You may be familiar with the Conditional Access policy feature in Azure AD as a means to control access to your tenant. In addition to granting or blocking access to the tenant as a whole, it is possible to restrict certain user actions. One important action you should consider controlling is from where a user can enroll in multifactor authentication (MFA).

Consider a scenario in which a user's password has been breached: the attacker spams them with MFA prompts until they approve one, and then registers their own MFA device as an additional authentication method.

Using conditional access, we can block this behavior and require users to be in certain locations or on certain devices to complete the security information registration.

Make sure you test this thoroughly before deploying it in production.

From Azure AD, navigate to Security > Conditional Access.

Click New policy to create a new Conditional Access policy.

Create a Conditional Access policy


Under Users or workload identities, I select just my test user account.

Select a single test user account


Under Cloud apps or actions, select User actions.

Select User actions


Select the Register security information option as shown in the screenshot below.

Select the Register security information option


Under Conditions > Locations, include All locations and exclude All trusted locations.

Exclude all trusted locations


Under Access controls, we will select Block.

Block access to register security info


This may seem counterintuitive; however, as we have excluded trusted locations (configured separately), the policy will only apply, and therefore block access, when the request comes from a location not marked as trusted.

Set the policy to Enabled and click Create.
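The same policy built above in the portal, expressed as an added Microsoft Graph PowerShell example (not from the original post) so it can be reviewed and versioned. It assumes the Microsoft.Graph module is installed and uses a placeholder test-user UPN; it also goes one step beyond the article by creating the policy in report-only mode first, so you can watch the sign-in logs before enforcing it.

```powershell
# Added example: create the "block security info registration outside trusted
# locations" policy through Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the signed-in admin can consent
# to the scopes below; the UPN is a placeholder to replace with your test user.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Same single test account the article scopes the policy to.
$testUser = Get-MgUser -UserId "testuser@contoso.onmicrosoft.com"   # placeholder UPN

$policy = @{
    displayName = "Block security info registration outside trusted locations"
    # Report-only first; switch to "enabled" after reviewing the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @($testUser.Id) }
        applications   = @{
            # The "Register security information" user action from the portal.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations marked as trusted
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once report-only results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

In report-only mode the sign-in logs show what the policy would have blocked without actually blocking anyone, which is the safest way to satisfy the "test thoroughly" advice above.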

It can take 10–15 minutes for the policy to kick in, but when it does, you will find you are unable to visit some areas of the Microsoft 365 Portal, such as aka.ms/mfasetup or the Update Info section of My Profile.

Unable to access update info


You will receive this message: You cannot access this right now.

Unable to access security information


In your Azure AD sign-in logs, you will see this message: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.


Access has been blocked by Conditional Access policies


If you need to allow a user to register security info while they are not in a trusted location, you can issue a Temporary Access Pass and allow the user to sign in without using their MFA device.

1 Comment
  1. Fragobar 5 months ago

    Thanks a lot for this how-to that saves my brain from headaches.


© 4sysops 2006 - 2023
