
Requiring two MFA methods with the Combined Registration

Last month, the combined MFA and password reset registration portal was made generally available.

Previously, a user registered his security information in two separate places: one for MFA and one for Self Service Password Reset.

Self Service Password Reset

Self Service Password Reset is a feature of Azure Active Directory that enables the user to reset his own password without the intervention of a support engineer.

First the user has to register for Self Service Password Reset by providing one or more verification methods. The possible methods are:

  • Verification code through Authentication app
  • Notification through authentication app
  • Text message
  • Phone call
  • Security key
  • Email address
  • Security questions

The IT administrator can choose how many methods are required (1 or 2) and which methods are available.

Multifactor Authentication

Multifactor authentication in Azure AD supports the following methods:

  • Phone call
  • Text message
  • Verification code through Authentication app
  • Notification through authentication app

Combined registration

As you can see, MFA and SSPR share a lot of the same verification methods. Up until last month, these two registrations did not share the methods a user had registered. This is where the combined registration comes in. If the combined registration portal is enabled, the user registers methods for MFA and SSPR at the same time.

I would recommend that everyone enable combined registration, as it simplifies matters for both the IT administrator and the user.

The only thing I dislike is that there is no way to force the user to register two methods. With the previous MFA registration portal, the user was required to fill in his mobile phone number for SMS verification after he had configured the Microsoft Authenticator. This meant that a user was still able to access his account when he switched phones.

By utilizing the settings from the Self Service Password Reset policy, we can require two authentication methods to be configured.

Setting up the SSPR policies

The trick is enabling SSPR for your users and requiring two methods for a password reset. This ensures that your users provide two methods when signing up for multifactor authentication.

Navigate to the password reset portal and enable SSPR.

Next, choose ‘authentication methods’ and require 2 methods for reset.

Untick email and security questions, as they are not available as multifactor authentication methods. (I also don’t like these, as they aren’t as secure as the rest.)

Requiring SSPR registration is not needed: the user will have to register for multifactor authentication the first time he/she receives an MFA prompt.

End-user experience

When a user logs in (and MFA is required through Conditional Access) he will be prompted to register for multifactor authentication.

He will be required to configure the Microsoft Authenticator app first.

After configuring the Microsoft Authenticator app, he will be required to set up a phone method. This can be either a mobile phone (call or text) or an office phone (call).

After this, the user has successfully signed up for the two methods, which can be used for multifactor authentication.
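To check that the setup described above actually leaves every user with two independent MFA methods (the Authenticator app and a phone number, as in the flow described in this post), here is an added example script that is not part of the original post. It assumes the registration data is exported as JSON in the shape of the Microsoft Graph authentication-methods user registration details report; the field names, method names and user principal names used below are assumptions and constructed sample data, not taken from the post.

```python
import json

# Method families that are usable for MFA in the setup from the post.
# Registering the Authenticator app yields both the push and the one-time-code
# method, but they live on the same phone, so they count as ONE family.
# Email and security questions are SSPR-only, so they are deliberately absent
# and never count toward the required two methods.
METHOD_FAMILY = {
    "microsoftAuthenticatorPush": "authenticator",
    "softwareOneTimePasscode": "authenticator",
    "mobilePhone": "phone",
    "alternateMobilePhone": "phone",
    "officePhone": "phone",
}


def mfa_families(methods_registered):
    """Return the set of independent MFA method families a user has registered."""
    return {METHOD_FAMILY[m] for m in methods_registered if m in METHOD_FAMILY}


def find_at_risk_users(report_json, required=2):
    """Return [(upn, families)] for users with fewer than `required` MFA families,
    i.e. users who would lose access to their account by switching phones."""
    report = json.loads(report_json)
    at_risk = []
    for entry in report["value"]:
        families = mfa_families(entry.get("methodsRegistered", []))
        if len(families) < required:
            at_risk.append((entry["userPrincipalName"], sorted(families)))
    return at_risk


# Constructed sample report (assumed shape of the Graph user registration
# details report; the UPNs are made up for this example).
SAMPLE_REPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@contoso.example",
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode", "mobilePhone"]},
    {"userPrincipalName": "bob@contoso.example",
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode", "email"]},
    {"userPrincipalName": "carol@contoso.example",
     "methodsRegistered": ["email", "securityQuestion"]},
]})

if __name__ == "__main__":
    for upn, families in find_at_risk_users(SAMPLE_REPORT):
        print(f"{upn}: MFA method families registered: {families or 'none'}")
```

Bob and Carol are reported because Authenticator-only (Bob) and SSPR-only methods (Carol) both leave a user with fewer than two methods that work for an MFA prompt.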

Conclusion

Note that this is currently a workaround for requiring two different MFA methods, as it also allows the user to reset his password through the cloud, which might not be desired.

This can be used to ensure that users do not lose access to their work account if they change phone or mobile number.
