Apr 30 2019 08:54 AM
Apr 30 2019 08:54 AM
The SSPR Deployment Plan
has cases for SSPR portal being accessible from within & outside the corporate network (with option for corporate & personal devices) - suggests conditional access or similar is available for SSPR but no obvious cloud app or setting to configure against.
Can anyone advise if access to SSPR portal (I assume this is the reset at https://aka.ms/sspr) can be restricted e.g. based upon devices, named locations etc.
Apr 30 2019 09:38 AM
Apr 30 2019 09:51 AM
@RodNet I think the deployment plan is possibly focusing on scenarios for on-prem password reset and giving the impression that access to SSPR portal itself can be controlled e.g. by managed devices or as it mentions the corporate network, maybe named locations.
I'm in a cloud only scenario, as I am using the plan I need to be sure if there is an option or not to restrict apply any granular restrictions to the password reset screen as the plan potentially implies.
Apr 30 2019 11:26 AM
Good, i'm trying to simulate in my lab envionment.
But, i said that you need to restrict in a granular maner, did you try to setup SSPR just for the pilot group users?
Soon as possible I'll say what i found on my labs.
Apr 30 2019 12:27 PM
By using condional access you could setup a policy where users must meet the requirements to acess the myapps portal, where the link to the reset password will be available for users, and for devices if you are using password Write-Back, I think that using like this if your users do not meet the requirements they i'll can't do the password Reset.
Setting configurations like trusted locations on Named Locations on conditional acess, can help you set the region or ip address range will have acess to portal and how this password reset will be there, the user must meet the requirements. Sorry but, i can see just this away, correct me if i'm wrong and let's learn together.
That is it, hope it helps you.
May 01 2019 09:18 AM
@RodNet thanks for all you efforts looking into this, its much appreciated. I have spoken to Microsoft support who have confirmed the following:
Azure SSPR( https://aka.ms/sspr) cannot be restricted based on devices or named locations in conditional access policy.
Conditional access policy would work only for Applications.
If we have a Third party SSPR configured as a relying party in ADFS, then we can apply claims over the access restrictions for SSPR.
So for my scenario which is SSPR in Azure for cloud-only identities, restrictions can't be applied so looks like the users will be able to register & reset their passwords from any device / location.