Combined registration for Azure AD MFA and Self Service Password Reset plus two other cool updates now in public preview!
Published Sep 07 2018 09:20 AM
First published on CloudBlogs on Aug, 06 2018
Howdy folks,

Today, I am excited to share some really cool improvements to Multi-Factor Authentication (MFA) and self-service password reset (SSPR) that are now in public preview! We've heard from our customers that having two different registration experiences causes confusion and frustration. Now, users can register once and get the benefits of both MFA and SSPR—eliminating the need to register their security info for these features twice. This allows administrators to create and maintain a single set of documentation for their users and greatly simplifies helpdesk scenarios. We received a lot of positive feedback from customers who have been using the private preview of these improvements, and now we're excited to share them with all of you. Keep reading to learn more about these improvements!

Register for MFA and SSPR in a single experience

In the current Azure AD experience, users who are enabled for both MFA and SSPR must register their security info in separate experiences. We've heard from you that this causes confusion and frustration for users, especially if they have to register the same info, such as phone number, twice.

Before: MFA registration experience.

Before: SSPR registration experience.

With the new combined experience users can register their security info for both MFA and SSPR in a single, combined flow. This means users get to register once and benefit from both features!

A single, updated security info registration experience.

After registering, users can manage their security info from their profile or by going to the security info registration page.

Profile page with Edit security info link to manage security info.

Here users can add more security info, change or delete previously registered info, and choose their default methods for MFA.

Security info management page.

Users who previously registered for MFA or SSPR through the separate experiences can manage their registered info through this new experience. We have created new documentation for this experience that shows users how to register and manage their security info. We recommend that you review this documentation and use it to prepare your users for the new experience. In particular, users who are familiar with the previous app password registration experience should follow the steps listed in our app passwords tutorial to register app passwords in the new experience. You can enable this experience for a group of users or all users in your organization today by following these steps. You can also let us know about your experience with this preview by filling out our survey.

Improved registration experience for the Microsoft Authenticator app

Not only does this new experience give users the ability to register for two features at once, but we also made each step in the registration process more intuitive. In particular, we improved the registration experience for the Microsoft Authenticator app (or any other authenticator app). Clear instructions and illustrations walk users through each step of registering their authenticator app. In addition, users who register from their mobile device can set up their account in the Microsoft Authenticator app with a single tap.

First step in the Microsoft Authenticator app registration experience.

To learn more about registering the Microsoft Authenticator app, check out our user guide.

Reset passwords using Microsoft Authenticator

Users who register the Microsoft Authenticator app (or another authenticator app) through the new security info registration experience or the current MFA registration experience can use an authenticator app to prove who they are to reset their password.

Mobile app options in Password reset settings.

You can quickly enable this feature from the Azure AD portal under Password reset settings—simply check the Mobile app notification and Mobile app code options. To learn more about how to enable your users to reset their password using the Microsoft Authenticator app, check out our documentation.

Tell us what you think

As always, we want to hear any feedback or suggestions you have. Please let us know what you think in the comments below or send us an email at ssprfeedback@microsoft.com.

Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
Copper Contributor

Not working for me. Where can I get more help with this?

Copper Contributor

I tested with a new user and see what is described.  For an existing user that had MFA previously, after resetting MFA methods, it initially requests Phone and Email instead of Authenticator app/phone (and no option to register authenticator app).  Why the difference?

Copper Contributor

Not working for me. One user attempting to go to the page https://aka.ms/setupsecurityinfo gets this:

(screenshot)

My user account, when attempting to go to https://aka.ms/setupsecurityinfo, gets stuck in some sort of page loop that goes on for quite a few loops, then I get either the above error or sometimes I get the right page... I think???

(screenshot)

The fact that I am stuck in a page loop for so long I am sure is not right, even if I do land on the correct page. So something is wrong, I am sure, and I am not sure where to go to get help. I tried opening a ticket with Azure but that went nowhere.

Iron Contributor
Do you know when it's gonna work again? It's a really very important feature which impacts the end-user experience, and we would like to start to leverage it sooner rather than later.
Copper Contributor

I hope you listen to the feedback regarding the default MFA options. When we activate a new user we don't want them to add a phone number and activate MFA by text/phone, we want them to activate by Microsoft Authenticator. At the moment there is no way to add the authenticator app when you follow the new user MFA setup; phone should be the secondary option and the end user should not be able to change the phone number provided from Azure AD. This is a major security concern in a lot of enterprise companies.

Copper Contributor

Still not working, and still no answers either.

Iron Contributor
@Johan Schmidt, I'm not sure whether the ability to restrict an update of a phone number, used by a user as a second factor for authentication, is a requirement for all enterprises. I know at least a few companies, including my current one, where users should be able to proceed with self registration without exposing their personal mobile numbers to Azure AD.
Copper Contributor

@Alexey Goncharov My thoughts are about the possibility for administrators to configure the order presented to the end user and to add a possibility to automatically provision and lock down the attribute "Authentication Phone" for end users. I agree with your suggestion to have this possibility to change the authentication phone as a self service, but it should also be possible to lock it down and use auto provisioning in those cases where it is needed. That's something missing today, and the current update of the user experience is forcing even more end users to get stuck in text/phone behavior instead of using the Authenticator App.

Iron Contributor
@Johan Schmidt Agreed, it would be great to add MS Authenticator as the preferred option, including a capability to enroll a device and send a URL for the app deployment on a mobile iOS/Android device. Also, it would be great to make security questions optional. Currently all our users have to set at least 3 security questions at the SSPR portal during self sign-up.
Copper Contributor

Hi, how can this new integration (and the entire SSPR feature) help in regards to users resetting their mfa device?

I mean, is there any new method to let users reset their MFA app when they lose their phone or change to a new device?

Steel Contributor

So far we've found the following optimal experience:

- Enable preview experience, and turn on a policy for SSPR that requires 2 methods for a reset.

- New users will be prompted to first register the Authenticator, and then a phone.

This is optimal because a user who changes phones can use SMS on their new phone until the Authenticator is reconfigured.

What I'd like to see:

- An option to force the user to do certain methods (Email, Security Questions) every time during setup. For example, I'd like to let the user pick between Authenticator, Phone, etc. but have to do Security Questions all the time.

Iron Contributor
Can we expect the new combined registration for Azure AD MFA and Self Service Password Reset to be generally available by the end of this year, or might it be postponed until Q1'2019 or even H1'2019? I'm asking because our InfoSec team is exploring an opportunity to introduce 2FA for the entire company and is currently working with other vendors due to some limitations of the existing solution provided by Azure MFA, including two portals and limited support of hardware tokens, which is in public preview as well. Thanks.

The new portal is better than the old one, because the primary method is the application, and it is better looking and works nicer in other browsers.

But there are still a few items to be addressed:

  • Setup will time out sometimes and the user must hit "retry" to set up correctly.
  • The link to this page is complicated from the My Profile section of Office 365.
  • Option to easily sync the preferred mobile phone to authentication with Azure AD Connect.
Steel Contributor

Any news on when this feature will go GA and be the default method for all tenants?

Copper Contributor

@Microsoft, is this thread monitored by MSFT? If not, where could we get some attention from Microsoft regarding some very important issues?

1. The priority order when registering MFA: I would like the Microsoft Authenticator app as the first available option, but there are others that need other options. The solution to the problem is to let the administrator of the tenant choose the order.

2. Pre-population of the authenticator phone: right now this is empty, even if we have mobile phone and phone populated from our AD/Azure AD. Why is it empty? In the old MFA registration interface it was prefilled with the mobile phone, but now it is empty!?

Tried to draw the attention of the thread owner Alex Simons, but the system rejects this.

Steel Contributor

Could your 2) issue be that you need the phone number pre-populated with a space? See this link: Note: There needs to be a space between the country code and the phone number.

Copper Contributor

Regarding (2.) SSPR is working and we are using a space between country code and phone number. But when we try to use the same information when activating MFA the phone number is suddenly empty. :(

Exactly the same here in our tenant as for @Johan Schmidt.

Steel Contributor

I have reported this to the email address listed in this article several months ago. I have noticed that after prepopulating the number it does not show in the list, but can be selected as a default authentication type. After logging in and going through MFA once, the number appears as expected. I suspect it is due to the lack of verification on the number, and is obviously a bug.

Steel Contributor

I hereby also can confirm that the on-premises AD attribute mobile, which is synced to Azure AD Mobile phone, does not get pre-filled into SSPR as it did on the old SSPR setup page.

Side note: in the old SSPR portal the format of the attribute didn't matter; you could put +1123456789, +1 23456789, +1-123456789 or even +1-(234)-56789 and it always corrected it and entered +1 23456789 as the required format according to the documentation, and also if you try to change it manually:

(screenshot)

But now with the new converged SSPR/MFA the user can put whatever format they want, including spaces and -, and it will work and be saved to Azure AD.

And I agree with other comments, we need a way to force/recommend the order so we push more users to the Authenticator app rather than text message.
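The format point raised in this thread (the documentation note quoted above that a space is required between the country code and the number, and the observation that the old portal normalized inputs such as +1-(234)-56789 while the new one stores whatever the user types) can be enforced on the on-premises side before Azure AD Connect syncs the mobile attribute. The following is an added example, not code from the post or from Microsoft: a Python checker that normalizes a mobile value to the "+<country code> <subscriber number>" form, flags values it cannot interpret, and runs over a constructed list of sample records. The country-code table, the sample user names and the numbers are assumptions made for this example.

```python
"""Checker for the Azure AD authentication phone format.

Added example, not code from the post or from Microsoft. It normalizes a
mobile-attribute value to '+<country code> <subscriber number>' (the format
the documentation quoted in the thread requires: a space between the country
code and the number) and flags values it cannot interpret, so they can be
fixed in on-premises AD before Azure AD Connect syncs them.
"""
import re
from typing import List, Optional, Tuple

# Assumption for this example: a small, constructed subset of country calling
# codes. A production checker would load the full ITU-T E.164 assignment list.
KNOWN_COUNTRY_CODES = {
    "1", "7", "31", "32", "33", "34", "39", "41", "44", "45", "46", "47",
    "48", "49", "61", "81", "86", "353", "358", "420",
}

E164_MAX_DIGITS = 15       # E.164: at most 15 digits including the country code
MIN_SUBSCRIBER_DIGITS = 4  # reject a bare country code or a stub number


def normalize_auth_phone(raw: Optional[str]) -> Optional[str]:
    """Return '+<cc> <number>' for an interpretable value, otherwise None.

    Accepts the variants seen in the thread (+1123456789, +1 23456789,
    +1-123456789, +1-(234)-56789) and rejects values without an international
    prefix, since the country code would then be ambiguous.
    """
    if raw is None:
        return None
    value = raw.strip()
    if not value.startswith("+"):
        return None
    digits = re.sub(r"\D", "", value[1:])   # drop spaces, dashes, parentheses
    if not digits or len(digits) > E164_MAX_DIGITS:
        return None
    # Country codes are 1 to 3 digits long; try the longest match first so
    # that a 3-digit code such as +353 is checked before shorter prefixes.
    for width in (3, 2, 1):
        cc, subscriber = digits[:width], digits[width:]
        if cc in KNOWN_COUNTRY_CODES:
            if len(subscriber) < MIN_SUBSCRIBER_DIGITS:
                return None
            return f"+{cc} {subscriber}"
    return None


Record = Tuple[str, Optional[str]]
ReportRow = Tuple[str, Optional[str], Optional[str], str]


def audit_mobile_attributes(records: List[Record]) -> List[ReportRow]:
    """Classify each (upn, mobile) pair as 'ok', 'rewrite' or 'reject'."""
    report = []
    for upn, mobile in records:
        normalized = normalize_auth_phone(mobile)
        if normalized is None:
            status = "reject"    # needs manual correction before sync
        elif normalized == (mobile or "").strip():
            status = "ok"        # already in the documented format
        else:
            status = "rewrite"   # write the normalized value back to AD
        report.append((upn, mobile, normalized, status))
    return report


# Constructed sample export (user names and numbers are made up).
SAMPLE_RECORDS: List[Record] = [
    ("alice@contoso.example", "+1-(234)-56789"),
    ("bob@contoso.example", "+1 23456789"),
    ("carol@contoso.example", "+46 70-123 45 67"),
    ("dave@contoso.example", "020 7946 0958"),   # no country code
    ("erin@contoso.example", "+999 12345"),       # unknown country code
    ("frank@contoso.example", None),              # attribute not set
]

if __name__ == "__main__":
    for upn, raw, normalized, status in audit_mobile_attributes(SAMPLE_RECORDS):
        print(f"{status:7} {upn:24} {raw!r:22} -> {normalized}")
```

Values without a leading "+" are rejected rather than guessed at, because the country code is exactly the part that has to be correct for the MFA call or SMS to reach the user; a wrong guess would silently enroll an unreachable number.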

Steel Contributor

We have found that if you enable the user for self-service password reset at the same time as conditional MFA it will prepopulate Authenticator as the default option.

If you set the SSPR requirement to 2 factors needed for a reset, the preview portal prepopulates with Authenticator and SMS as two options that the user must complete. This is the route we are taking.

Microsoft

Hi folks! Thanks for the great comments on this thread and apologies for the delayed response. The best way to get help is to submit a support ticket through the Azure AD portal or you can reach out to ssprfeedback@microsoft.com with questions. Thank you!

Copper Contributor

Is anyone having trouble with company branding not showing up in the combined registration? I can see it's trying to pull the branding while the page is loading, but the Microsoft default appears instead.

Steel Contributor

You mean in the top left corner? This shows our company logo for us.

Steel Contributor

Our logo is working properly as well.

Steel Contributor

Seems like Microsoft has released another preview, calling it "Users can use preview features for registering and managing security info - refresh". I just enabled it and it includes a lot of new interesting features for the user's profile page (as far as I can understand via https://myprofile.microsoft.com/ once you have enabled it) like Recent Activity. It also seems to feature a new process for registering and choosing a default MFA authentication method, which I haven't tried on a deeper level yet.

(screenshot)

Let's get testing!

Brass Contributor

I tried this myself, but need to do a "new user experience" to see how it compares to the existing preview experience.  The other activity screens look interesting.  They need to focus on the enrollment experience, above all.

Copper Contributor

Sorry to say, but Microsoft haven't listened to our requests at all :(

New user setup is still as bad as the first release.

1. It is still asking for mobile phone as the first option for MFA, and you still need to go back to the portal to add Microsoft Authenticator :(

2. Mobile phone number is not prefilled from Azure AD, and users can fill in whatever they want.

The portal looks great, but when you click on different options it opens up new tabs instead of staying in the same window.

Copper Contributor

Hi @Alex Simons (AZURE) / @Sadie Henry / All - I'm taking a look at "Users can use preview features for registering and managing security info – refresh" in my test tenant and like it. One thing that jumped out at me, as an organization that has a lot of guest users that we subject to Azure MFA, is the "Your organization" verbiage on the screens:

(screenshot dated 04-Mar-19)

We have some guest users whose employers also use Azure AD - which sometimes leads to user confusion over what org the user is interacting with. I think these screens would be better if you used the tenant name/description rather than the generic "your org" (which is not actually correct in the case of a guest). Even better if you used the custom branding in order to provide more visual cues as to who the user is interacting with.

Thanks!

Microsoft

Hi @watersjeremy - thanks for the feedback! We'll look into potentially integrating the tenant name into the "your organization" wording. In the meantime, the tenant name will show up in the upper-left corner and we are looking to also add the custom branding image/logo there as well. 

Iron Contributor
@Sadie Henry it would be great if Microsoft is able to integrate both, tenant name and a branding logo as well. 👍
Microsoft

@Alexey Goncharov the tenant name will show up in the upper left corner, but we're looking to add the branding logo as well :)

Copper Contributor

This is a really great feature. We have enabled SSPR, and we have Conditional Access forcing MFA when off-prem (using the locations feature to determine on-prem).

So MFA is applied whenever you're offsite.

We'd like to enable Enforce MFA Registration or manually Enable MFA for each user, ideally to boost our secure score.

What is recommended in this scenario?

Cheers

Microsoft

@Pete99 great question! I would not recommend enforcing MFA on a per-user basis. It sounds like you're already heading down the right path by requiring MFA through CA. I would recommend that you continue to leverage CA to protect sensitive resources. I'm not exactly sure how that would contribute to secure score, but I would assume it will only help you. :)

Iron Contributor
Are you aware when these new features will become GA?
Version history: last update Jul 24 2020 01:55 AM