SOLVED

All users receive "Your organization needs more information to keep your account secure" when logon


All users receive "Your organization needs more information to keep your account secure" when logging on to the O365 web portal.

Users can select "Skip for now (XX days until this is required)", but eventually it will require all users to provide it.

I will have some user accounts to use on some applications or devices which must log on without multi-factor authentication, and whose password should never change.

I have checked that on the multi-factor authentication page the "MULTI-FACTOR AUTH STATUS" for all users is Disabled. I also checked that "Self service password reset enabled" is set to "None".

I have no idea why all users still receive such a message.
How can I disable this message and requirement for all user accounts?

 

Thank you.


@microc1 


It's almost certainly a Conditional Access Policy.

Is the "End user protection (Preview)" baseline enabled?


best response confirmed by microc1 (Copper Contributor)
Solution

Thank you for the hint.


Finally solved by:
Azure Active Directory > Properties
Manage security defaults
set Enable security defaults to No

@microc1

Check the screenshot below. Make sure you search for the Properties.

If you didn't create an Azure account, make sure you sign in with your account that is facing the issue.

The solution is totally free; do not sign up for any Azure plans provided.

@microc1 Thanks for your support, this helped me to resolve the problem of login for users in my organization. Kind Regards

Mankay-Sierra Leone West Africa


Instructions for setting up Self-Service Password Reset for companies using Azure Active Directory

Step 1 - Create a Security group in Office 365. To do this, go to https://portal.office.com and sign in with your Office 365 Global Administrator account > Select Admin Center.

Step 2 - On the left navigation pane, select Groups > Groups.

Step 3 - Click on Add a Group > Choose Security Group from the type drop-down > Give the group a name. Click Add.

Step 4 - Once the security group is created, navigate to the group and click Edit next to Members to add the user as a member of this security group.

Step 5 - Once you add the user as a member of the security group, from the left navigation pane expand Admin Centers and click on Azure Active Directory.

Step 6 - From the Azure Active Directory Admin Center, choose Azure Active Directory from the left menu.

Step 7 - From the Dashboard and option menu in the middle, click on Password Reset.

Step 8 - In the Password Reset properties page, choose Properties and select Selected to select a security group. You can also choose All if you want to enable SSPR for everyone.

Step 9 - Click on the group, then find the desired security group in the Select a Group list, click Select, and then finally click Save. Once saved, Self-Service Password Reset has been enabled for the users in the selected security group in your Office 365/Azure AD tenant, and you're done!

This answer saved my life, I didn't know what else to do!!

Thanks a lot for the screenshot, I was having a hard time finding the exact location!

Just pointing out that MS put those defaults there for a reason. You are disabling many security features instead of finding a solution to your specific issue. Hackers are now able to password spray your Exchange Online using IMAP / POP3 etc, among other things. Here's how to do it without undermining the security of the tenant:
1. Add any external IPs of the locations they will send from to Trusted IPs under MFA settings. In most cases you would do this for all company owned office locations. https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
2. Set Password Reset Registration to No so that new users are not prompted to register.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/Registration
3. If you need to send SMTP email through Exchange Online (e.g. from a printer), create an account with exchange license to use for sending.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
4. Load Cloud Shell from top of the Azure Portal. Connect to Exchange:
Connect-EXOPSSession
5. Create an Authentication Policy:
New-AuthenticationPolicy -Name "Allow Basic Auth SMTP" -AllowBasicAuthSmtp
6. Assign the policy to the user:
Get-User user@domain.com | Set-User -AuthenticationPolicy "Allow Basic Auth SMTP"
7. Force policy to apply within 30 minutes:
Set-User user@domain.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)


Reference:

https://www.howdoiuseacomputer.com/index.php/2021/09/16/do-not-disable-security-defaults/
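An added example (not from any poster in this thread) that scripts steps 4 to 7 above so the basic-auth SMTP exception stays limited to a named list of service accounts and is audited for drift; it assumes the ExchangeOnlineManagement module, the newer Connect-ExchangeOnline cmdlet in place of Connect-EXOPSSession, and the constructed placeholder account names shown.

```powershell
# Added example: apply the per-account authentication policy idempotently and
# audit who carries it, so the exception never silently grows tenant-wide.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$PolicyName = 'Allow Basic Auth SMTP'
# Constructed placeholder identities; replace with the real service accounts.
$ServiceAccounts = @('svc-printer@contoso.example', 'svc-scanner@contoso.example')

# Create the policy only if it does not already exist.
$policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AuthenticationPolicy -Name $PolicyName -AllowBasicAuthSmtp
}

foreach ($upn in $ServiceAccounts) {
    $user = Get-User -Identity $upn -ErrorAction Stop
    # AuthenticationPolicy may be returned as a distinguished name, so match loosely.
    if ($user.AuthenticationPolicy -notlike "*$PolicyName*") {
        Set-User -Identity $upn -AuthenticationPolicy $PolicyName
        # Invalidate existing tokens so the new policy applies within ~30 minutes.
        Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
    }
    # SMTP AUTH is also a per-mailbox switch; keep it enabled only for these accounts.
    Set-CASMailbox -Identity $upn -SmtpClientAuthenticationDisabled $false
}

# Audit: list every user carrying the policy and flag any outside the allow list.
$assigned = Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -like "*$PolicyName*" } |
    Select-Object -ExpandProperty UserPrincipalName
$unexpected = $assigned | Where-Object { $_ -notin $ServiceAccounts }
if ($unexpected) {
    Write-Warning ("Policy '{0}' is assigned outside the allow list: {1}" -f `
        $PolicyName, ($unexpected -join ', '))
}

Disconnect-ExchangeOnline -Confirm:$false
```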

Thanks, SimBur! I had the issue today, because I thought I'd do my client a favor and enable self password reset, but this seemed to be a side-effect. Really didn't want to disable security defaults, so your post was perfect (I used the link under your #2). It is odd how, by default, they REQUIRE all users to set up authentication methods on first sign-in if self-password reset is enabled, rather than just leave it optional. And then they let that page be buggy. :\
I agree with you SimBur that SSPR, MFA and Security Defaults are useful features for the vast majority of users in the tenancy. However, in even a modest tenancy there are often 'edge cases' that must be accommodated. The problem sysadmins are trying to resolve is how to exclude a selected group from the security defaults. Unfortunately the choice provided by the admin portal is to include everyone or only a selected group - the opposite of what is required.

@SimBur2365

None of your suggestions make any sense for my scenario.  I can't login to Teams with MY account even though I'm the org admin.  We don't use Exchange online, we have Exchange on prem.  I already have 2FA enabled for my account.  After approving in the MS authenticator app I get the message "Your organization needs more information to keep your account secure."
Well, what f***** information does it want?

@d_logaan you just told me the problem... you are using an admin account for your day to day use. Create yourself a cloud-only account email address removed for privacy reasons. This doesn't need to be licensed. Give it a 32+ character password. Assign only the admin roles you need (not Global Admin). Create a browser profile in Edge or Chrome so you can easily switch to that account when required for admin tasks. Now create an emergency admin account (two even better)... with 64+ character passwords and save them in a password vault or similarly secure location. Only use those when you must have Global Admin rights to perform a task (this will not be very often).

Now remove any admin roles from your day to day account so that if you get compromised they can't hijack your entire tenant.

If you don't want to do that then go to https://myaccount.microsoft.com and register another couple of methods like SMS and Email.

Cheers =) 

PS - IMO it's becoming a no-brainer to go for Business Premium for up to 300 users, or an AD Premium add-on for more than 300. Having the granular control over these settings is worth it, and you get full Defender Antivirus, phishing and DLP protection etc.  Appreciate that may not fit your scenario for some reason.

The issue for me was having enabled self-service password reset. Once I reverted that setting I was able to function with that account again as normal @microc1 

I believe the problem was that there were not sufficient email/phone numbers listed for the account to enable self-service. 


The issue persists for me. I have self-service password reset on, the security defaults are off, and there is no conditional access policy. I have cleared out all cache on the browser along with site info. The loop is still there. I can do it until my heart's content. I have reviewed the user's logs and it keeps saying it will send the user the info to check upon next login. It continues to loop and the user cannot log in. Please assist on a resolution.

Thank you!

@nick242 for me the only way I found out was to disable self-service password resets. Have not identified what it is within that setting causing me the issue (loop).

Hello people. I got the same problem when I try to log in to my Azure account. I already changed the password but no changes, I still cannot get access.
I have read the advice but for most of it, it is required to log in in order to make some changes. I have no clue what to do.
We had a similar problem for technical users, prompting for setting mail or phone verification.

Our solution was to set "self service password resets" only for human accounts, which we handled by creating a specific group.
Thanks Thomo