Requiring two MFA methods with the Combined Registration
Last month, the combined MFA and password reset registration portal was made generally available.
Previously, a user registered their security information in two separate places: one for MFA and one for Self Service Password Reset.
Self Service Password Reset
Self Service Password Reset is a feature of Azure Active Directory that enables users to reset their own password without the intervention of a support engineer.
First the user has to register for Self Service Password Reset by providing one or more verification methods. The possible methods are:
- Verification code through Authentication app
- Notification through authentication app
- Text message
- Phone call
- Security key
- Email address
- Security questions
The IT administrator can choose how many methods are required (1 or 2) and which methods are available.
Multifactor Authentication
Multifactor authentication in Azure AD supports the following methods:
- Phone call
- Text message
- Verification code through Authentication app
- Notification through authentication app

Combined registration
As you can see, MFA and SSPR share most of their verification methods. Up until last month, however, the two features did not share the methods a user had registered. This is where the combined registration comes in: if the combined registration portal is enabled, the user registers methods for MFA and SSPR at the same time.
Navigate to Azure AD, user settings and select feature previews. Enable the combined registration for a pilot group or all users.
I would recommend that everyone enable combined registration, as it simplifies matters for both the IT administrator and the user.
The only thing I dislike is that there is no way to force the user to register two methods. With the previous MFA registration portal, the user was required to fill in a mobile phone number for SMS verification after configuring the Microsoft Authenticator. This meant that a user could still access their account after switching phones.
By reusing the settings from the Self Service Password Reset policy, we can require that two authentication methods be configured.
Setting up the SSPR policies
The trick is enabling SSPR for your users and requiring two methods for a password reset. Because the combined portal enforces the SSPR policy at registration time, this ensures that your users provide two methods when they sign up for multifactor authentication.
Navigate to the password reset portal and enable SSPR.

Next up, choose ‘Authentication methods’ and set the number of methods required to reset to 2.
Untick email and security questions, as neither is available as a multifactor authentication method. If they stay ticked, a user can satisfy the two-method requirement with Authenticator plus a security question and still end up with only one method that works for MFA. (I also dislike these two because they are less secure than the rest.)

Requiring SSPR registration at sign-in is not needed. The user will be asked to register for multifactor authentication the first time they receive an MFA prompt.
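To check that the policy actually produced the intended result across the tenant, the following PowerShell is an added example and is not part of the original post. It reads the authentication methods registration report through the Microsoft Graph PowerShell SDK (Get-MgReportAuthenticationMethodUserRegistrationDetail) and flags users who have fewer than two methods that count for MFA, excluding email and security questions for the same reason they are unticked above. The module name, the Graph scopes and the method identifier strings in the report are assumptions about the current Graph API and should be checked against the documentation for your tenant; the three sample users at the bottom are constructed so the function can be tried offline first.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph.Reports
# module is installed and the signed-in administrator has the scopes listed below.

# Methods that count towards MFA, following the MFA list in the post:
# Authenticator notification, Authenticator code, text message, phone call.
# Email and security questions are SSPR-only and deliberately excluded.
# The string values are the identifiers returned in the report's MethodsRegistered
# property (assumption: check against the Graph userRegistrationDetails reference).
$MfaCapableMethods = @(
    'microsoftAuthenticatorPush',   # Notification through authentication app
    'softwareOneTimePasscode',      # Verification code through authentication app
    'mobilePhone',                  # Text message or phone call
    'alternateMobilePhone',
    'officePhone'
    # 'fido2SecurityKey' could be added if security keys are accepted for MFA in your tenant
)

function Get-UsersMissingSecondMfaMethod {
    param(
        [Parameter(Mandatory)] [object[]] $RegistrationDetails,
        [int] $RequiredMethods = 2
    )
    foreach ($u in $RegistrationDetails) {
        # Keep only the registered methods that are usable for MFA
        $mfaMethods   = @($u.MethodsRegistered | Where-Object { $_ -in $MfaCapableMethods })
        $otherMethods = @($u.MethodsRegistered | Where-Object { $_ -notin $MfaCapableMethods })
        if ($mfaMethods.Count -lt $RequiredMethods) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                MfaMethodCount    = $mfaMethods.Count
                MfaMethods        = ($mfaMethods -join ',')
                SsprOnlyMethods   = ($otherMethods -join ',')
            }
        }
    }
}

# --- Offline dry run on constructed sample data ------------------------------
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; MethodsRegistered = @('microsoftAuthenticatorPush', 'mobilePhone') }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   MethodsRegistered = @('microsoftAuthenticatorPush', 'email', 'securityQuestion') }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; MethodsRegistered = @() }
)
Get-UsersMissingSecondMfaMethod -RegistrationDetails $sample | Format-Table -AutoSize
# Only alice passes. bob has three methods registered, but email and security
# questions give him no second MFA method, which is exactly why the post unticks
# them in the SSPR policy. carol has registered nothing yet.

# --- Live tenant -------------------------------------------------------------
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'
# $report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
# Get-UsersMissingSecondMfaMethod -RegistrationDetails $report |
#     Export-Csv -Path .\missing-second-mfa-method.csv -NoTypeInformation
```

Run the live section after the policy has been in place for a while and the CSV shows who has only registered one MFA-capable method (or none) and therefore risks being locked out when they change phones. The function is kept separate from the Graph call so the same logic can be applied to an exported report or to the beta version of the cmdlet.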

End-user experience
When a user logs in (and MFA is required through Conditional Access), they will be prompted to register for multifactor authentication.

The user is required to configure the Microsoft Authenticator app first.


After this, the user has successfully registered two methods, both of which can be used for multifactor authentication.

Conclusion
Note that this is currently a workaround for requiring two different MFA methods. It also allows the user to reset their password through the cloud, which might not be desired in every organisation; the second method you require now doubles as a password-reset path, so it should be as trustworthy as the first.
This can be used to ensure that users do not lose access to their work account if they change phone or mobile number.