SSPR - Disable Phone Call authentication method (SMS ONLY)


Hi folks!

I'm working with a big client where we are rolling out the SSPR combined experience, and in a few weeks we are planning to enforce registration with a minimum of 2 authentication methods (APP and Phone).

In the MFA settings we are able to disable phone call as an authentication method.
But when using SSPR this option is no longer viable.

We have been in contact with Microsoft and got the reply that this feature can't be disabled for SSPR, only for MFA, and that this is by design.

We are worried about the potential security threat in that a redirection/forward of a phone number to an imposter phone number could be a way in to our environment.

Does anyone have any idea of how to
* disable phone calls when authenticating against the SSPR feature (but keep SMS)
* what's your take or thoughts on the potential risk/threat of someone forwarding phone calls through the user's phone operator?

Thank you for your help!

Kind regards Johan

1 Reply

Hello @JBergqvist!

I can't really see a way to block phone calls but keep SMS since, like Microsoft said, this is by design.

I would suggest that you remove the Phonecall/SMS as a method and just use the app/Verification code as a method.

Or maybe poke around in Conditional Access policies to see if it's possible to control it from there.

Spoofing/forwarding numbers is a big issue really, but hard to protect against.

One security setting we've done is to only allow SSPR and MFA registration from inside our country, this to avoid spoofed/forwarded numbers etc.

Hope this helps.

Kind Regards
Oliwer Sjöberg
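
The country restriction on SSPR/MFA registration mentioned in the reply above can be expressed as a Conditional Access policy on the "Register security information" user action. This is an added example using the Microsoft Graph PowerShell SDK, not part of the original thread; the country code, display names and excluded account ID are placeholders, and the policy is created in report-only mode.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Assumption: 'SE' is a placeholder ISO 3166-1 alpha-2 code; list your own countries.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries for security info registration'
    countriesAndRegions               = @('SE')
    # Sign-ins whose country cannot be resolved are NOT treated as allowed.
    includeUnknownCountriesAndRegions = $false
}

# Assumption: placeholder object ID of an emergency-access account.
# Replace it with a real ID before running, so a location mistake cannot lock everyone out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Block security info registration outside allowed countries'
    # Report-only first: review the sign-in logs, then switch to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        # Targets the combined SSPR/MFA registration user action, not a cloud app.
        applications = @{
            includeUserActions = @('urn:user:registersecurityinfo')
        }
        # Everywhere except the allowed named location is in scope for the block.
        locations = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

This policy governs where users can register or change their authentication methods; it does not change which methods (phone call, SMS, app) are offered during the password reset itself.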