It has been a long time since my last blogpost. This week we have configured something new and very useful. Self Service Password Reset. Many companies have a integrated process on how to reset the passwords for there end users. But why use a process that claims a lot of tickets and asks a lot of patients from the end user perspective. In this article i show you how you can block Multi factor and Self service password reset, from untrusted locations using Azure AD Conditional Access. This setting is also one of the common policies that Microsoft recommends when using conditional access within Azure AD.
When you want to enable MultiFactor Authentication and Self Service Password Reset for your users, they need to register first. This can be a issue for some users. In my experience it is important that users keep using the Azure authenticator app, sometimes it happens that users remove this app. In this case it is necessary to contact IT support to ask for a MFA reset.
The above can be a blocker for some users but from IT perspective this is great because we can control this user action with Conditional Access. This give’s you the flexibility to limit this to only trusted locations, or even trusted (hybrid ad joined) devices if you want. This means that a user can only use MFA and or SSPR from one of the selected and configured locations.
Lets start configuring Self Service Password Reset
Go to Azure Active Directory, User Settings and go to Manage user feature preview settings. Next, select a specific user group, or enable this for all your users.
Next up is to create a Conditional Access policy with the following settings:
- Enter a name for this policy. something like, Info Registration on Trusted Networks.
- Under Assignments, click Users and groups, and select the users and groups you want this policy to apply to.
- Under Cloud apps or actions, select User actions, check Register security information (preview).
4. The next step we will find under Conditions > Locations.
- Configure Yes.
- Include Any location.
- Exclude All trusted locations
5. After this we go to Access controls > Grant.
- Click Block access.
- Then click Select.
With this configuration we block all access from all locations except the once you have configured within you trusted locations.
6. The last step is to enable the policy, we can do this to Set Enable policy to On. Then click Save. and the policy will be activated directly.
Before we go to the user Experience you can also check out this blog to optimize the security of user accounts even further.
From an end-user perspective, you would go to either https://aka.ms/setupsecurityinfo or https://aka.ms/mfasetup When users do this from an untrusted location, they will not have access to one of these pages.