
Combined registration for Azure AD MFA and Self Service Password Reset plus two other cool updates now in public pr...

First published on CloudBlogs on Aug, 06 2018
Howdy folks, Today, I am excited to share some really cool improvements to Multi-Factor Authentication (MFA) and self-service password reset (SSPR) that are now in public preview! We've heard from our customers that having two different registration experiences causes confusion and frustration. Now, users can register once and get the benefits of both MFA and SSPR, eliminating the need to register their security info for these features twice. This allows administrators to create and maintain a single set of documentation for their users and greatly simplifies the helpdesk scenarios. We received a lot of positive feedback from customers who have been using the private preview of these improvements and now we're excited to share them with all of you. Keep reading to learn more about these improvements!

Register for MFA and SSPR in a single experience

In the current Azure AD experience, users who are enabled for both MFA and SSPR must register their security info in separate experiences. We've heard from you that this causes confusion and frustration for users, especially if they have to register the same info, such as phone number, twice.

Before: MFA registration experience.

Before: SSPR registration experience.

With the new combined experience users can register their security info for both MFA and SSPR in a single, combined flow. This means users get to register once and benefit from both features!

A single, updated security info registration experience.

After registering, users can manage their security info from their profile page or by going directly to the security info registration page.

Profile page with Edit security info link to manage security info.

Here users can add more security info, change or delete previously registered info, and choose their default methods for MFA.

Security info management page.

Users who previously registered for MFA or SSPR through the separate experiences can manage their registered info through this new experience. We have created new documentation for this experience that shows users how to register and manage their security info. We recommend that you review this documentation and use it to prepare your users for the new experience. In particular, users who are familiar with the previous app password registration experience should follow the steps listed in our app passwords tutorial to register app passwords in the new experience. You can enable this experience for a group of users or all users in your organization today by following these steps. You can also let us know about your experience with this preview by filling out our survey.

Improved registration experience for the Microsoft Authenticator app

Not only does this new experience give users the ability to register for two features at once, but we also made each step in the registration process more intuitive. In particular, we improved the registration experience for the Microsoft Authenticator app (or any other authenticator app). Clear instructions and illustrations walk users through each step of registering their authenticator app. In addition, users who register from their mobile device can set up their account in the Microsoft Authenticator app with a single tap.

First step in the Microsoft Authenticator app registration experience.

To learn more about registering the Microsoft Authenticator app, check out our user guide.

Reset passwords using Microsoft Authenticator

Users who register the Microsoft Authenticator app (or another authenticator app) through the new security info registration experience or the current MFA registration experience can use an authenticator app to prove who they are to reset their password.

Mobile app options in Password reset settings.

You can quickly enable this feature from the Azure AD portal under Password reset settings: simply check the Mobile app notification and Mobile app code options. To learn more about how to enable your users to reset their password using the Microsoft Authenticator app, check out our documentation.

Tell us what you think

As always, we want to hear any feedback or suggestions you have. Please let us know what you think in the comments below or send us an email at ssprfeedback@microsoft.com.

Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
25 Comments
Occasional Contributor

not working for me. where can I get more help with this?

Established Member

I tested with a new user and see what is described. For an existing user that had MFA previously, after resetting MFA methods, it initially requests Phone and Email instead of Authenticator app/phone (and no option to register authenticator app). Why the difference?

Occasional Contributor

not working for me. one user attempting to go to the page https://aka.ms/setupsecurityinfo gets this:

[image]

while my user account when attempting to go to https://aka.ms/setupsecurityinfo gets stuck in some sort of page loop that goes on for quite a few loops, then I get either the above error or sometimes I get the right page...… I think???

[image]

the fact that I am stuck in a page loop for so long I am sure is not right even if I do land on the correct page. so something is wrong I am sure and I am not sure where to go to get help. I tried opening a ticket with Azure but that went nowhere

New Contributor
Do you know when it's gonna work again? It's a really very important feature which impacts the end-user experience, and we would like to start to leverage it sooner rather than later.
Occasional Contributor

I hope you listen to the feedback regarding the default MFA options. When we activate a new user we don't want them to add a phone number and activate MFA by text/phone, we want them to activate by Microsoft Authenticator. At the moment there is no way to add the authenticator app when you follow the new user MFA setup; phone should be the secondary option and the end user should not be able to change the phone number provided from Azure AD. This is a major security concern in a lot of enterprise companies.


Occasional Contributor

still not working and still no answers either

New Contributor
@Johan Schmidt, I’m not sure whether the ability to restrict an update of a phone number, used by a user as a second factor for authentication, is a requirement for all enterprises. I know at least few companies, including my current one, where users should be able to proceed with self registration without exposing their personal mobile numbers to Azure AD.
Occasional Contributor

@Alexey Goncharov My thoughts are about the possibility for administrators to configure the order presented to the end user and to add a possibility to automatically provision and lock down the attribute "Authentication Phone" for end users. I agree with your suggestion to have this possibility to change the authentication phone as a self service, but it should also be possible to lock it down and use auto provisioning in those cases where it is needed; that's something missing today, and the current update of the user experience is forcing even more end users to get stuck in text/phone behavior instead of using the Authenticator App.

 

New Contributor
@Johan Schmidt Agreed, it would be great to add MS Authenticator as preferred option, including a capability to enroll a device and send URL for the app deployment on mobile iOS/Android device. Also, it would be great to make security questions as optional. Currently all our users have to set at least 3 security questions at SSPR portal during self sign up.
Regular Visitor

Hi, how can this new integration (and the entire SSPR feature) help in regards to users resetting their mfa device?

I mean, is there any new method to let users reset their MFA app when they lose their phone or change to a new device?


Occasional Contributor

So far we've found the following optimal experience:

- Enable preview experience, and turn on a policy for SSPR that requires 2 methods for a reset.

- New users will be prompted to first register the Authenticator, and then a phone.

 

This is optimal because a user who changes phones can use SMS on their new phone until the Authenticator is reconfigured.

 

What I'd like to see:

- An option to force the user to do certain methods (Email, Security Questions) every time during setup.  For example, I'd like to let the user pick between Authenticator, Phone, etc.  but have to do Security Questions all the time.

 

New Contributor
Can we expect new combined registration for Azure AD MFA and Self Service Password Reset generally available by end of this year or it might be postponed until Q1'2019 or even H1'2019 ? I'm asking because our InfoSec team is exploring an opportunity to introduce 2FA for the entire company and currently working with other vendors due to some limitation of the existing solution provided by Azure MFA, including two portals and limited support of hardware tokens, which is in public preview as well. Thanks.

The new portal is better than the old one, because the primary method is the application and it is better looking and works nicer in other browsers.

 

But there are still a few items to be addressed:

  • Setup will timeout sometimes and user must hit "retry" to setup correctly.
  • The link to this page is complicated from My Profile section from Office 365.
  • Option to sync easily preferred mobile phone to authentication with Azure AD Connect.
Contributor

Any news on when this feature will go GA and be the default method for all tenants?

Occasional Contributor

@ Microsoft is this thread monitored by MSFT? If no, where could we get some attention from Microsoft regarding some very important issues?

1. The prio order when registering MFA, i would like Microsoft authenticator app as the first available option, but there are others that need other options. The solution to the problem is that you let administrator of the tenant to choose the order.

2. Pre-population of the authenticator phone: right now this is empty, even if we have mobile phone and phone populated from our AD/Azure AD. Why is it empty? In the old MFA registration interface it was prefilled with the mobile phone, but now it is empty!?

 

Tried to bring this to the attention of the thread owner Alex Simons, but the system rejects this.

Contributor

Could your 2) issue be that you need the phone number pre-populated with a space? See this link: "Note: There needs to be a space between the country code and the phone number."

 

Occasional Contributor

Regarding (2.) SSPR is working and we are using a space between country code and phone number. But when we try to use the same information when activating MFA the phone number is suddenly empty. :(

Exactly the same here in our tenant as for @Johan Schmidt.

Occasional Contributor

I have reported this to the email address listed in this article several months ago. I have noticed that after prepopulating the number it does not show in the list, but can be selected as a default authentication type. After logging in and going through MFA once the number appears as expected. I suspect it is due to the lack of verification on the number, and is obviously a bug.

Contributor

I hereby also can confirm that the on-premise AD attribute mobile which is sync'ed to Azure AD Mobile phone does not get pre-filled into SSPR as it did on the old SSPR setup page.

 

Side note. In the old SSPR portal the format of the attribute didn't matter: you could put +1123456789, +1 23456789, +1-123456789 or even +1-(234)-56789 and it always corrected it and entered +1 23456789 as the required format according to the documentation, and also if you tried to change it manually:

 

[image]

 

But now with the new converged SSPR/MFA the user can put whatever format they want including spaces and - and it will work and be saved to Azure AD.

 

And I agree with other comments, we need a way to force/recommend the order so we push more users to Authenticator app rather than text message.
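Added example (not Microsoft's code and not posted by anyone in this thread): a small Python audit script for the on-premises mobile values before Azure AD Connect syncs them into the Azure AD Mobile phone attribute. The thread above reports that the new converged page no longer normalises the value and that pre-population needs the documented "+CC NSN" format with a space between country code and number, so the script flags values that are already canonical, rewrites the ones it can normalise, and rejects the ones it cannot. The country-code list, the user records and the contoso.example UPNs are assumptions constructed for this example; writing the corrected value back to AD (for instance with Set-ADUser) is left to the reader.

```python
import re

# Assumed, deliberately short country-code list for the example.
# Azure AD's own list is not on this page; extend as needed.
COUNTRY_CODES = {
    "1", "7", "20", "27", "30", "31", "33", "34", "39", "41", "44", "45",
    "46", "47", "48", "49", "61", "81", "86", "91", "353", "358", "420", "972",
}

# The documented target format: '+', country code, one space, national number.
CANONICAL = re.compile(r"^\+(\d{1,3}) (\d{4,14})$")


def normalize_phone(raw):
    """Return the value in '+CC NSN' form, or raise ValueError if it cannot be trusted."""
    if raw is None or not raw.strip():
        raise ValueError("empty value")
    s = raw.strip()
    if not s.startswith("+"):
        # Without an explicit '+CC' we cannot guess the country safely.
        raise ValueError(f"missing + country code prefix: {raw!r}")
    digits = re.sub(r"\D", "", s)          # drop spaces, dashes, parentheses
    if not 8 <= len(digits) <= 15:         # E.164 allows at most 15 digits
        raise ValueError(f"unexpected digit count ({len(digits)}): {raw!r}")
    # Longest-prefix match so '+358...' is not misread as '+35 8...'.
    cc = next((digits[:n] for n in (3, 2, 1) if digits[:n] in COUNTRY_CODES), None)
    if cc is None:
        raise ValueError(f"unknown country code: {raw!r}")
    nsn = digits[len(cc):]
    if not nsn:
        raise ValueError(f"no national number after country code: {raw!r}")
    return f"+{cc} {nsn}"


def is_canonical(value):
    """True when the value already matches the documented '+CC NSN' layout."""
    return bool(CANONICAL.match(value or ""))


def audit(users):
    """Map each UPN to (status, value): ok | fix | invalid | missing."""
    report = {}
    for upn, mobile in users:
        if not mobile or not mobile.strip():
            report[upn] = ("missing", None)
        elif is_canonical(mobile):
            report[upn] = ("ok", mobile)
        else:
            try:
                report[upn] = ("fix", normalize_phone(mobile))
            except ValueError as err:
                report[upn] = ("invalid", str(err))
    return report


# Constructed sample of (userPrincipalName, mobile) pairs; not real data.
SAMPLE_USERS = [
    ("alice@contoso.example", "+1 2025550143"),        # already canonical
    ("bob@contoso.example", "+12025550143"),           # missing the space
    ("carol@contoso.example", "+1-(202)-555-0143"),    # dashes and parentheses
    ("dave@contoso.example", "+44 20 7946 0958"),      # spaces inside the NSN
    ("erin@contoso.example", "2025550143"),            # no country code
    ("frank@contoso.example", ""),                     # nothing synced
]

if __name__ == "__main__":
    for upn, (status, value) in audit(SAMPLE_USERS).items():
        print(f"{status:8} {upn:26} {value}")
```

Run it against an export of the mobile attribute (for example the output of Get-ADUser with the mobile property) and only push values reported as "ok" or "fix" into the attribute that Azure AD Connect maps to Mobile phone; anything "invalid" needs a human, because a wrong number silently becomes a working second factor and password-reset channel for whoever controls it.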

Occasional Contributor

We have found that if you enable the user for self service password reset at the same time as conditional mfa it will prepopulate Authenticator as the default option. 

 

If you set the SSPR requirement to 2 factors needed for a reset, the preview portal prepopulates with Authenticator and SMS as two options that the user must complete.  This is the route we are taking. 

 

Microsoft

Hi folks! Thanks for the great comments on this thread and apologies for the delayed response. The best way to get help is to submit a support ticket through the Azure AD portal or you can reach out to ssprfeedback@microsoft.com with questions. Thank you!


Occasional Visitor

Is anyone having trouble with company branding not showing up in the combined registration?  I can see it's trying to pull the branding while the page is loading, but the Microsoft default appears instead.



 

Contributor

You mean in the top left corner? This shows our company logo for us.

Occasional Contributor

Our logo is working properly as well.