SOLVED

Allow SSPR only from Azure Joined Windows Devices


Hi everyone,

We want to use SSPR only from specific devices. I'm not talking about registration.

The point is to use this link (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows) and deny SSPR from devices by using conditional access.

Any ideas?

Rahamim.

3 Replies

Hi. You can enable the SSPR CSP policy and deploy it to a group containing only Azure AD devices.

As for using CA to deny SSPR, what is the exact scenario?

I want to allow users to reset their password from their Azure joined computers only. Not from a smartphone or a non-Azure-joined device.

best response confirmed by RahamimL (Frequent Contributor)
Solution
Don't think this functionality exists at the moment. At best you can restrict registration to a known location using CA, but that's about it.