self service password reset - restrict access


The SSPR Deployment Plan (aka.ms/deploymentplans) has cases for the SSPR portal being accessible from within and outside the corporate network (with an option for corporate and personal devices). This suggests conditional access or similar is available for SSPR, but there is no obvious cloud app or setting to configure against.

Can anyone advise if access to the SSPR portal (I assume this is the reset at https://aka.ms/sspr) can be restricted, e.g. based upon devices, named locations etc.?

Hi Chris.

Let me see if I understood your question.
Do you want to use SSPR based on the device?

If this is the question, I think that SSPR doesn't have this functionality yet.
But let me know more about this case, what are you thinking of doing?

Thanks, bye.

@RodNet I think the deployment plan is possibly focusing on scenarios for on-prem password reset and giving the impression that access to the SSPR portal itself can be controlled, e.g. by managed devices or, as it mentions the corporate network, maybe named locations.

I'm in a cloud-only scenario. As I am using the plan, I need to be sure whether there is an option to apply any granular restrictions to the password reset screen, as the plan potentially implies.

@Chris Johnston

Good, I'm trying to simulate it in my lab environment.

But, I said that you need to restrict in a granular manner; did you try to set up SSPR just for the pilot group users?

As soon as possible I'll say what I found in my lab.

Hi @Chris Johnston

By using conditional access you could set up a policy where users must meet the requirements to access the myapps portal, where the link to reset the password will be available for users, and for devices if you are using password write-back. I think that, used like this, if your users do not meet the requirements they can't do the password reset.

Setting configurations like trusted locations in Named Locations in conditional access can help you set which region or IP address range will have access to the portal, and for the password reset to be available there, the user must meet the requirements. Sorry, but I can see just this way; correct me if I'm wrong and let's learn together.
That is it, hope it helps you.


Bye! =D

@RodNet thanks for all your efforts looking into this, it's much appreciated. I have spoken to Microsoft support, who have confirmed the following:

Azure SSPR (https://aka.ms/sspr) cannot be restricted based on devices or named locations in a conditional access policy.

Conditional access policy would work only for applications.

If we have a third-party SSPR configured as a relying party in ADFS, then we can apply claims over the access restrictions for SSPR.

So for my scenario, which is SSPR in Azure for cloud-only identities, restrictions can't be applied, so it looks like the users will be able to register and reset their passwords from any device or location.