Forum Discussion

brentmattson's avatar
brentmattson
Brass Contributor
Oct 17, 2024

Challenges with New MFA and SSPR Policies: Need Guidance

I am currently transitioning our Self-Service Password Reset (SSPR) and Multi-Factor Authentication (MFA) to the new Authentication Methods policy, moving away from legacy policies. However, the lack of clarity on which methods are compatible with both scenarios is quite frustrating, and I wonder if I might be missing something.

 

Our goal is to exclusively use the Authenticator app and security keys for both MFA and SSPR, eliminating all other methods. Additionally, we want to maintain the requirement of two methods (Authenticator app and security key) for password changes. We are in the process of distributing security keys to all staff.

 

The issue I’m encountering is that while Microsoft promotes this new portal as a unified solution for both MFA and SSPR, not all methods are supported across both. Specifically, the security key does not currently work for SSPR. If I am unable to use the security key for SSPR and must resort to a less secure second method, I would at least like to disable that less secure method for MFA. However, it seems there is no way to configure this in the policy.

 

Am I on the right track here? I am aware that Authentication Strengths can be configured—perhaps this is where I should focus?

 

Any advice or discussion would be greatly appreciated.

Resources