MultiFactor Authentication and Self Service Password Reset
When you want to enable Multi-Factor Authentication and Self-Service Password Reset for your users, they first need to register their security settings. Since the combined registration portal arrived, users can do this in one place, and using the combined registration experience is also a requirement for what follows.
The good part is that we can control this user action with Conditional Access. This gives you the flexibility to limit the action to trusted locations only, or even to trusted devices if you want to. Users can then only register from the locations you marked as trusted or from specific named locations.
Create a Conditional Access policy
1. Open Entra ID Conditional Access by visiting https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConditionalAccessBlade/~/Policies
2. Create a new Conditional Access policy:
- Name: Enter a name for this policy. For example, Combined Security Info Registration on Trusted Networks.
- Under Assignments, select Users and groups, and select the users and groups you want this policy to apply to.
3. Under Cloud apps or actions, select User actions and check Register security information.
4. Under Conditions > Locations:
- Configure: Yes.
- Include: Any location.
- Exclude: All trusted locations.
When you exclude all trusted locations, the policy does not apply when users register their security settings from a trusted location.
5. Grant: Select Block. When users register their security settings from outside a trusted location, the request is blocked.
6. Under Enable policy, select On, then click the Create button.
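The same policy expressed against the Microsoft Graph API, as an added example using the Microsoft Graph PowerShell SDK (not from the original post); the group object ID is a placeholder you replace with your own pilot group.

```powershell
# Added example: create the policy from this post through Microsoft Graph PowerShell
# (Microsoft.Graph.Identity.SignIns module). Replace the placeholder group ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$targetGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot group

$policy = @{
    displayName = "Combined Security Info Registration on Trusted Networks"
    # "enabled" matches "Enable policy: On" in the post; set
    # "enabledForReportingButNotEnforced" to evaluate in report-only mode first.
    state       = "enabled"
    conditions  = @{
        users        = @{ includeGroups = @($targetGroupId) }
        # User action "Register security information"
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        # Include Any location, exclude All trusted locations
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    # Grant: Block
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm the user action, locations and state were stored
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'UserActions';       e = { $_.Conditions.Applications.IncludeUserActions } },
        @{ n = 'ExcludedLocations'; e = { $_.Conditions.Locations.ExcludeLocations } }
```

Running the policy in report-only mode first lets you review the sign-in logs for users who would have been blocked before enforcing it.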
End-user experience
From an end-user perspective, to register for MFA and SSPR, you would go to either:
When users do this from an untrusted location, they see the following error.