CA MFA Setup

Occasional Contributor


I configure conditional access policy to prevent users to register security information outside ours network. The policy working when user go to

when user go to\mfasetup he can start the process for registration

I want to know is this normal behaviour or a known problem

Thank you for your reply

1 Reply

Hi there @awaaziz,


I came across your post here while trying to investigate an issue where kept me in a login loop where I would be prompted to enter my username, password, YubiKey PIN, and tap the YubiKey over and over again.


I found that did not do this and I was able to manage my MFA authentication methods. I couldn't find anything else online that suggested there might be something different about these two short URLs. However, I stumbled upon this little note in -> Azure Active Directory -> Password Reset -> Authentication Methods that suggests /setupsecurityinfo may be newer (green emphasis mine)


Users can register their mobile app at or in the new security info registration experience at You can enable security info registration for your organization by following steps at For additional help on using Authenticator app methods visit
While it doesn't answer your question, it at least suggests there is a difference between the two. 
As for your actual question, I should warn you that in my experience so far, creating a Conditional Access Policy using the Register security information User Action (under Cloud apps or actions) applies not only to MFA/SSPR registration, but also password resets. So, if you deploy this setting, you will need to make sure all of your users will be able to meet whatever conditions you set for managing MFA AND passwords.