Onboarding new users and forcing them to change their password on first logon in AAD.
We are rolling out SSPR and are working through how to manage our new user onboarding. Our users are homed on prem and synced via AAD connect. Since the "force user to change password on first logon" flag in local AD isn't supported for sync, when our users are initially created in Azure, they are not required to change their password when first logging onto an Office 365 app. Does anyone know of a way to default users in Azure so they must change their password upon first login?
'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app is not able to be excluded from Conditional Access (CA) polices and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. Best way to demonstrate this is through examples... ----Example 1---- Environment: CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts) CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc) CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc) SSPR registration enforcement (Password reset > Registration) - set to 'Yes' MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled' Scenario: A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2, however [App] is excluded from 1 and shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx: Then they see this screen, which will block the login and try to get the user to download the Company Portal app: While behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3: CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs. ----Example 2---- Environment: Same as above, but SSPR registration enforcement - set to 'No' Scenario: Same as above, but when accessing the [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx: Then they are directed to the combined SSPR/MFA registration experience successfully: The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration. From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience. ----Workarounds---- 1 - Prevent using 'All cloud apps' with device based CA policies (difficult, requires redesigning/thinking/testing policies, could introduce new gaps, etc) 2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement like in example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update) 3 - Disable SSPR entirely for affected users (medium depending on available security groups, and doesn't allow for affected users to use SSPR) ----Related links---- https://feedback.azure.com/d365community/idea/d5253b08-d076-ed11-a81b-000d3adb7ffd https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789 Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microsoft Community Hub MS, please either: 1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded 2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabledReport suspicious activity (Preview)
Allows users to report suspicious activities if they receive an authentication request that they did not initiate. This control is available when using the Microsoft Authenticator app and voice calls. Reporting suspicious activity will set the user's risk to high. If the user is subject to risk-based Conditional Access policies, they may be blocked.
self service password reset - restrict access
The SSPR Deployment Plan aka.ms/deploymentplans has cases for SSPR portal being accessible from within & outside the corporate network (with option for corporate & personal devices) - suggests conditional access or similar is available for SSPR but no obvious cloud app or setting to configure against. Can anyone advise if access to SSPR portal (I assume this is the reset at https://aka.ms/sspr) can be restricted e.g. based upon devices, named locations etc.
How to correctly implement Entra ID Connect sync when users exists in Entra ID as cloud users?
Hi Everyone, I have a small on-premises exchange server 2016 setup which we're planning to make Hybrid. We do have a O365 environment (Business Standard Licensed) which is independent as users signed in for Teams and SharePoint Online usage. We now have to implement Entra ID Connect (Azure AD Connect) to facilitate Exchange Hybrid deployment. My questions are: 1. These users currently exists in Entra ID as cloud accounts (as they've been using Cloud Apps such as Teams, SPO with their Windows 10 joined to Entra ID) will there be any issues when sync is configured ? (i.e. duplicate of identity errors etc..) 2. What's the best approach to implement Entra ID Connect and sync these user from AD to Engtra ID without having to remove these accounts from Entra ID? Any inputs are highly appreciated ! Thank you!Can we require MFA for SSPR enrollment?
Is there a way to require MFA for SSPR (self-service password reset) enrollment? This would be ideal for our tenant to ensure a valid user (not just having the password) authenticates with MFA, or other Conditional Access policies, in order to do initial SSPR enrollment. I'm not so much concerned with the reset process, just the enrollment process right now. Thanks!
Self Service Password Reset without being forced to have MFA enabled
We have enrolled MFA for parts of our company (Guests, IT department, parts of the administration) so far and are slowly pushing forward. MFA is controlled by a Conditional Access policy where users or groups are added manually. At the same time we are currently implementing SSPR for our company. SSPR is set to "selected" and not to "all". That means we have a group where we add users to get SSPR enabled for them. This is how it is set up: If we enable SSPR for a user that has not being enabled for MFA by conditional access yet then this user is facing issues to set up his Self Service Password Reset questions. He is forced to register MFA what we do not want at this point (that is why we have not added him to the MFA Conditional Access policy at this point). Is there a way to make the users register SSPR for their account but not being forced to register MFA yet? Is it even possible to enable SSPR without MFA? We know that MFA is highly recommended. We are working on the full rollout. But there are users that are not ready yet. This is what the user is facing when SSPR is enabled for him but MFA is not yet enforced by conditional access: Says: Protect your account. Microsoft Authenticator. Get the app first.User actions - Register Security Information from unmanaged devices.
Hi fellow members I work in an highly regulated organisation where we DO NOT allow unmanaged devices access to any of our Azure/M365 services. We use both Azure conditional access and tenant restrictions and other methods to secure our environment this way. However we are in the process of enabling Azure virtual desktop (AVD) and we DO want some users to be able to use this from an unmanaged device and only in this scenario. Our tenant is pre August 2020 so currently we still use the old MFA/SSPR workflows, we cannot enable combined registration for all so are using the scoped combined registration in user feature in AAD. We find that since enabling combined registration one of CA policies is blocking access for a user to register their security information either from the legacy workflows or using the combined registration experience. Using the user actions – register security information to allow from all locations also doesn’t seem to work. We cannot make any exceptions or remove the conditional access policy, which BTW prevents unmanaged devices to access. We do have another CA policy which does allow AVD from an unmanaged device but mandates MFA. That works great until we force the user to register SSPR security information. Is anyone aware of any other options that could help address this in this scenario? Many Thanks
how to customize the language when user change his new password
As we all now SSPR has features to register, unlock and reset new password. It has no feature to change new password. To change new password, user has to go to office 365 portal or visit myapp site. Generally the when change new password, the link goes to https://account.activedirectory.windowsazure.com/ChangePassword.aspx The IE will detect the language settings and make the page the same language. Is there a way to navigate to local language via url: to https://account.activedirectory.windowsazure.com/ChangePassword.aspx
