Cool enhancements to the Azure AD combined MFA and password reset registration experience
Published Feb 21 2019 09:00 AM 68.9K Views

Howdy folks!

Today, I am excited to announce a set of fantastic enhancements—based on your feedback—to the public preview of our combined registration experience for Multi-Factor Authentication (MFA) and self-service password reset (SSPR). This new registration experience enables users to register for MFA and SSPR in a single, step-by-step process. When you deploy the preview experience for your organization, users can register in less time and with fewer hassles. In addition, the new My Profile experience provides users with a more streamlined and easier-to-navigate experience for reviewing and updating their profile info.

Keep reading to learn more about these enhancements!

Streamlined registration experience

Since we released the combined registration public preview, we received a lot of great feedback from our customers on how to make this experience even better for their users. One of the most common pieces of feedback we received was that the registration experience needs to be even easier, especially on mobile devices. To address this, we streamlined the experience so that users can simply click through each step to register their security info.

Now when users are required to register while signing in, they’ll see the following experience:

Enhanced step-by-step registration experience.

Once a user completes registration, they’ll see an overview of what they registered to confirm the information is correct, and then they’re back to work!

Overview of the security info set up by the user.

To learn more about the enhanced security info registration experience, check out our admin documentation and user documentation.

New My Profile experience
When you enable the enhanced security info registration experience for your users, they’ll also have the new My Profile experience, now in public preview. My Profile is the central location where users manage their identity, including security info, devices, and more.

The new My Profile experience.

From the Security info page, users can easily change their phone number or choose a different default method. From here they can also add, delete, or change a method.

Manage security info.

To learn more about the new My Profile experience, check out our documentation.


Try it out!
To enable the enhanced security info registration experience and the new My Profile experience for your users, follow these steps:

  • Sign in to the Azure portal as a global administrator or user administrator.
  • Browse to Azure Active Directory > User settings > Manage settings for access panel preview features.
  • Under "Users can use the preview features for registering and managing security info – refresh", choose to enable the experience for a Selected group of users or for All users.

    Enable the enhanced security info registration experience.

Users who are enabled for the old security info registration experience will continue to see that experience until you enable them for the refreshed experience. This means that if you have enabled the non-refreshed experience, you still have the ability to enable and disable that experience. If a user is enabled for both the old experience and the enhanced experience, they will see the enhanced experience.


As we move forward, we will continue to make improvements and fixes in the enhanced registration experience. If your users are using the old experience, we recommend moving them to the enhanced experience as soon as possible so that they have access to the latest updates.


Please submit your ideas to our feedback forum and we will review and respond to them. You can also let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.

Best Regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

141 Comments
Brass Contributor

I have two questions about this enhancement.

1. When will this new feature be deployed to all tenants officially? If you have a schedule (even a tentative, not fixed plan), please let me know.

2. Is it possible for a tenant administrator to disable this new feature and keep using the old-style authentication registration panel?

It's important, because we have a plan to enforce MFA for all our users, and currently we are preparing for that, for example by making user manuals with lots of screenshots.

Copper Contributor

Hi everyone,

I am also working on enabling MFA + SSPR for about 10.000 users. The "old" converged experience didn't translate security questions to the browser's locale, so we skipped that version. The new experience looks even better (already available on all tenants I've checked); it looks like you've done a very good job. :)

Unfortunately, it seems to be in English only at the moment. Is there any roadmap for localized versions? That would help us very much for the project.

I'd really prefer using the converged experience instead of the split version, but those are deal breakers since not all users speak English. :\

BR

Chris

Iron Contributor

Does this feature depend on a particular version of Office 365?

Is there a dependency on Azure Premium, for example?

Copper Contributor

Hi everyone

We were looking to include / allow the office phone as a method for MFA.

Background: not everybody possesses a corporate mobile phone, some are hesitant to disclose their private mobile number, and some also don't want to use the app, as this requires Intune enrollment.

Also, for employees who never have to access their O365 account from outside the corporate WAN, this would give them an option to "occupy" the second factor and shut password phishers / attackers out.

In our tenant I realized the office phone number carries over from AAD, but it cannot be used as a second factor. Are there any plans to allow that? Is it a limitation of the preview version?

Deleted
Not applicable

Great improvement, much clearer, and I do like the emphasis on the Authenticator app here. I noticed, though, whilst playing with a test account that if I chose not to use Authenticator, and used, say, SMS and email verification, when I next log in it gives an error and presents a list of all options to choose from to verify login, even though some are not relevant (i.e. Authenticator).

I can then get in with SMS, for example, but the option to set a default authentication method is not available when I look at "Security Info". If I add the Authenticator app, the default option turns up, with Authenticator as the default, which I can then change if I want to.

Hi, what to do when a particular user receives the message "Oops, it looks like your administrator hasn't enabled this experience for you. Please choose "Continue" to view your profile."? Because we enabled both experiences for "All" users in the tenant. Also, when the user clicks "Continue" he is redirected to the AAD My Profile page and from there back to this. And he cannot access or change the registered methods even in the old experience, because it redirects him to the new one.

And one piece of feedback, maybe @Alex Simons (AZURE): you should talk with the Office 365 team and make a single wording for each "profile" and "account" link. Because once "account" takes you to Delve, "profile" to an AAD page, "account" once to Office 365 setup, "profile" to a different AAD page. Really confusing for users. But definitely great progress to a better experience with MFA/SSPR with these efforts. I hope to soon try FIDO2 natively in AAD and Windows 10.

PS: When the admin resets MFA for a user and the user goes to the portal, it fails completely.

(Screenshot: Error_SSPR_MFA.png)

Microsoft

@TakuyaHirose 

  1. Are you asking when this will no longer be opt-in and be the default experience for all tenants? 
  2. Yes, this is an opt-in experience right now, so you only need to use it if you choose to enable it.

Feel free to shoot me a direct message and we can discuss further. Thanks!

Microsoft

@ChristianMueller the experience should localize depending on your browser locale. If that's not the case for you, please send me a direct message and we'll look into it. Thanks!

Microsoft

@Chris Yue no, there aren't any dependencies on an O365 version. The licensing requirements are not around registration but the features themselves. MFA and SSPR have specific licensing requirements and if you meet those, your users can register security information. Feel free to shoot me a direct message if you'd like to discuss further. 

Microsoft

@Markus Strickler Office phone can be used for MFA if you have phone call enabled as an MFA method. Feel free to shoot me a message and I'm happy to dig into this further with you. 

Microsoft

@Deleted it sounds like you may have found a bug. I will look into this with my team right away and reach out if we need more details. 

Microsoft

@Petr Vlk it sounds like you may have found a bug. Can you send me a direct message with more details and my team and I will look into it?

I also understand and agree with your concerns around confusion with profile/account pages. We're working on making this simpler for users - keep an eye out for future improvements!

Copper Contributor

We have been testing the enrollment of MFA and SSPR and ran into an issue we were hoping you could help with.

When using the preview of the converged MFA/SSPR enrollment (and now "enhanced security info registration experience") during setup, we noticed that if you select to use the Authenticator app you are never required to add an alternate SMS number to be used in the event you lose the Authenticator app. (The process exists in the current “non-converged” release and can be seen during the enrollment of MFA.)

  • Any plans to add the backup “Recovery” method during enrollment of the authenticator app?
  • Is there a plan to allow users to enroll in more than one MFA option at time of enrollment?

Microsoft

@Pete Snell great question! We've moved away from the backup phone number, but we're working on giving admins more control around which methods a user is required to register and how many. Those controls will allow you to require a phone number in addition to the Microsoft Authenticator app. 

Copper Contributor

@Sadie Henry Thanks for the quick reply. Are the controls that would allow me to require a phone number in addition to the Authenticator app during enrollment available today, or is this on the road map?

I can somewhat require more than one method during enrollment by playing with the SSPR methods, but doing this would make users have to use two methods for resetting a password (which oftentimes would be the same device if talking about the Authenticator app and SMS).

Microsoft

@Pete Snell they're not available today but we are working on it. And yes, requiring two methods for SSPR is a great way to do this!

Copper Contributor

@Petr Vlk we had a user that received the "oops...." message. He was using Firefox. I had him open the link in Edge (which also required him to enter his credentials vs cached) and it worked as expected. HTH, Neale

@neale360: Hi, this user is using Google Chrome as primary, but we also instructed him to try Edge, without success. We tried adding the sites as Trusted as recommended by Microsoft. But it's a little bit unfortunate, as this should be easily available not only to COPE/COSU but also to BYOD devices, which do not have such settings or sometimes use third-party browsers. We sometimes hear that Conditional Access policies also work only for some browsers, but this is a different story.

Copper Contributor

When opening aka.ms/setupsecurityinfo directly from a Mobile Safari (iOS 12.1.4), the session times out after +/- 10 seconds. (Your session has timed out). Clicking 'Sign in' on that timeout message doesn't take me back in, but shows the 'Oops, it looks like your Administrator hasn't enabled this experience for you...' warning bar, then takes me to the old experience - even if I was on the new experience just seconds ago?

Microsoft

@neale360/@Petr Vlk/@Markus Strickler - thanks for alerting us to this. We are looking into these issues now.

Copper Contributor

Good stuff, I've had some positive comments from customers that had been testing out preview #1 of this capability. It's also great to see a preview of using the Microsoft Authenticator app as an auth method for SSPR given how popular that method is for MFA.

As is often the case with previews, however, I'm finding that some customers are now holding off on deploying SSPR as this new experience may be just around the corner - do we have an ETA on GA?

Microsoft

@Ben Athawes, that's great to hear! I'm glad customers are liking the new experience. I don't have a GA date that I can share at this point but feel free to reach out to me directly and we can discuss further. 

Copper Contributor

Great upgrade! Far more user friendly.
Only one little bug:
When a user opens an Office app (Outlook) and needs to register for MFA and SSPR in the new registration experience, the browser kiosk window is square, but the wizard is rectangular.

Because of this, the Next buttons aren't visible without scrolling to the right side or manually making the window bigger.

Microsoft

@Lennard Kuijten glad to hear it! We will look into the browser kiosk issue right away. Thanks for alerting us!

Copper Contributor

We find the new onboarding process a big improvement. I see others have reported that a localized version is not available, and can confirm that the English UI is displayed on browsers with the Norwegian language set. We are onboarding a lot of new users in the next weeks and would like to use the new experience, but have to opt out due to the missing localized version.

When will localized versions be available?

Regards

Geir

Microsoft

Hi Geir - the pages are localized but we respect localization settings in the browser in a specific order. Can you send me a direct message and we can look into what's going on with your users?

Copper Contributor

Will it be possible to turn off the "I want to use a different authenticator app" option displayed on the "Keep your account secure" screen? A couple of clients have asked me about this because they'd like to drive adoption of the Microsoft Authenticator app.

Microsoft

Ben - that option is shown if Mobile app code is enabled since you can register any OATH-capable authenticator app using the QR code. However, I'll look into the possibility of removing that link. Thank you for the feedback!

Hi @Sadie Henry - any chance of adding the ability to press Enter on the keyboard and have this move on to the next step? The current experience of the refreshed refresh! is that you need to click Next to move on.

Same for the telephone number STD codes - you have to use a mouse; you cannot just type and have the correct value selected. For example, for the UK, +44, I need to scroll down (even though the user I am logged in with is "region GB in Azure AD", it defaults to +1 for the USA for the STD phone code and I cannot just type +44). Ideally, default to the STD code region for the user, please.

Microsoft

Hi Brian - yes, we will be adding the ability to navigate through the experience with tab/enter. We are also adding country names to the country code drop down to help with easier navigation. We don't have plans to default to a code based on your locale, but I will look into this. Thanks for your feedback!

Brass Contributor

Is there any plan in the future to include MFA feature parity in GCC High? We leverage two environments at my company, and these features would be great for our GCC High setup, which it looks like isn't supported for MFA.

Copper Contributor

We are experiencing several users that are being prompted to "provide additional information" who had already set up their MFA via this same link less than 2 weeks ago. What's going on that they need to go through the setup again? Most had opted for the authenticator app the first time around, and even though they still have it active, it will not accept the "Approve" link. They are having to select the phone option (calls and enter #), but I just had one this morning that had configured the call with #. They were forced to set up the same method again (call #).

Please advise...

@Sadie Henry - are the questions and answers for password reset coming to this new experience, or should that be turned on under the self-service password reset options?

Microsoft

@bbhorrigan I'm not sure on bringing MFA capabilities to GCC High but I will look into it.

@neale360 can you send me a direct message with more details? It would be great to understand what your MFA and SSPR policies are.

@Brian Reid yes - SQSA is part of the new experience and is enabled through SSPR. However, if you're testing with an admin account, you won't have access to SQSA since they're not available for admins.

Brass Contributor

Hi @Sadie Henry,

just yesterday I went and enabled this new experience. It worked great for the first user I tested. Now today, it's stopped working for every other user we test. Instead of getting the screen that is shown in the first picture in this post, we now get the following screen. I have also included a picture of how the settings are configured in Azure AD (note I've tried both settings and neither produces the correct result). I'd appreciate any help you can give us as we are looking to roll this out to about 100 of our users as soon as this is resolved. Thanks!

(Screenshots: MFA Error.png, mfa settings.png)


Microsoft

@ITPro44 can you send me a direct message with more details? we'll look into this :)

Copper Contributor

@Sadie Henry With the current approach, we were able to have the users leverage ONLY the Authenticator challenge codes, no app notifications.  Now, it looks like the new preview forces the user to use App notifications instead of the OTP challenge code?  Unless they change it to use a different authenticator app?

Copper Contributor

@Sadie Henry When we turned this feature on for a larger group, we had multiple reports of "An unexpected error has occurred" which prevented individuals from viewing or adding registration methods.  We have now limited the feature to just a handful of users and can reproduce the error whenever we use the Safari browser.   Any suggestions?   Should we just wait it out a bit more?

Copper Contributor

@Sadie Henry Thanks for this great improvement, we have just one little side note.

The localized experience NL / Dutch for us still gives us one line of text in English (see screenshot).

Hopefully you can fix that, thanks in advance.

(Screenshot: SSPR_NL_VS_ENG.png)

Steel Contributor

We have enabled the new public preview (the refresh) for All users now instead of just a group and are producing Quickstart/step-by-step instructions for our users.

@Sadie Henry 1. Is the plan to keep https://aka.ms/setupsecurityinfo, or should we rather direct all users to https://myprofile.microsoft.com and then clicking Security info? 2. Is the plan to change so that clicking your profile picture/avatar in the top right > My account will get you to this new portal as well once we go GA?

Just so we get our instructions correct now and also change them once it goes GA.

Microsoft

@Andy-H when the user registers with notification, they also register for code. We streamlined the experience (based on feedback and usability testing) to register via notification since it's the easiest option.

@Matthew Adkins can you shoot me a direct message? I'd like to get a trace of the issue if possible.

@niels haaijer thanks for letting me know! We'll fix this :)

Microsoft

@Jonas Back You can direct users to any of those areas and they will be redirected if needed. They can also go directly to aka.ms/mysecurityinfo.

Thanks!

Sadie

Copper Contributor

@Sadie Henry Thanks Sadie. Was a bit alarmed at first, as we explicitly chose just 'Verification code from mobile app or hardware token.' And this behavior differed from the original/current experience.

Microsoft

@Andy-H do you have notifications enabled anywhere else? For SSPR? If not, then they shouldn't be able to register with notification. 

Copper Contributor

@Sadie Henry We don't have SSPR enabled.  And don't have notifications enabled elsewhere.  Just the verification code.

Microsoft

@Andy-H ok please shoot me a DM and we'll look into it. 

Copper Contributor

@Sadie Henry We enabled this combined SSPR signup for all users and have the Password Reset functionality limited to a user group to limit the audience, and so far it works quite well.

We have run into the same issue as @Petr Vlk with the ‘An unexpected error has occurred’ page being displayed to any user using IE11 with protected mode in IE disabled (someone decided that we should trust *.microsoft.com instead of just specific sub-sites...). Enabling protected mode on trusted sites (for testing) or removing microsoft.com from the trusted sites list resolved the issue.

(Screenshot: image001.png)

I should mention that it does work well on Chrome, Firefox, Edge or IE in Private mode though.

Copper Contributor

Is there a way to control first time MFA registration with conditional access with this new functionality?  Specifically, we'd like to limit MFA first time signup to only users on Trusted Networks.  

Microsoft

@Mark Corneglio not yet, but we're working on it!

Steel Contributor

@Sadie Henry Here are some small bugs I'll try to explain.

In this testing I just did, it was on Windows 10 1809 and Chrome (73.0.3683.103) 64-bit, but I see the same behavior on Edge. We are using Azure AD Connect with PHS and SSO and have everything properly set up on the clients, since SSO in general works for all Office 365 workloads. These are also test users which I use to go back and forth between MFA methods, so this might complicate the scenarios.

I agree these are all small bugs, but all of them add up to the general experience of the new MFA setup which we are trying to sell to the customers, and we really want to use the new experience since it's so much better and user friendly in general.

1. I often direct my users to aka.ms/setupsecurityinfo and sometimes you don't get SSO but instead reach a login page. But the next time they try, they get SSO. Sure, it works if they log in, but still, it would be nice with consistent behavior.

(Screenshot: setupsecurityinfo.png)

2. We also see some strange behaviours in general adding/removing methods during our testing.

For example, one of my test users did not have MFA set up according to PowerShell:

(Screenshot: mfa-nomethods.png)

But still, aka.ms/setupsecurityinfo showed Phone and the mobile number. I then added the Microsoft Authenticator app and it gets added to the list. The Phone is still there but I can't choose it as a default method:

(Screenshot: mfamethod_missing.png)

Also PowerShell shows only two methods available:

(Screenshot: method_missing2.png)

I suspect this has something to do with confirming the phone number. But how do I confirm it? I had to press "Change" but leave the number as-is (since it was correct) and then Next to confirm it. After that I could choose it as the default method and it's also showing up in PowerShell.

3. Also, notice the small bug when I added the Microsoft Authenticator. It's listed twice initially... Reloading the page next time removed the invalid one without a name. I only have one Authenticator installed on one phone.

(Screenshot: mfamethod_missing-duplicate.png)

4. I then deleted all methods:

(Screenshot: mfamethod_deleted.png)

But still, PowerShell showed methods:

(Screenshot: method_missing2.png)

I tried to log in externally and I get an error message:

(Screenshot: mfa-error.png)

Pressing the two choices for the app does nothing, but I could send a text message.

5. We have also noticed that when successfully scanning the QR code for adding, the spinning wheel just stays there forever. Forcing the Authenticator app to check for notifications says "No notifications found". This forces the user to abort and restart the process, and this time it might work. Don't know if this is something temporary right now during my testing, but it would be great with some kind of "timeout" here, and if the wizard fails, instruct the user what to do.

(Screenshot: mfa-forever.png)
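The comment above compares what the portal shows with what PowerShell reports for a user's registered methods. The script below is an added example (not from the post, not Microsoft's code) of how an admin can pull that same data for every user with the MSOnline module and flag accounts that have nothing registered, or only SMS/voice methods, before enforcing MFA. It assumes the MSOnline module is installed and Connect-MsolService has already been run with an admin account; the function name, the report columns and the list of "weak" method types are this example's own choices, and the MethodType strings are the values the MSOnline module returns for those methods.

```powershell
# Added example: audit Azure MFA registration state via the MSOnline module.
# Assumes `Install-Module MSOnline` and `Connect-MsolService` have already been run.
# Get-MsolUser exposes StrongAuthenticationMethods, each with MethodType and IsDefault.

function Get-MfaRegistrationReport {
    [CmdletBinding()]
    param(
        # Optional list of UPNs; when omitted, every user in the tenant is checked.
        [string[]]$UserPrincipalName,

        # Method types treated as weak for the OnlyWeakMethods flag (this example's choice:
        # SMS and voice are phishable/SIM-swap prone compared to the Authenticator app).
        [string[]]$WeakMethods = @(
            'OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice', 'TwoWayVoiceAlternateMobile'
        )
    )

    $users = if ($UserPrincipalName) {
        $UserPrincipalName | ForEach-Object { Get-MsolUser -UserPrincipalName $_ }
    } else {
        Get-MsolUser -All
    }

    foreach ($u in $users) {
        $methods = @($u.StrongAuthenticationMethods)
        $types   = @($methods | ForEach-Object { $_.MethodType })
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

        # Strong = at least one method that is not in the weak list.
        $hasStrong = [bool]($types | Where-Object { $_ -notin $WeakMethods })

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Methods           = ($types -join ', ')
            DefaultMethod     = $default
            NoMethods         = ($types.Count -eq 0)
            OnlyWeakMethods   = ($types.Count -gt 0) -and (-not $hasStrong)
        }
    }
}

# Usage: show who still has nothing registered, then keep the full report for review.
$report = Get-MfaRegistrationReport
$report | Where-Object { $_.NoMethods } | Select-Object UserPrincipalName
$report | Where-Object { $_.OnlyWeakMethods } | Select-Object UserPrincipalName, Methods
$report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
```

Running the report before and after a user registers through the new experience is a quick way to confirm that what the Security info page shows matches what the directory actually holds, which is the mismatch the comment describes.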

Version history
Last update: Jul 24 2020 01:44 AM