You may already know that it is a best practice to get your users registered for Azure Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR).
That said, registration requires the end user to provide sensitive information (a phone number, an external email address, and so on) so that the system can properly identify them during registration. That same information is later used to identify the user, for example when they reset their password through SSPR.
Until today, there was a risk that an attacker who already held a user's password could complete MFA or SSPR registration on that user's behalf, enrolling a phone number or email address the attacker controls and thereby owning the user's recovery and second-factor path.
Now, you can implement a Conditional Access policy that protects the registration process for MFA and SSPR.
- Log on to your Azure (https://portal.azure.com) or Azure AD (https://aad.portal.azure.com) administration portal and open the Conditional Access configuration blade
- Create a new Conditional Access policy with the settings below
- Cloud apps or actions: User actions\Register security information
- Conditions: Locations\Include Any location, Exclude All trusted locations. Reminder: trusted locations are the public IP endpoints your users come from when they reach the Internet from your corporate network; define them in the Conditional Access\Named Locations blade and mark them as trusted
- Access controls: Grant\Grant access, Require multi-factor authentication
With this configuration, users who have not yet registered for MFA and/or SSPR must be on your corporate network to do so. If they try to register from another network (cyber cafe, home, and so on) they get an error message telling them they cannot register because they are not connected to a trusted network. Note the exact effect of the "Require multi-factor authentication" grant: a user who has already registered an MFA method can satisfy it and therefore update their security information from any network, so the policy effectively blocks first-time registration from untrusted locations rather than every change. Also exclude your emergency-access (break-glass) accounts from the policy, and test it in report-only mode before enforcing it.
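The same policy created from the command line, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell cmdlets (module Microsoft.Graph.Identity.SignIns) to define the trusted named location and the policy exactly as described above; the corporate egress CIDR and the break-glass account object ID are placeholders you must replace with your own values.

```powershell
# Added example (not from the original post): build the trusted named location and the
# Conditional Access policy described above with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, and the two placeholder values
# below (corporate public IP range, break-glass account object ID) are replaced with yours.
Import-Module Microsoft.Graph.Identity.SignIns

# Policy.ReadWrite.ConditionalAccess is needed to create policies and named locations,
# Policy.Read.All to read them back.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$corpEgressCidr   = "203.0.113.0/24"                         # placeholder: your corporate public IP range
$breakGlassUserId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object ID

# 1. Trusted named location = the public IP endpoint(s) your corporate network uses to reach the Internet
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate network"
    isTrusted     = $true                                     # the "Mark as trusted location" checkbox in the portal
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $corpEgressCidr }
    )
}

# 2. The policy: user action "Register security information", any location except trusted ones,
#    grant access but require MFA. Start in report-only mode and switch to "enabled" after review.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Secure MFA/SSPR registration"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)               # never lock the emergency-access account out
        }
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")   # User actions\Register security information
        }
        locations = @{
            includeLocations = @("All")                       # Any location
            excludeLocations = @("AllTrusted")                # All trusted locations
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                            # Require multi-factor authentication
    }
}

# 3. Read the policy back and confirm the user action and location condition landed as intended
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$check.Conditions.Applications.IncludeUserActions    # should list urn:user:registersecurityinfo
$check.Conditions.Locations.ExcludeLocations         # should list AllTrusted
$check.State                                         # enabledForReportingButNotEnforced until you flip it to enabled
```

Leave the policy in report-only mode for a few days and review the sign-in logs (Conditional Access tab) for the "Register security information" action: every off-network registration attempt should show as "Report-only: Failure" and every on-network one as "Report-only: Not applied" before you set the state to enabled.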