I am looking for some pointers on a question I have on SSPR forced registration.
Over 100,000 employees, global organisation. Due to a technical and political issue around MFA forced registration we have not enabled the Combined Reg feature, but we wish to use forced SSPR. We have about a 50/50 split of users on Win7 or Mac devices and Windows 10, and there is already a migration in place to migrate users, but the sheer size means this is taking some time. Due to legacy requirements a sizeable number of users won't be able to use SSPR due to use of Win7/macOS devices, so these are out of scope. We have tried using the approach where users can self register, but the uptake has been low, and so our intention is to enable the forced registration in SSPR but stage this deployment over a period of weeks/months.
The issue is that in the current config of SSPR a dynamic Azure AD group is in place, and due to the number of domains the plan is to create a master AAD static group and add nested synced AD groups into this master AAD group. However, we don't want existing users (approx. 20,000 registered users) to be affected by the group changes.
We use a tool called migration studio (MigrationStudio) as our source of truth for data, and so the intention is to extract information from a variety of sources to determine who is in scope to be included in the respective nested groups for SSPR forced registration. We can leverage the Graph API (credentialUserRegistrationDetails resource type - Microsoft Graph beta | Microsoft Docs) and so can understand who is currently registered for the service. We will use this data to populate those nested groups and then make the change on the SSPR group configuration so existing users can continue to use SSPR and don't need to re-register.
My question is about understanding and confirming whether the data from credentialUserRegistrationDetails is enough to ensure we capture all the correct users from the export we perform from migration studio. There are other criteria we need to consider, e.g. excluding Windows 7/Mac users, which we collate. We also considered excluding service accounts and other operational accounts not suited for SSPR.
Would there be anything else we would need to consider with us doing a staged approach?
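The selection step described above (page through the beta credentialUserRegistrationDetails report, keep users who are already registered, drop the legacy-device and service-account populations), as an added example that is not part of the original post. The Graph pages, the exclusion list and the `svc-`/`adm-`/`shared-` naming pattern are constructed assumptions; a real `get_page` would call the URL with a bearer token holding Reports.Read.All.

```python
"""Select already-registered SSPR users for the 'existing users' nested group."""
import re
from typing import Callable, Dict, Iterable, List

GRAPH_URL = "https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails"

def fetch_all(get_page: Callable[[str], Dict], url: str = GRAPH_URL) -> List[Dict]:
    """Follow @odata.nextLink until the report is exhausted (100k+ users span many pages)."""
    records: List[Dict] = []
    while url:
        page = get_page(url)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page -> loop ends
    return records

# Assumed naming convention for service/operational accounts; adjust to the tenant's own.
SERVICE_ACCOUNT_RE = re.compile(r"^(svc|adm|shared)[-_.]", re.IGNORECASE)

def select_registered(records: Iterable[Dict], out_of_scope_upns: Iterable[str],
                      require_capable: bool = False) -> List[str]:
    """Return UPNs that should keep SSPR access when the group configuration changes."""
    excluded = {u.lower() for u in out_of_scope_upns}
    keep = []
    for r in records:
        upn = r["userPrincipalName"]
        if not r.get("isRegistered"):
            continue  # never registered: belongs in a later forced-registration wave
        if require_capable and not r.get("isCapable"):
            continue  # registered, but fewer methods than the tenant's SSPR policy requires
        if upn.lower() in excluded or SERVICE_ACCOUNT_RE.match(upn):
            continue  # Win7/macOS users and service accounts are out of scope
        keep.append(upn)
    return sorted(keep)

# Constructed sample pages standing in for the Graph response (two pages).
PAGE2 = GRAPH_URL + "?$skiptoken=page2"
SAMPLE_PAGES = {
    GRAPH_URL: {"value": [
        {"userPrincipalName": "alice@contoso.example", "isRegistered": True, "isCapable": True},
        {"userPrincipalName": "bob@contoso.example", "isRegistered": False, "isCapable": False},
        {"userPrincipalName": "carol@contoso.example", "isRegistered": True, "isCapable": True}],
        "@odata.nextLink": PAGE2},
    PAGE2: {"value": [
        {"userPrincipalName": "svc-backup@contoso.example", "isRegistered": True, "isCapable": True},
        {"userPrincipalName": "dave@contoso.example", "isRegistered": True, "isCapable": False}]},
}
fake_get_page = lambda url: SAMPLE_PAGES[url]
LEGACY_DEVICE_UPNS = ["carol@contoso.example"]  # constructed MigrationStudio export (Win7/macOS)

if __name__ == "__main__":
    print(select_registered(fetch_all(fake_get_page), LEGACY_DEVICE_UPNS))
```

Passing `require_capable=True` tightens the selection to users whose registered methods already satisfy the policy, which avoids grandfathering users who would be prompted anyway.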