Elduderino (Copper Contributor), Jan 08, 2025
Combined SSPR and MFA policy issue
I'm dealing with an issue after migrating to the new MFA and SSPR combined policy, something we need to complete before October 2025.
Old situation, before migrating to the new MFA policies:
- SSPR, separate policy. We do require 2 methods for resetting password, this may include weaker methods like SMS or Email.
- Legacy MFA policy with Microsoft and third-party authenticators only.
User experience:
When users are asked to register an authenticator for the first time, they get the combined registration experience (2 steps), where they register their authenticator and then a second method for SSPR, which is SMS or email.
When the user wanted to reset their password using SSPR they had to authenticate first with their authenticator and the next step was to enter a code they got by SMS or email.
All according to Microsoft recommendation and this all worked fine, until I migrated to the new combined MFA policies.
Issue:
I migrated to the new MFA policies and I still want to enforce 2 methods for SSPR, so an authenticator and SMS or email, however I don't want to allow users to use SMS or email for sign-in as it is not considered as safe.
To enforce strong authentication methods, I use "authentication strength", allowing Microsoft and third-party authenticators only. If I didn't use authentication strength, I would be allowing users to sign in with SMS as well (since we now have a combined policy).
However, this setup breaks the combined registration and SSPR interrupt mode; it simply doesn't work any more. As soon as I apply the authentication strength, users are only prompted to register an authenticator, and combined registration is gone.
The funny thing is that it doesn't even work when I allow SMS in the authentication strength. It lets me register SMS, but there is still no combined registration (2 methods).
So basically, it means that users have to register their second method manually and afterwards in their personal sign-in properties, or I have to remove the 2 methods requirement from SSPR. I'm not in favour of doing this.
I submitted a ticket to Microsoft, but I have the feeling they don't understand my issue. They even suggested enabling "Password only" in the authentication strength, as combined registration then suddenly works. A surprising solution, as it enables insecure single-factor authentication.
Has anyone been able to get SSPR and MFA combined registration working while using authentication strength?
Take this:
- Review Combined Registration Settings:
  - Ensure that the combined registration is correctly configured in your tenant.
- Check Authentication Strength Policies:
  - Verify that the authentication strength policies are not conflicting with the combined registration process. You might need to adjust the policies to ensure that both strong authentication methods and the required SSPR methods are allowed.
- Enable Required Methods for SSPR:
  - Make sure that the required methods for SSPR (e.g., SMS or email) are enabled in the authentication methods policy. This can be done in the Azure portal under Azure Active Directory > Security > Authentication methods.
- Test Different Configurations:
  - Try different configurations to see if you can find a setup that works. For example, temporarily allow SMS in the authentication strength policy and see if the combined registration process works. If it does, you can then fine-tune the settings to meet your security requirements.
- Use Azure AD Conditional Access:
  - Consider using Azure AD Conditional Access policies to enforce the use of strong authentication methods for sign-in while allowing weaker methods for SSPR. This can help you achieve the desired balance between security and usability.
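The checklist above asks the admin to compare three things by hand: which authentication strengths Conditional Access actually enforces, which method combinations those strengths admit, and which methods are enabled in the authentication methods policy that the combined policy now uses for both sign-in and SSPR. The script below is an added example written for this thread, not code from either poster or from Microsoft, that pulls those three views into one report with the Microsoft.Graph PowerShell SDK. It assumes the SDK is installed and the signed-in account holds Policy.Read.All; the $WeakMethods list is a local assumption reflecting the original post's view that SMS, voice and email are acceptable for password reset but not for sign-in.

```powershell
# Added example (not from the thread): report the authentication strengths
# enforced by Conditional Access, the factor combinations each one admits,
# and the state of every method in the authentication methods policy.
# Assumes the Microsoft.Graph SDK is installed and Policy.Read.All is granted.

Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Methods the original post allows for SSPR but not for sign-in (assumption).
$WeakMethods = @('sms', 'voice', 'email')

# (a) Which authentication strengths do enabled CA policies reference?
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$strengthIdsInUse = $caPolicies |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.AuthenticationStrength.Id } |
    ForEach-Object { $_.GrantControls.AuthenticationStrength.Id } |
    Sort-Object -Unique

if (-not $strengthIdsInUse) {
    Write-Host "No enabled Conditional Access policy references an authentication strength."
}

# (b) For each referenced strength, list its allowed combinations and flag the
# two cases discussed in the thread: password-only and weak-factor combinations.
$strengths = Get-MgPolicyAuthenticationStrengthPolicy -All
foreach ($s in $strengths | Where-Object { $strengthIdsInUse -contains $_.Id }) {
    Write-Host "`nStrength '$($s.DisplayName)' ($($s.PolicyType))"
    foreach ($combo in $s.AllowedCombinations) {
        # Combinations are comma-joined lowercase mode names, e.g. "password,sms".
        $parts = $combo -split ','
        $flags = @()
        if ($parts.Count -eq 1 -and $parts[0] -eq 'password') {
            $flags += 'single-factor password'
        }
        $weak = $parts | Where-Object { $WeakMethods -contains $_ }
        if ($weak) { $flags += "weak factor: $($weak -join ',')" }
        $note = if ($flags) { '  <-- ' + ($flags -join '; ') } else { '' }
        Write-Host "  $combo$note"
    }
}

# (c) Authentication methods policy: with the combined policy, SSPR can only
# use methods enabled here, and anything enabled here is also offered for
# sign-in unless a strength excludes it.
$methodsPolicy = Get-MgPolicyAuthenticationMethodPolicy
Write-Host "`nAuthentication methods policy:"
foreach ($m in $methodsPolicy.AuthenticationMethodConfigurations) {
    $marker = if ($WeakMethods -contains $m.Id.ToLower()) { '  (weak, SSPR-only candidate)' } else { '' }
    Write-Host ("  {0,-22} {1}{2}" -f $m.Id, $m.State, $marker)
}

Disconnect-MgGraph | Out-Null
```

Read the report top to bottom: a strength whose only flagged line is "single-factor password" is the "Password only" workaround the original poster was offered, and a weak method that shows as enabled in section (c) but absent from every enforced strength in section (b) is exactly the "reset-only, not sign-in" split the thread is trying to reproduce.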
Elduderino (Copper Contributor)
Thanks, but I went through all these steps. As soon as authentication strength is enabled, it breaks combined registration; it only works when I enable single-factor Password in the authentication strength as well. Also, the interrupt mode stops when I use authentication strength on my CA rules.
The new policies do make it impossible to use SMS only for password reset and not for sign-in, as we always could before.