Consider a scenario in which a user's password has been breached: the attacker spams the user with MFA prompts until one is accepted, and then registers their own MFA device on the account.
Using conditional access, we can block this behavior and require users to be in certain locations or on certain devices to complete the security information registration.
Make sure you test this thoroughly before deploying it in production.
From Azure AD, navigate to Security > Conditional Access.
Click New policy to create a new Conditional Access policy.
Under Users or workload identities, I select just my test user account.
Under Cloud apps or actions, select User actions.
Select the Register security information option as shown in the screenshot below.
Under conditions, we will include All locations, and exclude All trusted locations.
Under Access controls, we will select Block.
This may seem counterintuitive; however, as we have excluded trusted locations (configured separately), the policy will only apply, and therefore block access, when the request comes from a location not marked as trusted.
Set the policy to Enabled and click Create.
It can take 10–15 minutes for the policy to kick in, but when it does, you will find you are unable to visit some areas of the Microsoft 365 Portal, such as aka.ms/mfasetup or the Update Info section of My Profile.
You will receive this message: You cannot access this right now.
In your Azure AD sign-in logs, you will see this message: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
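The same policy created from Microsoft Graph PowerShell, plus the sign-in log check, as an added example that is not from the original post. It assumes the Microsoft.Graph module is installed and that the test user UPN is replaced with your own; the policy is created in report-only mode first, matching the advice to test before enforcing.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph
# module is installed and that $testUserUpn is replaced with your own test account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$testUserUpn = "testuser@contoso.example"   # placeholder; replace with your test user
$testUser    = Get-MgUser -UserId $testUserUpn

$policy = @{
    displayName = "Block security info registration from untrusted locations"
    # Report-only first: sign-in logs show what *would* be blocked without
    # locking anyone out. Switch to "enabled" once the results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Scope to the single test account, as in the portal walkthrough
        users        = @{ includeUsers = @($testUser.Id) }
        # User action "Register security information"
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        # Include all locations, exclude the named/trusted locations
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After the test user tries aka.ms/mfasetup from an untrusted location (allow
# 10-15 minutes for the policy to apply), pull their recent sign-ins and show
# the Conditional Access outcome; "failure" is the block described above.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testUserUpn'" -Top 20 |
    Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus,
                  @{ n = 'Error'; e = { $_.Status.ErrorCode } }

# Once satisfied, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```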
If you need to allow a user to register security info while they are not in a trusted location, you can issue a Temporary Access Pass and allow the user to sign in without using their MFA device.