Combined SSPR/MFA registration and the least disruptive way to go from one recovery method to two


Have you seen the Combined Registration for SSPR/MFA? It's really quite lovely. My favorite thing about it is you can have the registration wizard prompt the user to download and configure the Microsoft Authenticator App as their default MFA method!


The old MFA registration defaults to SMS and you have to somehow convince users to dig through their account settings to set up the auth app. Many of our folks didn't do it and lost access when they traveled overseas where SMS was not available/turned off. 


There's one sticky little issue... 

In order to use Microsoft Authenticator as an SSPR recovery method you must require two recovery methods in your tenant. We've already got 6500 users, in dozens of countries, speaking several languages using SSPR with one recovery method. When I update our tenant to require two methods, none of the users with one method can reset/recover their accounts until they've registered a second method. Instead, when they click forgot password and enter the captcha they get an error screen that says, 'You can't reset your own password because the password reset isn't turned on for your account.'


We’ve been spit-balling ideas from just letting it break (they can work with their office IT admins when it does), to doing a campaign to populate two methods before the MFA campaign, to populating a second recovery method with dummy data (an unmonitored email account or phone number). We don’t really like anything we’ve thought of yet. Have you run into this? Were you able to come up with a non-intrusive solution?

0 Replies
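Before flipping the tenant from one required SSPR method to two, the practical check is to size the population that would be locked out: everyone who is SSPR-registered today but has only one method the reset flow can use. The script below is an added example, not code from the original post or from Microsoft. It assumes the column shapes returned by the Microsoft Graph user registration details report (`Get-MgReportAuthenticationMethodUserRegistrationDetail` from the Microsoft.Graph.Reports module, which needs `AuditLog.Read.All` and `UserAuthenticationMethod.Read.All`), and it assumes a mapping from that report's method names to the methods SSPR can consume; in particular it treats Authenticator push and the Authenticator one-time code as a single registered method, since they are the same device rather than two independent recovery channels. Adjust the map to match the methods your SSPR policy actually enables. The sample rows are constructed so the script runs offline.

```powershell
# Added example (not from the original post): size the "one SSPR method only" population
# before the tenant policy is changed to require two methods.
#
# In a real tenant, replace the constructed $rows below with the report itself:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All'
#   $rows = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
# The property names used here (UserPrincipalName, MethodsRegistered) match that cmdlet's output.

# Assumption: report method names that the SSPR reset flow can use, mapped to a
# canonical SSPR method. Push and one-time code from the Authenticator app collapse
# into one entry because they are one registered device, not two recovery methods.
# Methods such as fido2SecurityKey or windowsHelloForBusiness are MFA-only and are ignored.
$SsprMethodMap = @{
    'email'                      = 'email'
    'mobilePhone'                = 'mobilePhone'
    'alternateMobilePhone'       = 'alternateMobilePhone'
    'officePhone'                = 'officePhone'
    'securityQuestion'           = 'securityQuestion'
    'microsoftAuthenticatorPush' = 'authenticatorApp'
    'softwareOneTimePasscode'    = 'authenticatorApp'
}

function Get-SsprReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $RequiredMethods = 2          # the value you are about to set in the tenant
    )
    foreach ($row in $Rows) {
        # Keep only SSPR-usable methods, canonicalise, and de-duplicate.
        $usable = @($row.MethodsRegistered |
            Where-Object  { $SsprMethodMap.ContainsKey($_) } |
            ForEach-Object { $SsprMethodMap[$_] } |
            Sort-Object -Unique)

        [pscustomobject]@{
            UserPrincipalName = $row.UserPrincipalName
            SsprMethods       = ($usable -join ',')
            MethodCount       = $usable.Count
            # Registered for SSPR today, but would hit the "password reset isn't turned on"
            # screen the moment the tenant requires $RequiredMethods methods.
            NeedsSecondMethod = ($usable.Count -gt 0 -and $usable.Count -lt $RequiredMethods)
            # No SSPR-usable method at all (MFA-only registrations land here).
            NotSsprRegistered = ($usable.Count -eq 0)
        }
    }
}

# Constructed sample rows shaped like the Graph report output; not real users.
$rows = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; MethodsRegistered = @('mobilePhone') }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   MethodsRegistered = @('email', 'mobilePhone') }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; MethodsRegistered = @('microsoftAuthenticatorPush', 'softwareOneTimePasscode') }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  MethodsRegistered = @('fido2SecurityKey') }
    [pscustomobject]@{ UserPrincipalName = 'erin@contoso.example';  MethodsRegistered = @('securityQuestion', 'officePhone') }
)

$report = Get-SsprReadiness -Rows $rows -RequiredMethods 2
$report | Format-Table -AutoSize

# Campaign list: users who will break on the policy change and what they already have,
# so the nudge can say "add an email" rather than "add something".
$report | Where-Object NeedsSecondMethod |
    Select-Object UserPrincipalName, SsprMethods |
    Export-Csv -NoTypeInformation -Path .\needs-second-method.csv
```

With the sample data, alice (phone only) and carol (Authenticator only, counted once) land on the campaign list, bob and erin already satisfy two methods, and dave shows up as not SSPR-registered at all because a FIDO2 key is not an SSPR method. Running the same function against the live report gives the count that decides whether a pre-registration campaign is worth it or whether the "let it break and route to local IT" option is tolerable for the remaining users.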