SOLVED

CA template - Securing Security info registration

Brass Contributor

Can someone please explain to me how this template secures the process of registering my users' security info?

It requires MFA if they are not on a trusted location. OK, I get that bit, but if the user has not set up MFA they get asked to register. I tested this yesterday on my personal home computer by logging in to our company SharePoint, and I was asked to give more information and got taken to the place to set up authentication methods.

A user with bad intent that somehow obtained a username and password for one of my users would see the same.

I have seen another variation of this where the grant controls were set to block outside trusted networks, but obviously that stops users from registering MFA when outside the company. That's not good for us either.

 

2 Replies
Hi @RippieUK,

You would indeed require an MFA setup from a trusted location for security reasons, and I agree with this. However, since we are in a scenario where working from home is the standard, it's almost impossible to configure this Conditional Access Policy. Still, I would recommend using this method. You should provide your users with the possibility to register from a trusted location; think of delivering registration from a VDI environment, a VPN connection, etc.

You've already mentioned that a user with bad intentions can do the same as what the user could. Pre-populating an MFA method is also possible; there are several methods available to achieve this:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata

https://identity-man.eu/2020/07/08/pre-configure-authentication-methods-for-end-users-in-azure-ad/

Good luck!
best response confirmed by RippieUK (Brass Contributor)
Solution
So I think we have got it sorted: we enabled "Users can use the combined security information registration experience", and then the securing register security info CA policy now blocks people and they have to use a temporary access password to continue.

So I am all good now :)
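For readers who want to reproduce the setup described in the accepted answer, here is the same policy expressed as a Microsoft Graph conditionalAccessPolicy created with the Microsoft Graph PowerShell SDK, followed by issuance of a Temporary Access Pass (TAP, the "temporary access password" referred to above) for a new user. This is an added example, not code from the thread or from Microsoft; the group ID and user principal name are placeholders, and it assumes the TAP method is already enabled in the tenant's Authentication methods policy. The policy targets the registration user action rather than an application, so a password-only sign-in from outside a trusted location cannot satisfy the MFA grant and is blocked; a TAP counts as a strong credential, so a user signing in with one satisfies the grant and can register their methods.

```powershell
# Added example (not from the thread): "Securing security info registration"
# as a Graph conditionalAccessPolicy, plus a one-time Temporary Access Pass.
# Assumptions: placeholder IDs below; TAP already enabled in the tenant's
# Authentication methods policy; the caller has the listed Graph permissions.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", `
                        "Policy.Read.All", `
                        "UserAuthenticationMethod.ReadWrite.All"

$breakGlassGroupId = "<GUID of your emergency-access group>"   # placeholder

$policy = @{
    displayName = "Securing security info registration"
    # Start in report-only: sign-in logs then show who WOULD be blocked
    # before you switch the state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out break-glass
        }
        applications = @{
            # Target the combined registration user action, not an app.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")      # trusted named locations
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                  # require MFA to register
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Onboarding: issue a single-use TAP valid for one hour. The user signs in
# with it, satisfies the MFA grant above, registers Authenticator/FIDO2,
# and the pass is then spent.
$newUser = "new.starter@contoso.example"   # placeholder UPN
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $newUser -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
# Deliver $tap.TemporaryAccessPass out of band (phone call, in person, or a
# manager), not to a mailbox that a password-only attacker might already read.
"TAP for $newUser expires at $($tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes))"
```

Keep the policy in report-only mode for a few days and review the Conditional Access report-only results in the sign-in logs; the entries you want to see are registration attempts from untrusted networks by accounts that have no registered method, since those are exactly the sign-ins that a stolen password alone would otherwise be able to complete.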