I'm discussing enabling Self-service password reset with a customer and they are concerned that someone could reset the password from anywhere. Is it possible to create a conditional access policy that limits the IP addresses that a user can perform an SSPR from?
I know you can limit where the user signs up for SSPR/MFA but I'm wondering how to create a conditional access policy (or something else) that restricts users to an IP address to perform the SSPR.
Wouldn't it be better to increase the number of authentication methods required for SSPR to improve security? As I am assuming the customer already has the most common conditional access policies activated anyway? (referring to your previous post about top conditional access policies ;)