SOLVED

CA template - Securing Security info registration

Brass Contributor

Can someone please explain to me how this template secure the process of registration of my users security info?

 

It require MFA if they are not on a trusted location. Ok I get that bit but if the user has not set up MFA they get asked to register. I tested this yesterday on my personal home computer by logging in to our company sharepoint and I was asked to give more information and got taken to the place to set up authentication methods.

 

A user with bad intent that somehow obtain username and password for my users would see the same.

 

I have seen another variation of this where the grant controls was set to block outside trusted networks. but obviously that stops users from registering MFA when outside the company. That's is not good for us either.

 

2 Replies
Hi @RippieUK,

You would indeed require an MFA setup from a trusted location for security reasons, and I agree with this. However, since we are in a scenario where working from home is the standard, it's almost impossible to configure this Conditional Access Policy. Still, I would recommend using this method. You should provide your users the possibility to register from a trusted location, think of delivering registration from a VDI environment, a VPN connection, etc.

You've already mentioned that a user with bad intentions can do the same as what the user could. Pre-populating an MFA method is also possible, there are several methods available to achieve this:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata

https://identity-man.eu/2020/07/08/pre-configure-authentication-methods-for-end-users-in-azure-ad/

Good luck!
best response confirmed by RippieUK (Brass Contributor)
Solution
So I think we have got it sorted, we enabled "Users can use the combined security information registration experience" and then the the securing register security info CA policy now blocks people and they have to use a temporary access password to continue.

So i am all good now 🙂
1 best response

Accepted Solutions
best response confirmed by RippieUK (Brass Contributor)
Solution
So I think we have got it sorted, we enabled "Users can use the combined security information registration experience" and then the the securing register security info CA policy now blocks people and they have to use a temporary access password to continue.

So i am all good now 🙂

View solution in original post