Feb 02 2021 07:05 PM
I'm getting the dreaded "more information required" prompt when our users sign into partner tenants. Note, this is a client tenant, so I'm hesitant to ask them what is going on... seems odd.
We have MFA enforced, and conditional access policies, but when we sign into resources in their tenant it is requiring MFA? I don't understand why we can't use the original MFA setup.
Note, we do not use default security policies in our tenant, do not allow password changes via OWA, etc. either.
Feb 02 2021 11:53 PM
This is not necessarily MFA related, might simply be the SSPR registration flow. In any case, best complete it.
Feb 03 2021 03:08 AM
Hi @meggerz , good morning.
You can avoid this by configuring Security groups on SSPR for the users you want to secure. I recommend giving all users the possibility to change their own password from Office 365. If you are using Azure AD Connect and write-back options, this can update their passwords on-premises as well and works really well.
You can find more info here. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
I hope this can help you.
Feb 04 2021 12:14 PM
I should have mentioned the second screen it brings us to... See attached.
I wanted to run through it further today but got a new error - we were flat out denied. I'm wondering if it is conditional access on their end.
Regardless, I'd like to understand how using SSPR is really applicable to this? Is it that they may be requiring a password reset via conditional access to their tenant upon first access? I read it can also be that default security settings are not enabled. I do not have them on my tenant, but is it possible they are enabled on the client tenant?
I'm super hesitant to turn on SSPR and default security settings.
Feb 05 2021 07:30 AM
Hi @meggerz !
Well, the screenshot is the option to configure MFA. You have a couple of options here, like TEXT or Calls. Also you can deploy Hardware Tokens.
From the MFA configuration options in Azure AD you can enforce which method you want to use within your organisation.
SSPR will allow the users to change their passwords from Office, but they need to meet at least 2 requirements: MFA configured and an external email address (not a company address). With these 2 options the users can change the password themselves.
Here you have info about MFA options: Configure Azure AD Multi-Factor Authentication - Azure Active Directory | Microsoft Docs
Here you have more info about SSPR: Self-service password reset deep dive - Azure Active Directory | Microsoft Docs
I hope this can help.