Prevent SSPR Outside Company Network

Hi All

Is it possible to restrict SSPR to when users are on-site / company LAN?

I know there is the combined MFA and password reset registration Conditional Access but this seems for SSPR / MFA Regist...

Info appreciated

3 Replies

Hi there Stuart!

There is no other way than enabling combined registration and doing it the way you linked.

@Thijs Lecomte

Hmmm, not great.

How about revoking MFA sessions for user? That would force them to re-register for MFA onsite?

Any similar solution for passwords?

Regards

It's not possible natively through AAD. You could create some custom Graph API script, but even that won't fully solve your issue.