Forum Discussion
Elduderino
Jan 08, 2025 | Copper Contributor
Combined SSPR and MFA policy issue
I'm dealing with an issue after migrating to the new MFA and SSPR combined policy, something we need to complete before October 2025. Old situation, before migrating to the new MFA policies: SSP...
Kidd_Ip
Jan 09, 2025 | MVP
Take this:
- Review Combined Registration Settings:
  - Ensure that the combined registration is correctly configured in your tenant.
- Check Authentication Strength Policies:
  - Verify that the authentication strength policies are not conflicting with the combined registration process. You might need to adjust the policies to ensure that both strong authentication methods and the required SSPR methods are allowed.
- Enable Required Methods for SSPR:
  - Make sure that the required methods for SSPR (e.g., SMS or email) are enabled in the authentication methods policy. This can be done in the Azure portal under Azure Active Directory > Security > Authentication methods.
- Test Different Configurations:
  - Try different configurations to see if you can find a setup that works. For example, temporarily allow SMS in the authentication strength policy and see if the combined registration process works. If it does, you can then fine-tune the settings to meet your security requirements.
- Use Azure AD Conditional Access:
  - Consider using Azure AD Conditional Access policies to enforce the use of strong authentication methods for sign-in while allowing weaker methods for SSPR. This can help you achieve the desired balance between security and usability.
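An added example, not part of the original post and not Microsoft tooling: a small Python check for the conflict the steps above ask you to look for, listing methods that are enabled in the authentication methods policy but appear in no allowed combination of an authentication strength. The JSON is constructed sample data shaped like Microsoft Graph policy exports, and the id-to-mode mapping and function names are assumptions made for this illustration.

```python
import json

# Constructed sample data, shaped like a Graph export of the tenant's
# authentication methods policy and of one authentication strength policy.
METHODS_POLICY = json.loads("""
{"authenticationMethodConfigurations": [
  {"id": "Fido2", "state": "enabled"},
  {"id": "MicrosoftAuthenticator", "state": "enabled"},
  {"id": "Sms", "state": "enabled"},
  {"id": "Email", "state": "disabled"}
]}
""")
STRENGTH_POLICY = json.loads("""
{"displayName": "Constructed strong sign-in",
 "allowedCombinations": ["fido2", "password,microsoftAuthenticatorPush"]}
""")

# Assumed mapping from a method configuration id to the mode name
# used inside allowedCombinations (only the methods relevant here).
CONFIG_TO_MODE = {
    "Fido2": "fido2",
    "MicrosoftAuthenticator": "microsoftAuthenticatorPush",
    "Sms": "sms",
    "Email": "email",
}

def enabled_modes(methods_policy):
    """Modes whose method configuration is enabled tenant-wide."""
    return {
        CONFIG_TO_MODE[cfg["id"]]
        for cfg in methods_policy["authenticationMethodConfigurations"]
        if cfg.get("state") == "enabled" and cfg["id"] in CONFIG_TO_MODE
    }

def modes_in_strength(strength_policy):
    """Every mode that appears in at least one allowed combination."""
    modes = set()
    for combo in strength_policy["allowedCombinations"]:
        modes.update(part.strip() for part in combo.split(","))
    return modes

def enabled_but_not_in_strength(methods_policy, strength_policy):
    """Enabled methods (e.g. SMS for SSPR) that the strength never accepts."""
    return sorted(enabled_modes(methods_policy) - modes_in_strength(strength_policy))

if __name__ == "__main__":
    print(enabled_but_not_in_strength(METHODS_POLICY, STRENGTH_POLICY))
```

A non-empty result only marks the place where the two policies disagree; whether that disagreement affects combined registration in a given tenant still has to be confirmed by testing.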
- Elduderino | Jan 09, 2025 | Copper Contributor
Thanks, but I went through all these steps. As soon as authentication strength is enabled, it breaks combined registration; it only works when I enable single-factor Password in the authentication strength as well. Also, the interrupt mode stops when I use Authentication strength on my CA rules.
The new policies do make it impossible to use SMS only for password reset and not for sign-in, as we always could before.
- TheKurgan | Jul 15, 2025 | Copper Contributor
Hit this roadblock today while testing SSPR. Any white smoke from Microsoft??
May need to log a case myself.