Forum Discussion

John Gruber's avatar
John Gruber
Brass Contributor
Feb 07, 2023

Is it possible to limit where users can reset their passwords in Microsoft 365?

Hello,

 

I'm discussing enabling Self-service password reset with a customer and they are concerned that someone could reset the password from anywhere. Is it possible to create a conditional access policy that limits the IP addresses that a user can perform a SSPR from?

 

I know you can limit where the user signs up for SSPR/MFA but I'm wondering how to create a conditional access policy (or something else) that restricts user's to an IP address to perform the SSPR.

 

Thanks,

John

  • Wouldn't it be better increasing the number of authentication methods required for SSPR to improve security? As I am assuming the customer already have the most common conditional access policies activated anyway? (referring to your previous post about top conditional access policies 😉

Resources