Microsoft Tech Community

User actions - Register Security Information from unmanaged devices.

Hi fellow members,

I work in a highly regulated organisation where we DO NOT allow unmanaged devices access to any of our Azure/M365 services. We use both Azure Conditional Access and tenant restrictions, among other methods, to secure our environment this way.

However, we are in the process of enabling Azure Virtual Desktop (AVD), and we DO want some users to be able to use this from an unmanaged device, and only in this scenario.

Our tenant is pre-August 2020, so currently we still use the old MFA/SSPR workflows. We cannot enable combined registration for all, so we are using the scoped combined registration user feature in AAD.

We find that since enabling combined registration, one of our CA policies is blocking access for a user to register their security information, either from the legacy workflows or using the combined registration experience.

Using the user action "Register security information" to allow from all locations also doesn't seem to work.

We cannot make any exceptions or remove the Conditional Access policy, which, BTW, prevents unmanaged devices from accessing. We do have another CA policy which does allow AVD from an unmanaged device but mandates MFA. That works great until we force the user to register SSPR security information.

Is anyone aware of any other options that could help address this in this scenario?

Many thanks

2 Replies
A suggestion would be to take a look at the usage of TAP in such scenarios to ensure that registration can take place. Please refer to the troubleshooting guide as well as the TAP documentation for more information on this.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-...

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporar...
Hi,
Yes, I have looked at TAP; however, the administration to set this up is quite overburdening for a very large organisation where every hour we may get many password resets, and it counteracts the benefit of using combined registration and of the user being able to self-serve.

As far as I know, TAP can only be administered in the portal and as lots of our processes wish to be automated I don't believe TAP is a suitable option for us, correct me if I am wrong though.
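For readers weighing the TAP suggestion above, the following is an added example (not code from any poster in this thread) of issuing a Temporary Access Pass from a script rather than the portal, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the caller holds a role allowed to manage authentication methods (Authentication Administrator or Privileged Authentication Administrator), TAP is enabled for the target users in the tenant's Authentication methods policy, and the UPN is a placeholder. The helper name New-HelpdeskTap is hypothetical.

```powershell
# Added example: automate Temporary Access Pass issuance with Microsoft Graph PowerShell.
# Assumptions (not from the thread): Microsoft.Graph installed; caller has Authentication
# Administrator (or Privileged Authentication Administrator) rights; TAP is enabled in the
# Authentication methods policy for the target users; the UPN below is a placeholder.
# Equivalent REST call: POST https://graph.microsoft.com/v1.0/users/{id}/authentication/temporaryAccessPassMethods

#Requires -Modules Microsoft.Graph.Identity.SignIns

function New-HelpdeskTap {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int]  $LifetimeInMinutes = 60,   # keep the window short: enough to register, no longer
        [bool] $IsUsableOnce      = $true # consumed by the first sign-in, so a leaked pass is worthless afterwards
    )

    # A user can hold only one TAP at a time; remove any leftover pass before issuing a new one.
    $existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($old in $existing) {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
            -TemporaryAccessPassAuthenticationMethodId $old.Id
    }

    $body = @{
        lifetimeInMinutes = $LifetimeInMinutes
        isUsableOnce      = $IsUsableOnce
    }
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter $body

    # The plaintext pass is returned only in this response; deliver it to the user out of band
    # (e.g. a verified helpdesk call) and do not log it.
    [pscustomobject]@{
        User      = $UserPrincipalName
        Pass      = $tap.TemporaryAccessPass
        StartTime = $tap.StartDateTime
        Lifetime  = $tap.LifetimeInMinutes
        OneTime   = $tap.IsUsableOnce
    }
}

# Usage: delegated sign-in with the permission the TAP endpoints require.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'
New-HelpdeskTap -UserPrincipalName 'user@contoso.example' -LifetimeInMinutes 30
```

Because a TAP satisfies the MFA requirement, a user who signs in with it can complete combined registration from the unmanaged device under the MFA-gated AVD policy without any exception to the device block; the script is the part a helpdesk or an application-permission service principal would run in bulk.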