SSPR registration enforcement with Combined Registration Enabled


Hi,

We have the Combined Registration for MFA and SSPR enabled as described here,

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr... and now we would like to enforce SSPR & MFA registration through the SSPR setting (in AAD under Password reset | Registration) Require users to register when signing in.

However this same page states "SSPR registration enforced: Users are asked to register during sign-in. They register only SSPR methods.", which confuses me. If you have enabled a combined registration experience I want to believe that regardless of how the registration is enforced the authentication methods registered by the user will be valid for both MFA & SSPR.
Can anyone positively confirm that with Combined Registration enabled AND SSPR Registration enforcement, the authentication methods registered can also be used for MFA?

Thanks!
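One way to answer this empirically in your own tenant, as an added example that is not part of the thread: query the Microsoft Graph authentication-methods registration report, which records per user whether they are registered and capable for SSPR and for MFA, and which methods they hold. It assumes the Microsoft.Graph.Reports PowerShell module is installed and that the signed-in account can consent to the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes.

```powershell
# Added example (not from the thread). Assumes Microsoft.Graph.Reports is installed
# and the account can consent to the two report scopes below.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# Pull the registration details for every user; -All follows the paging for you.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# If combined registration is doing its job, users who finished SSPR registration
# should also be MFA-capable, so this set is the one to watch.
$ssprOnly = @($details | Where-Object { $_.IsSsprRegistered -and -not $_.IsMfaCapable })

# Users with nothing registered at all: the population a registration policy targets.
$unregistered = @($details | Where-Object { -not $_.IsSsprRegistered -and -not $_.IsMfaRegistered })

$details |
    Select-Object UserPrincipalName, IsSsprRegistered, IsSsprCapable, IsMfaRegistered, IsMfaCapable,
        @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsMfaCapable, UserPrincipalName |
    Format-Table -AutoSize

'{0} user(s) registered for SSPR but not MFA-capable' -f $ssprOnly.Count
'{0} user(s) with no registered method at all' -f $unregistered.Count
```

Run it before and after switching on the registration enforcement and compare the two counts: a non-empty SSPR-only set after users have been through the combined experience is the signal that the registered methods are not counting towards MFA.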

3 Replies
I was not aware of this selection. We usually force registration of all users with portal.azure.com > Azure Active Directory > Password > Registration. However, that is all or nothing.

We also often use Conditional Access and only require MFA in certain scenarios (like external access), which will kick off the combined MFA/SSPR registration. This can be applied to a group so you only force a few users at a time.

But would be interesting to see if this works since then you can really stage registration for a few users at a time.

We have tested the registration enforcement through the MFA Registration Policy in Azure AD, under Security -> Identity Protection -> MFA Registration, and that works really well. You can target it at specific users via AAD groups. The only issue for us is that by default it gives users only 14 days to register; after that they cannot skip it anymore and are forced to do it.
The old SSPR registration enforcement actually allowed people to continue to skip the registration indefinitely, something we actually want.
I agree, the MFA Registration works well too; just note that you need Azure AD Premium P2 for this.