SOLVED

All users receive "Your organization needs more information to keep your account secure" when logging on


All users receive "Your organization needs more information to keep your account secure" when logging on to the O365 web portal.

Users can select "skip for now (XX days until is required)" but it will finally require all users to provide it.

 

I will have some user accounts to use on some applications or devices which must log on without multi-factor authentication, and the password should never be changed.

I have checked on the multi-factor authentication page that the "MULTI-FACTOR AUTH STATUS" for all users is disabled. I also checked that "Self service password reset enabled" is set to "none".

I have no idea why all users still receive this message.
How can I disable this message and requirement to all user accounts?

 

Thank you.

 


10 Replies

@microc1 

 

It's almost certainly a Conditional Access Policy.

 

Is the "End user protection (Preview)" baseline enabled?

 

best response confirmed by microc1 (New Contributor)
Solution

Thank you for the hint.

 

Finally solved by:
Azure Active Directory > Properties
Manage security defaults
set Enable security defaults to No

@microc1 

 

CHECK THE SCREENSHOT BELOW. MAKE SURE YOU SEARCH FOR THE PROPERTIES.

IF YOU DIDN'T CREATE AN AZURE ACCOUNT, MAKE SURE YOU SIGN IN WITH YOUR ACCOUNT FACING THAT ISSUE.

THE SOLUTION IS TOTALLY FREE. DO NOT SIGN UP FOR ANY AZURE PLANS PROVIDED.

@microc1 Thanks for your support, this helped me to resolve the login problem for users in my organization. Kind Regards

Mankay-Sierra Leone West Africa

 
 
 
 

Azure Active Directory Setting.JPG

 
 

 

 

Instructions for setting up Self-Service Password Reset for companies using Azure Active Directory


Step 1 - Create a Security group in Office 365. To do this, go to https://portal.office.com and sign in with your Office 365 Global Administrator account > Select Admin Center.
Step 2 - On the left-Navigation pane, select Groups > Groups

Step 3 - Click on Add a Group. > Choose Security Group from the type drop-down > Give the group a name. Click Add.

Step 4 - Once the security group is created, navigate to the group and click Edit, next to members to add the user as the member of this security group.

Step 5 - Once you add the user as a member of the security group, then from the left navigation pane, expand Admin Centers and click on Azure Active Directory.

Step 6 - From Azure Active Directory Admin Center, choose Azure Active directory from the left menu.
Step 7 - From the Dashboard and option menu in the middle, click on Password Reset.
Step 8 - In the Password Reset properties page, choose Properties and select Selected to select a security group. You can also choose All if you want to enable SSPR for everyone.
Step 9 - Click on the group, then find the Select a Group desired security group from the list and click on select and then finally click on Save. Once saved, Self-Service Password Reset has been enabled for the users in the selected security group in your Office 365/Azure AD tenant, and you're done!
This answer saved my life, I no longer knew what else to do!!
Thanks a lot for the screen shot, I was having a hard time finding the exact location!

Just pointing out that MS put those defaults there for a reason. You are disabling many security features instead of finding a solution to your specific issue. Hackers are now able to password spray your Exchange Online using IMAP / POP3 etc, among other things. Here's how to do it without undermining the security of the tenant:
1. Add any external IPs of the locations they will send from to Trusted IPs under MFA settings. In most cases you would do this for all company owned office locations. https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
2. Set Password Reset Registration to No so that new users are not prompted to register.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/Registration
3. If you need to send SMTP email through Exchange Online (e.g. from a printer), create an account with exchange license to use for sending.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
4. Load Cloud Shell from top of the Azure Portal. Connect to Exchange:
Connect-EXOPSSession
5. Create an Authentication Policy:
New-AuthenticationPolicy -Name "Allow Basic Auth SMTP" -AllowBasicAuthSmtp
6. Assign the policy to the user:
Get-User user@domain.com | Set-User -AuthenticationPolicy "Allow Basic Auth SMTP"
7. Force policy to apply within 30 minutes:
Set-User user@domain.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

 

Reference:

https://www.howdoiuseacomputer.com/index.php/2021/09/16/do-not-disable-security-defaults/
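
A follow-up check for steps 5 and 6 in the post above, added here as an example and not part of the original post: it lists which basic-auth protocols each authentication policy allows and which accounts hold a policy, flagging any account that was not meant to have the exception. The function name `Get-BasicAuthException`, the `-ExpectedAccounts` parameter and the sample objects are assumptions made for illustration; against a live tenant the inputs would come from `Get-AuthenticationPolicy` and `Get-User`.

```powershell
# Added example: audit Exchange Online basic-auth exceptions.
# The sample objects at the bottom are constructed. In a connected session, use:
#   $policies = Get-AuthenticationPolicy
#   $users    = Get-User -ResultSize Unlimited
function Get-BasicAuthException {   # hypothetical helper name
    param(
        [object[]]$Policies,          # output of Get-AuthenticationPolicy
        [object[]]$Users,             # output of Get-User
        [string[]]$ExpectedAccounts   # accounts that are supposed to hold an exception
    )

    # For each policy, list the AllowBasicAuth* switches that are turned on.
    foreach ($p in $Policies) {
        $allowed = $p.PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
            ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
        [pscustomobject]@{
            Kind     = 'Policy'
            Name     = $p.Name
            Detail   = if ($allowed) { $allowed -join ',' } else { '(none)' }
            Expected = $null
        }
    }

    # Every user with an explicitly assigned policy; flag those not on the expected list.
    foreach ($u in $Users | Where-Object { $_.AuthenticationPolicy }) {
        [pscustomobject]@{
            Kind     = 'User'
            Name     = $u.UserPrincipalName
            Detail   = [string]$u.AuthenticationPolicy
            Expected = $ExpectedAccounts -contains $u.UserPrincipalName
        }
    }
}

# Constructed sample data mirroring steps 5 and 6 (other@ and staff@ are made up).
$policies = @(
    [pscustomobject]@{ Name = 'Allow Basic Auth SMTP'; AllowBasicAuthSmtp = $true
                       AllowBasicAuthImap = $false; AllowBasicAuthPop = $false }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'user@domain.com';  AuthenticationPolicy = 'Allow Basic Auth SMTP' }
    [pscustomobject]@{ UserPrincipalName = 'other@domain.com'; AuthenticationPolicy = 'Allow Basic Auth SMTP' }
    [pscustomobject]@{ UserPrincipalName = 'staff@domain.com'; AuthenticationPolicy = $null }
)

Get-BasicAuthException -Policies $policies -Users $users -ExpectedAccounts 'user@domain.com' |
    Format-Table -AutoSize
```

With the sample data, `other@domain.com` is reported with `Expected` set to `False`, which is the case to investigate: an account carrying the SMTP basic-auth exception that nobody intended to give it.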

Thanks, SimBur! I had the issue today, because I thought I'd do my client a favor and enable self password reset, but this seemed to be a side-effect. Really didn't want to disable security defaults, so your post was perfect (I used the link under your #2). It is odd how, by default, they REQUIRE all users to set up authentication methods on first sign-in if self-password reset is enabled, rather than just leave it optional. And then they let that page be buggy. :\