New conditional access methods to ensure MFA/SSPR registration is done by your users
Big News for Registering for MFA and SSPR!
We've been telling you for some time how important multi-factor authentication (MFA) is to the security of your users' identities. It is so important that Microsoft's Secure Score gives it more weight than any other action to boost your security posture in Office 365 and beyond.
Self-service password reset (SSPR) makes your support team's life much better by empowering your users to change and reset their own passwords without opening yet another support ticket.
BUT you have to register for MFA/SSPR to be able to use it …
How do you ensure the person registering for MFA/SSPR is your user and not a bad actor?
You have been asking this question and probably felt like the response was lacking.
Microsoft recently announced the public preview of new conditional access methods to help ensure it is the right person registering. Here are some conditions that will help:
- Users are on a trusted network
- Only users with a low sign-in risk can register security information
- Users can only register on a managed device
Follow these steps to get started:
- Enable the enhanced security info registration experience in the Azure portal
- Create a new conditional access policy for MFA/SSPR registration
- Instruct your users to use the new MFA/SSPR combined registration portal: https://aka.ms/setupsecurityinfo
- Sleep better knowing it's your users registering their security information
Remember to crawl, walk, then run. Test this with a few users, pilot, then enable it for the broader audience to make sure this is a fit for your organization.
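To confirm that the policies you created really cover the three conditions listed above, you can audit an export of them. The following is an added example, not part of the original post or any Microsoft tooling: it assumes the policies are exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape, the function name and sample policies are constructed for illustration, and the checks are deliberately conservative (user and group scoping is not inspected).

```python
import json

REGISTER_ACTION = "urn:user:registersecurityinfo"  # "Register security information" user action
DEVICE = {"compliantDevice", "domainJoinedDevice"}

# Constructed sample export (not from a real tenant), Graph conditionalAccessPolicy shape.
SAMPLE = json.loads("""[
 {"displayName": "Reg: block untrusted networks", "state": "enabled",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                 "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Reg: block risky sign-ins (pilot)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                 "signInRiskLevels": ["medium", "high"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Reg: managed devices only", "state": "disabled",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]}}
]""")

def audit_registration_policies(policies):
    """Map each condition from the list above to the state of a policy covering it, or None."""
    found = {"trusted_network": None, "low_sign_in_risk": None, "managed_device": None}
    for p in policies:
        cond = p.get("conditions") or {}
        actions = (cond.get("applications") or {}).get("includeUserActions") or []
        if REGISTER_ACTION not in actions or p.get("state") == "disabled":
            continue
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls") or [])
        loc = cond.get("locations") or {}
        include, exclude = loc.get("includeLocations") or [], loc.get("excludeLocations") or []
        risk = set(cond.get("signInRiskLevels") or [])
        hit = None
        # Conditions in one policy are ANDed, so count a policy only when it is scoped by one of them.
        if "block" in controls and "All" in include and exclude and not risk:
            hit = "trusted_network"      # blocked everywhere except the excluded locations
        elif "block" in controls and {"medium", "high"} <= risk and not include:
            hit = "low_sign_in_risk"     # medium and high risk blocked, low risk remains
        elif controls & DEVICE and not include and not risk and (
                controls <= DEVICE or grant.get("operator") == "AND"):
            hit = "managed_device"       # a compliant or hybrid-joined device is mandatory
        # An enforced policy outranks a report-only (pilot) one.
        if hit and found[hit] != "enabled":
            found[hit] = p.get("state")
    return found

if __name__ == "__main__":
    for condition, state in audit_registration_policies(SAMPLE).items():
        print(f"{condition}: {state or 'NOT COVERED'}")
```

A result of `enabledForReportingButNotEnforced` means the policy is still in report-only mode, which fits the pilot stage but does not yet block anyone.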
Enabling always recommends a solid Adoption and Change Management approach to rolling out any new technology or change that will impact your end users.