skip to Main Content

Secure MFA and SSPR registration with Conditional Access

After you configure Azure AD MFA and SSPR, you might want to look at how to secure both registrations. For example, you don’t want that a spray attack is carried, and the attacker registers for MFA or SSPR. You can secure Azure MFA registration and SSPR registration with Azure Conditional Access.

Introduction

You did deploy MFA using Azure AD Conditional Access and enabled Self-Service Password Reset. Both the features are enforced for the users. It means that all the users will be asked to register MFA and SSPR after they log in.

Does that mean it’s secure? No, it’s not. Let’s see how the registration works with and without securing the MFA and SSPR registration.

Good to know is that if you only have MFA or SSPR enabled, you can follow the article. But, we recommend configuring both MFA and SSPR in the organization.

Azure MFA and SSPR registration not secure

When you don’t secure MFA and SSPR registration with trusted locations, it will look as follows:

  1. You create an account for the user
  2. Hacker will carry a spray attack
  3. Hacker will succeed
  4. Hacker logs in with credentials
  5. Hacker will get a message to go through the MFA/SSPR setup
  6. The hacker will set up MFA/SSPR
  7. Hacker is successfully logged in

Azure MFA and SSPR registration secure

When you secure MFA and SSPR registration with trusted locations, it will look as follows:

  1. You create an account for the user
  2. Hacker will carry a spray attack
  3. Hacker will succeed
  4. Hacker logs in with credentials
  5. Hacker will get a message that access is restricted
  6. The hacker can’t proceed further
  7. Hacker is not successfully logged in

Let’s look at the next step at securing Azure MFA registration and SSPR registration with Conditional Access in Azure Active Directory.

Secure Azure MFA and SSPR registration

Go through the steps to secure MFA and SSPR registration from trusted locations.

Step 1: Create Conditional Access named location

Do you have the public IPs added in the named location section? If yes, you can skip this step.

Navigate to Azure Active Directory > Security > Conditional Access. Click on Named location > IP ranges location. Add the IP address and give it a name (description). We will add the Head Office IP address.

Make sure to add the public IP of the organization and not the internal IP of a device.

You can select the checkbox Mark as trusted location. We will leave it unchecked.

Secure MFA and SSPR registration named locations

In our example, we will add the second IP address, which is the Branch Office.

Secure MFA and SSPR registration add public IP

Both the organization’s public IPs are added as named locations.

Secure MFA and SSPR registration add public IP

Step 2: Create Conditional Access policy

Click Policies > New policy.

Give it the name Secure registration on trusted networks.

Secure MFA and SSPR registration Conditional Access name

Click Users and groups and follow with Include. Select All users.

Secure MFA and SSPR registration Conditional Access Users and groups

Click Cloud apps or actions. Select User actions. Check the checkbox Register security information.

Secure MFA and SSPR registration Conditional Access Cloud apps or actions

Click Conditions and follow with Locations. Click on Yes. Click on Include and select Any location.

Secure MFA and SSPR registration Conditional Access Conditions

Click Exclude and select Selected locations. Select the named locations that you created in the previous steps.

Secure MFA and SSPR registration Conditional Access Conditons selected locations

Click Grant. Select Block access. Click on Select.

Secure MFA and SSPR registration Conditional Access Grant Block access

Click the On switch to enable the policy. Click Create.

Secure MFA and SSPR registration Conditional Access Enable policy

The policy Secure registration on trusted networks shows up in the Conditional Access policies list.

Secure MFA and SSPR registration Conditional Access policy list

Step 3: Enable combined security information registration experience

Navigate to Azure Active Directory > User settings > Manage user feature settings.

Azure AD manage user feature settings

Click on All and Save. In our example, the setting is already set to All and greyed out because it’s a new tenant.

Enable combined security information registration is automatically enabled for new tenants, and the setting is greyed out.

Enable combined security information registration experience

In the next step, you will verify your work and see the user experience.

Verify your work

After creating the policy, log in with a user to the Office 365 portal for testing purposes and check the user experience.

Test from both the not excluded public IP and the excluded public IP (Head Office or Branch Office).

Not trusted location

Below is an example of how it looks when a user signs in to Office 365 portal from a not trusted location.

You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin.

Not trusted location message shows that you cannot access this right now

Trusted location

Sign in to Office 365 portal from a trusted location. If you only configured MFA, the user will see the MFA configuration wizard.

Trusted location keep your account secure Microsoft Authenticator

Do you have MFA and SSPR configured? The user will see the SSPR configuration wizard.

Trusted location keep your account secure Phone

Everything looks great!

Read more: Move from MFA trusted IPs to Conditional Access named locations »

Conclusion

In this article, you learned how to secure Azure MFA and SSPR registration. Follow the steps, and the users can register for MFA and SSPR only on the excluded trusted locations. Extra security is always better than less security.

You don’t want an attacker to sign in to the organization with the compromised credentials and registers for MFA or SSPR. If the account is compromised, this extra security step will help.

Did you enjoy this article? You may also like Conditional Access MFA breaks Azure AD Connect synchronization. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top