Stephen_Vanderende
Nov 22, 2023

Microsoft SSPR restrict access by location

Hello all,
The organization I work for has been seeing an uptick in the number of SSPR attempts being made against its users.  I have been looking on these forums and on the web but have not seen a security control to prevent certain geographic IP locations from attempting SSPR.  I understand you can use Conditional Access policies to restrict Named Locations from registering security methods but this is after the fact of a successful login.  Ideally, it would be a benefit to restrict the attack surface of SSPR by having a fourth condition added to the SSPR workflow to check if an organization has restricted the ability to use SSPR to specific Named Locations as documented here.
We do have MFA options configured for end users, we have controls for travelling staff and we are receiving and monitoring alerts for these events but it would be helpful to restrict where SSPR can be accessed.

  • The portal to change your password via self-service is a public portal. So you cannot secure it.
    • Stephen_Vanderende

      JosvanderVaart Yes it is a public portal, however, my ask is to add another check to the existing three checks in the SSPR workflow that are in the link included in the original post:

      1. Checks to see if the user has SSPR enabled.
      2. Checks that the user has the right authentication methods defined on their account in accordance with administrator policy.
      3. Checks to see if the user's password is managed on-premises.

      Another check would be to see if the organization has allowed the use of SSPR in the user's geo-location. Since the above checks are being done already, why not the ability to limit where the user can use SSPR?

      • juliansperling
        I agree that having this feature would be nice, but I fear we will have to wait until it is available as a target in Conditional Access. We also had to wait very long to be able to control myapps.microsoft.com - Microsoft is a little inconsistent with their support for Conditional Access.
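A defender-side illustration of the fourth check proposed in this thread, added here as an example and not code from the thread, from Microsoft, or from any Entra API: it models the three SSPR eligibility checks listed above plus a Named Location check, evaluated over a handful of constructed reset attempts. The Named Location CIDRs, user records, required-method count and attempt records are all invented for the example, and the record layout does not follow Microsoft's audit-log schema. Since the product does not enforce such a check today, the same logic is the kind of rule you could run over your own SSPR audit export to alert on attempts from outside expected locations.

```python
"""Model of the SSPR eligibility checks plus a proposed Named Location check.

Everything here is constructed for illustration: the Named Locations, the user
records, the attempt records and the policy values are hypothetical and do not
come from Microsoft Entra or from the forum thread.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical Named Locations (as an admin would define them), mapped to CIDRs.
NAMED_LOCATIONS = {
    "HQ-Office": ["203.0.113.0/24"],
    "Branch-VPN": ["198.51.100.0/25"],
}

# Hypothetical policy: only these Named Locations may start an SSPR flow.
SSPR_ALLOWED_LOCATIONS = {"HQ-Office", "Branch-VPN"}

# Hypothetical policy: number of registered methods required to reset.
METHODS_REQUIRED_TO_RESET = 2


@dataclass
class User:
    upn: str
    sspr_enabled: bool
    registered_methods: frozenset
    managed_on_premises: bool
    password_writeback: bool = False


@dataclass
class SsprAttempt:
    upn: str
    source_ip: str


def named_location_for(ip: str):
    """Return the Named Location containing ip, or None if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in NAMED_LOCATIONS.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return name
    return None


def evaluate_attempt(user: User, attempt: SsprAttempt):
    """Apply the three existing SSPR checks and the proposed fourth one.

    Returns (allowed, reasons); reasons lists every check that failed so an
    alert can say why an attempt would be refused.
    """
    reasons = []
    # 1. Is SSPR enabled for this user?
    if not user.sspr_enabled:
        reasons.append("sspr_not_enabled")
    # 2. Does the user have enough registered methods to satisfy policy?
    if len(user.registered_methods) < METHODS_REQUIRED_TO_RESET:
        reasons.append("insufficient_methods")
    # 3. Is the password managed on-premises without writeback?
    if user.managed_on_premises and not user.password_writeback:
        reasons.append("on_prem_without_writeback")
    # 4. (proposed) Is the source address inside an allowed Named Location?
    location = named_location_for(attempt.source_ip)
    if location not in SSPR_ALLOWED_LOCATIONS:
        reasons.append(f"location_not_allowed:{location or 'unknown'}")
    return (not reasons, reasons)


def triage(users, attempts):
    """Evaluate every attempt; return upn -> list of failure-reason lists for
    attempts that would be refused (one inner list per refused attempt)."""
    by_upn = {u.upn: u for u in users}
    blocked = {}
    for attempt in attempts:
        user = by_upn.get(attempt.upn)
        if user is None:
            blocked.setdefault(attempt.upn, []).append(["unknown_user"])
            continue
        allowed, reasons = evaluate_attempt(user, attempt)
        if not allowed:
            blocked.setdefault(attempt.upn, []).append(reasons)
    return blocked


# Constructed sample data (documentation-range addresses, invented accounts).
SAMPLE_USERS = [
    User("alice@example.com", True, frozenset({"authenticator", "mobile_phone"}), False),
    User("bob@example.com", True, frozenset({"mobile_phone"}), False),
    User("carol@example.com", True, frozenset({"authenticator", "email"}), True),
]
SAMPLE_ATTEMPTS = [
    SsprAttempt("alice@example.com", "203.0.113.40"),   # HQ-Office, passes all checks
    SsprAttempt("alice@example.com", "192.0.2.77"),     # outside every Named Location
    SsprAttempt("bob@example.com", "198.51.100.10"),    # Branch-VPN, but too few methods
    SsprAttempt("carol@example.com", "203.0.113.9"),    # on-prem managed, no writeback
    SsprAttempt("mallory@example.com", "192.0.2.5"),    # account does not exist
]

if __name__ == "__main__":
    for upn, failures in triage(SAMPLE_USERS, SAMPLE_ATTEMPTS).items():
        print(upn, failures)
```

Running the file prints one line per account whose attempts would be refused, with the failing checks; feeding it real audit rows would mean mapping your export's IP and UPN fields onto `SsprAttempt` and your Named Locations onto `NAMED_LOCATIONS`.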