Forum Discussion
DTunes
Apr 24, 2020 Copper Contributor
SSPR registration enforcement with Combined Registration Enabled
Hi, We have the Combined Registration for MFA and SSPR enabled as described here, https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined, and ...
JonasBack
Apr 25, 2020 Iron Contributor
I was not aware of this selection. We usually force registration of all users with portal.azure.com > Azure Active Directory > Password > Registration. However, that is all or nothing.
We also often use Conditional Access and only require MFA in certain scenarios (like external access) that will kick off the combined MFA/SSPR registration. This can be applied to a group so you only force a few users at a time.
But it would be interesting to see if this works, since then you can really stage registration for a few users at a time.
- DTunes
  Apr 25, 2020 Copper Contributor
  We have tested the registration enforcement through the MFA Registration Policy, in Azure AD, under Security > Identity Protection > MFA Registration, and that works really well. You can target it at specific users via AAD groups. The only issue for us is that by default it gives users only 14 days to register; after that they cannot skip it anymore and are forced to do it.
  The old SSPR registration enforcement actually allowed people to continue to skip the registration indefinitely, something we actually want.
- JonasBack
  Apr 26, 2020 Iron Contributor
  I agree that the MFA Registration works well too; just note that you need Azure AD Premium P2 for this.