Secure the Azure MFA registration process with Conditional Access

About a week ago a new option showed up in Azure Conditional Access: the User Action "Register security information". With this option we can control the locations from which an Office 365/Azure AD user is allowed to register Multi-Factor Authentication (MFA) or Self-Service Password Reset (SSPR) information. We can now, for example, only allow registration of MFA information from our internal network, which we consider secure.

In this blog post I show how to set up a Conditional Access policy that restricts the registration of security information to my own network. My network is registered as a Named Location using my external IP address.
I assume you have already set up Multi-Factor Authentication and/or Self-Service Password Reset in Azure.

Setup Azure Conditional Access policy

We first set up a new Named Location. In this example I create a location for my office network that contains my external IP address and mark it as a trusted location.

  1. Sign-in to the Azure Portal
  2. Click on Azure Active Directory
  3. Click Conditional Access – Named Locations
  4. Click New location

  1. Give the location a Name
  2. Check Mark as trusted location
  3. Add your external IP address under IP ranges
  4. Click Create

Once the new location exists, we create a new Conditional Access policy that uses the new user action Register security information.

  1. Click Policies
  2. Click Create policy

  1. Give your policy a Name
  2. Click the Users and Groups tab
  3. Select All users, or choose Select users and groups and pick the security group the policy should apply to
  4. Click Done

  1. Click the Cloud apps or actions tab
  2. Click User Actions
  3. Check Register security information
  4. Click Done

  1. Click the Conditions tab
  2. Click the Locations tab
  3. Click Yes to enable the condition
  4. On the Include tab check Any location
  5. On the Exclude tab check All trusted locations
  6. Click Done twice

  1. Click the Grant tab
  2. Check Block Access
  3. Click Select
  4. Click On under Enable Policy
  5. Click Create

The configuration is now finished and becomes active within a few minutes.
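The same Named Location and policy can also be created with the Microsoft Graph PowerShell SDK instead of clicking through the portal. This is an added example and not part of the original post. The IP address (203.0.113.10, a documentation range), the break-glass account name and the display names are placeholders; unlike the portal walkthrough above, the script starts the policy in report-only mode and excludes an emergency-access account from it.

```powershell
# Added example: create the trusted Named Location and the blocking policy
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# 1. Named Location for the office network, marked as trusted.
#    203.0.113.10 is a placeholder; use your real external address/range.
$locationParams = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office network"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.10/32"
        }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationParams
Write-Host "Created named location $($location.DisplayName) ($($location.Id))"

# 2. Break-glass account to exclude, so a wrong IP range cannot lock
#    everyone out of MFA/SSPR registration. Placeholder UPN.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

# 3. Conditional Access policy:
#    users: All (minus break-glass), user action: register security info,
#    locations: Any location, excluding All trusted locations, grant: Block.
#    State starts as report-only; switch to "enabled" after reviewing the
#    sign-in logs for users who would have been blocked.
$policyParams = @{
    displayName   = "Block security info registration outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams
Write-Host "Created policy $($policy.DisplayName) in state $($policy.State)"

# 4. Verify what was stored before enabling it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = "UserActions";      e = { $_.Conditions.Applications.IncludeUserActions } },
        @{ n = "ExcludedLocations"; e = { $_.Conditions.Locations.ExcludeLocations } },
        @{ n = "Grant";            e = { $_.GrantControls.BuiltInControls } }
```

Two things worth checking before flipping the state to enabled: the report-only results in the Azure AD sign-in logs will show which users would have been blocked (new hires who onboard from home cannot register MFA until they reach the trusted network), and the excluded emergency-access account should itself already have strong authentication registered, since this policy is exactly the kind of control that can lock an administrator out if the Named Location is wrong.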

End-user experience

On a device that is not connected to the internal network of a trusted location, sign in to Office.com with a new user. The user needs to register MFA or SSPR information but is blocked from doing so.

On a device that is connected to the internal network of a trusted location, we are allowed to register MFA or SSPR information as usual.
