Close Menu
    Security

    Secure the Azure MFA registration process with Conditional Access

    Peter KlapwijkBy Updated:2 Mins Read

    About a week ago a new option in Azure Conditional Access showed up as User Action, Register Security Information. With this new option we have the possibility to control the location from where an Office 365/ Azure AD user is allowed to register Multi-Factor Authentication (MFA) or Self Service Password Reset (SSPR) information. We can now for example only allow registration of MFA information from our internal network, which we consider secure.

    In this blog post I show how to setup up a Conditional Access policy to restrict the registration of security information to only my own network. My own network is registered as Named Location using my external IP-address.
    I assume you have already setup Multi-Factor Authentication and/ or Self Service Password Reset in Azure.

    Setup Azure Conditional Access policy

    We first setup a new Named Location. In this example I create a location for my office network which contains my external IP-address and mark it as Trusted Location.

    1. Sign-in to the Azure Portal
    2. Click on Azure Active Directory
    3. Click Conditional Access – Named Locations
    4. Click New location

    1. Give the location a Name
    2. Check Mark as trusted location
    3. Add your external IP-address under IP ranges
    4. Click Create

    When the new location is created, we create a new Conditional Access policy with the new option Register Security Information.

    1. Click Policies
    2. Click Create policy

    1. Give your policy a Name
    2. Click the Users and Groups tab
    3. Select All Users or select Select users and Groups and select a security group to apply the policy to
    4. Click Done

    1. Click the Cloud apps or actions tab
    2. Click User Actions
    3. Check Register security information
    4. Click Done

    1. Click the Conditions tab
    2. Click the Locations tab
    3. Click Yes to enable the condition
    4. On the Include tab check Any location
    5. On the Exclude tab check All trusted locations
    6. Click Done twice

    1. Click the Grant tab
    2. Check Block Access
    3. Click Select
    4. Click On under Enable Policy
    5. Click Create

    Setting up our configuration is finished and active in just a few minutes.

    End-user experience

    On a device which is not connected to the internal network of a trusted location, sign-in to Office.com with a new user. The user needs to register the MFA or SSPR information, but is blocked to do so.

    On a device which is connected to the internal network of a trusted location, we are allowed to register the MFA or SSPR information as we are used to be.

    Share.

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.

    Related Posts

    Add A Comment
    Leave A Reply