Restricting registration to Azure AD MFA from trusted locations with Conditional Access policy

You may be familiar with the Conditional Access policy feature in Azure AD as a means to control access to your tenant. In addition to granting or blocking access to the tenant as a whole, it is possible to restrict certain user actions. One important action you should consider controlling is from where a user can enroll in multifactor authentication (MFA).

Author
Recent Posts

Robert Pearman

Robert is a small business specialist from the UK and currently works as a system administrator. He was a Microsoft MVP for eight years and has worked as a technical reviewer for Microsoft Press. You can follow Robert on Twitter and in his blog.

Latest posts by Robert Pearman (see all)

Run Exchange Online commands using Azure Automation - Tue, Jul 25 2023
Connect to Exchange Online with PowerShell and certificate-based authentication - Wed, Jul 19 2023
Office Deployment Tool (ODT): Deploy Office using custom XML files - Thu, Mar 30 2023

Consider a scenario in which a user has their password breached; they are spammed with MFA prompts until they accept one, and then an attacker registers their own MFA device.

Using conditional access, we can block this behavior and require users to be in certain locations or on certain devices to complete the security information registration.

Make sure you test this thoroughly before deploying it in production.

From Azure AD, navigate to Security > Conditional Access.

Click New policy to create a new Conditional Access policy.

Create a Conditional Access policy

Under Users or workload identities, I select just my test user account.

Select a single test user account

Under Cloud apps or actions, select User actions.

Select User actions

Select the Register security information option as shown in the screenshot below.

Select the Register security information option

Under conditions, we will include All locations, and exclude All trusted locations.

Exclude all trusted locations

Under Access controls, we will select Block.

Block access to register security info

This may seem counterintuitive; however, as we have excluded trusted locations (configured separately), the policy will only apply, and therefore block access, when the request comes from a location not marked as trusted.

Set the policy to Enabled and click Create.

It can take 10–15 minutes for the policy to kick in, but when it does, you will find you are unable to visit some areas of the Microsoft 365 Portal, such as aka.ms/mfasetup or the Update Info section of My Profile.

Unable to access update info

You will receive this message: You cannot access this right now.

Unable to access security information

In your Azure AD sign-in logs, you will see this message: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Subscribe to 4sysops newsletter!

Access has been blocked by Conditional Access policies

If you need to allow a user to register security info while they are not in a trusted location, you can issue a Temporary Access Pass and allow the user to sign in without using their MFA device.