Conditional Access behaviour with combined security information registration

conditional access Jul 10, 2020

Identity and access management is one of the four main concepts for enterprise-class technology infrastructure security. Identities are of great importance, unique and need to be managed for authentication and authorisation of any kind. Access management to specific ressources should lead into zero trust and be dedicated to only what a princpal demands. Azure Active Directory can offer you many benefits to meet organizational needs to this requirements.

Conditional Access is a Microsoft Cloud tool to protect apps or ressources owned by the organization. It is representing as a middle security authority which is inbetween the user and any organization asset. When accessing apps and data, conditional access proofs if your signals/conditions (for example: location, device, application or even real-time risk) are compliant to what the policy enforces. Conditional Access will then decide what controls take place. This can be an additional verification through MFA (multi-factor-authentication), compliant device (Intune) - AD join types or others.
Source: Microsoft

As mentioned Multi-Factor-Authenticaion can be an important step to validate your identity. But MFA can be used in three diffrent ways:

  • enable MFA in general for a particular user (used for high priviledged users)
    -this will result in consequent promt of MFA for every login
  • usecase in Conditional Access within an isolated policy.
  • Self-Service-Password-Reset to confirm you're the legitimate owner of the account

When registering for MFA a second authentication method is used to get an extra level of security in terms of identity. Microsoft provides following methods: Microsoft Authenticator App (either 6-digit code or push notification), email address which is not a business or school email, or a telephone number with a text message or a phone call. It's also possible to register multiple of them.

This second authentication can also be used for Self-Service-Password-Reset that allows an enduser to reset his password without any help from the IT. The only problem with this is that general MFA and SSPR don't access the same security information. (security information = MFA data like personal phone number or email) as described here. This can lead into confusion as I also got trapped. But Azure gives you the option to create a combined registration/experience for this services and not run it separately. For this reason I've done some research and tested some scenarios. To activate this combined experience move here:
The short version is: if you activate this feature the users won't be impacted directly, only when MFA is required for a Conditional Access policy - then a confirmation of the already provided information is needed. But the advantage is clearly that users will not have to do 2 security information registrations and both services work fluently.

Policy: Block user registration security information from foreign locations

Now lets add Conditional Access to our starting scenario. Let's say you want to build a CA policy to prohibit any security information registration for users when they do not meet certain access controls. This can be a location area or a compliant device. This will only work with the combined security registration and the setting turned on.

First indicate the actions:
Then add the conditions, for my case I selected some locations:
And finally decide access controls.

Always be careful creating Conditional Access policies, only apply them to a selected range of users/groups!

So with this policy created here is the behaviour of it:
With this knowledge, you're ready to go!

Niklas Tinner

Young IT Nerd.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.