
Can we require MFA for SSPR enrollment?

Chris Smith
Contributor

Is there a way to require MFA for SSPR (self-service password reset) enrollment? This would be ideal for our tenant to ensure a valid user (not just having the password) authenticates with MFA, or other Conditional Access policies, in order to do initial SSPR enrollment.

I'm not so much concerned with the reset process, just the enrollment process right now.

Thanks!

6 Replies

I believe they have plans to unify the SSPR and MFA enrollment processes, so you will have the same experience with both.

Thanks @Vasil Michev! Do you or anyone else with experience on this have an update on how this can be accomplished? I'm pretty sure the enrollment processes are still segmented. Any way to identify the SSPR enrollment page and create a Conditional Access rule for that app, requiring registration to come from an Intune-managed device, an MFA challenge, or both?

I know Conditional Access can do this, just not sure if the "SSPR Registration" page is considered an Enterprise Application in the AzureAD admin portal so I can apply this rule to it.

Thanks! 

Hello

Did you manage to achieve this? We are looking at trying to work out the exact same scenario.

Conditional access for the SSPR setup process

Thanks

@Nigelarnold portal.azure.com > Azure Active Directory > User Settings > Manage settings for access panel preview features > "Users can use preview features for registering and managing security info – enhanced" to Yes.

Then portal.azure.com > Azure Active Directory > Password reset > verify All is set and then under Registration you have "Require users to register when signing in?".

This will force MFA/SSPR registration the next time. Just prepare your users that you will enable this, because otherwise they will get confused. You can also, before forcing registration, ask everyone to manually perform registration at aka.ms/setupsecurityinfo. Note that you need to enable the preview feature above before this URL is available.

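Hi - Do you have any end user support or comms template for this? TIA

@Faiza Qadri I've found these from Microsoft:

https://aka.ms/mfatemplates

https://docs.microsoft.com/en-us/azure/active-directory/user-help/security-info-setup-signin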