Microsoft Announces Combined Multifactor Authentication and Password Reset Registration

In April, Microsoft announced the general availability of combined multifactor authentication (MFA) and self-service password reset (SSPR) registration for Azure Active Directory (Azure AD). Before the announcement, users had to perform similar steps to register for MFA and SSPR separately. The process has now been combined to make it easier for users to get on board with these useful security features.

When users register for MFA or SSPR, they need to provide at least one alternative contact method, like a phone number. The alternative contact can be used in cases where logins can’t be performed using the default authentication method. For example, a user might lose their phone on which they had registered an account with the Microsoft Authenticator app.

Microsoft Announces Combined Multifactor Authentication and Password Reset Registration for Azure AD Users (Image Credit: Microsoft)

Microsoft embarked on the combination project with the aim of increasing use of MFA. And as more of us work at home during the COVID-19 pandemic, a focus on security is needed to protect devices and corporate data.

According to Robyn Hicock, Senior Program Manager for the Microsoft Identity Security and Protection Team, one of the most common pieces of feedback the team received was that the registration process needs to be really easy on mobile devices. Mobile users can now register for MFA and SSPR using a streamlined process.

The web experience has also been simplified. The Security Info page is still where users find their default authentication method, add authentication methods, and access security info, like their phone number.

Conditional Access for combined registration

Not only has registration been simplified, but Conditional Access is now part of the combined MFA and SSPR registration experience. Organizations can enforce Conditional Access policies when users are adding sensitive security information to their accounts. Adding Conditional Access to the mix helps to ensure that the right user is adding sensitive info to an account.

Some examples of policies that can be enforced include:

  • Users are on a trusted network
  • Only users with a low sign-in risk can register security information
  • Users can only register on a managed device
  • Users should agree to terms of use during registration

Conditional Access gets a new action called Register security information, to which policies can be applied. Once a user successfully registers for MFA, they can then manage MFA and SSPR registration info from anywhere.
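One way to express the first policy in the list above (registration only from a trusted network) against the Register security information action. This is an added example, not code from Microsoft or the original article; it assumes the Microsoft Graph PowerShell SDK, and the group ID and display name are placeholders.

```powershell
# Added example. Assumes the Microsoft.Graph.Identity.SignIns module is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of an emergency-access group that must never be locked out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Register security info: trusted network only'   # hypothetical name
    # Report-only first, so the effect can be reviewed before enforcement.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        # Target the user action rather than a cloud app.
        applications   = @{
            includeUserActions = @('urn:user:registersecurityinfo')
        }
        # Applies everywhere except named locations marked as trusted.
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in report-only mode"

# List every policy scoped to the registration action, to spot overlaps or gaps.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Applications.IncludeUserActions -contains 'urn:user:registersecurityinfo' } |
    Select-Object DisplayName, State, Id
```

Review the report-only results in the Azure AD sign-in logs before changing `state` to `enabled`.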

Enable multifactor authentication and self-service password reset combined registration

Although the new combined registration process is generally available, Microsoft has decided not to automatically switch everyone over right away. Instead, organizations control when they move to the new combined registration. To enable it:

  • In the Microsoft 365 admin center, click …Show all on the left.
  • In the list of expanded options below Admin centers, click Azure Active Directory.
  • The Azure Active Directory admin center will open in a new browser tab.
  • On the Overview screen, click User settings below Manage.
  • Under User feature previews, click Manage user feature preview settings.
  • Set ‘Users can use preview features for registering and managing security info – enhanced’ to All to enable combined registration for all users.
  • Alternatively, click Selected and then select a group to enable combined registration for a subset of your Azure AD users.
  • Click Save to update the setting.

Microsoft Announces Combined Multifactor Authentication and Password Reset Registration for Azure AD Users (Image Credit: Russell Smith)

For more detailed information on combined registration, see Combined security information registration overview on Microsoft’s website.

The post Microsoft Announces Combined Multifactor Authentication and Password Reset Registration appeared first on Petri.