user faces issues setting up his Self Service Password Reset questions. He is forced to register MFA, which we do not want at this point (that is why we have not added him to the MFA Conditional Access policy at this point).
Is there a way to make the users register SSPR for their account without being forced to register MFA yet? Is it even possible to enable SSPR without MFA?
We know that MFA is highly recommended. We are working on the full rollout. But there are users that are not ready yet.
This is what the user is facing when SSPR is enabled for him but MFA is not yet enforced by conditional access:
Says: Protect your account. Microsoft Authenticator. Get the app first.
Found the solution by reading my own post after posting.
Just uncheck the "mobile app code" restore option for SSPR and the users will not be forced/led to register the app as a primary option for SSPR.
When they sign in the next time they will be led to 5 questions instead.