11-29-2017 12:11 PM
11-29-2017 12:11 PM
Is there a way to require MFA for SSPR (self-service password reset) enrollment? This would be ideal for our tenant to ensure a valid user (not just having the password) authenticates with MFA, or other Conditional Access policies, in order to do initial SSPR enrollment.
I'm not so much concerned with the reset process, just the enrollment process right now.
11-30-2017 12:07 AM
I believe they have plans to unify the SSPR and MFA enrollment processes, so you will have the same experience with both.
05-11-2018 06:32 PM
Thanks @Vasil Michev! Do you or anyone else with experience on this have an update on how this can be accomplished? I'm pretty sure the enrollment processes are still segmented. Any way to identify the SSPR enrollment page and create a Conditional Access rule for that app, requiring registration to come from an Intune-managed device, an MFA challenge, or both?
I know Conditional Access can do this, just not sure if the "SSPR Registration" page is considered an Enterprise Application in the AzureAD admin portal so I can apply this rule to it.
03-14-2019 04:12 AM
Did you manage to achieve this, we are looking at trying to work out the exact same scenario.
Conditional access for the SSPR setup process
04-09-2019 09:36 PM
@Nigelarnold portal.azure.com > Azure Active Directory > User Settings > Manage settings for access panel preview features > Users can use preview features for registering and managing security info – enhanced to Yes.
Then portal.azure.com > Azure Active Directory > Password reset > verify All is set and then under Registration you have "Require users to register when signing in?".
This will force MFA/SSPR registration the next time. Just prepare your users you will enable this because otherwise they will get confused. You can also, before forcing registration, ask everyone to manually perform registration at aka.ms/setupsecurityinfo. Not that you need to enable the preview feature above before this URL is available.
04-10-2019 09:07 PM
@Faiza Qadri I've found these from Microsoft: