Howdy folks,
More and more organizations are using Multi-Factor Authentication (MFA) to protect their access and self-service password reset (SSPR) to reduce support costs and empower their users to manage their credential recovery. Our internal studies show that customers can cut their risk of account compromise by 99% by enabling MFA, so we’re REALLY happy to see this growing trend.
With this increasing usage, we also heard loud and clear that you want to control the conditions in which security sensitive MFA or SSPR information can be registered. This helps ensure it’s the right user—not an attacker—registering this security sensitive info.
Some common restrictions you requested include ensuring that:
We heard you loud and clear!
Today, I am excited to announce the public preview of Azure AD conditional access for our combined registration experience for MFA and SSPR. Many of our largest customers have already been using this while it was in private preview to simplify rolling out MFA and SSPR and we’re looking forward to making it more broadly available as part of Azure AD Premium P1 subscription.
Here are some instructions to try this out!
Getting started
First, create a policy that blocks registration for users who are not on the corporate network, while still allowing users who can already use MFA to manage their credentials from anywhere.
Next, make sure that all users you want to apply this policy to are part of the MFA and SSPR preview. This is required because users not on the preview will use the older security information page and the policy will not be enforced.
Steps for setting up policy
Set the Locations. Include Any location; exclude all trusted networks.
Now, if a user is outside of a trusted network and attempts to register MFA for the first time, they’re blocked and shown the following message:
As soon as they register MFA, they’ll be able to manage MFA and SSPR registration details from anywhere.
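As an added example, not code from the post or from Microsoft, the policy from the steps above expressed as the JSON body the Microsoft Graph conditionalAccessPolicy resource accepts, with a small evaluator that shows why a first-time registrant off the trusted network is blocked while an MFA-registered user can manage security info from anywhere. Using Graph rather than the portal is an assumption, and the evaluator is a simplification of the decision, not Azure AD's policy engine.

```python
# Added example: the post's policy as a Graph conditionalAccessPolicy body.
# Assumption: Graph is used instead of the portal; identifiers are Graph's own.
REGISTER_SECURITY_INFO_POLICY = {
    "displayName": "Secure security info registration",
    # Report-only first, so sign-in logs show who would be blocked before enforcing.
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
        # Include Any location; exclude all trusted networks (the post's step).
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    # Require MFA: a registered user satisfies it anywhere; a first-time
    # registrant outside a trusted network cannot, so they are blocked.
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def evaluate(policy, attempt):
    """Simplified evaluator (not Azure AD's engine) for one constructed attempt.

    attempt keys: 'action', 'trusted_location', 'mfa_registered'.
    Returns 'block', 'allow', or 'not_applicable' (policy does not fire).
    """
    cond = policy["conditions"]
    if attempt["action"] not in cond["applications"]["includeUserActions"]:
        return "not_applicable"
    if attempt["trusted_location"] and "AllTrusted" in cond["locations"]["excludeLocations"]:
        return "not_applicable"  # on a trusted network, the exclusion applies
    controls = policy["grantControls"]["builtInControls"]
    if "mfa" in controls and not attempt["mfa_registered"]:
        return "block"  # cannot satisfy the MFA grant control yet
    return "allow"


def decisions():
    """Outcomes for the three cases the post describes (constructed attempts)."""
    action = "urn:user:registersecurityinfo"
    cases = {
        "first_time_off_network": {"action": action, "trusted_location": False, "mfa_registered": False},
        "first_time_on_network": {"action": action, "trusted_location": True, "mfa_registered": False},
        "registered_user_anywhere": {"action": action, "trusted_location": False, "mfa_registered": True},
    }
    return {name: evaluate(REGISTER_SECURITY_INFO_POLICY, a) for name, a in cases.items()}
```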
Go ahead and give it a try today!
See our Azure AD conditional access documentation for additional information. We’d also love to hear your feedback. If you have a couple of minutes, please consider filling out our survey. You know we’re listening!
Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Vice President of Program Management
Microsoft Identity Division