Thank you for your detailed post!
I understand that when users open the Outlook 2016 client there's an SSPR registration page that comes up for some, even though they're showing as SSPR capable within the User Registration Details pages. You recently set up Azure MFA for Exchange 2016 on-prem, and your Conditional Access policies aren't initiating this pop-up since your public IPs are trusted locations. To help point you in the right direction or hopefully resolve your issue, I'll share my findings below.
Error Message:
User authentication was blocked because they need to provide password reset information. Their next interactive sign-in will ask them for this, which the app should trigger next.
Findings:
When it comes to users being SSPR Capable, this indicates the users with enough registered authentication methods to meet your organization's SSPR policy and enabled by policy to perform SSPR. If your users are showing as SSPR Capable within the User registration details, and have completed all the required registration steps, I agree that they shouldn't be receiving the SSPR prompt.
To further understand and troubleshoot your issue since this is only affecting some users:
- For the users that have completed the SSPR registration again, what happened afterwards?
- When it comes to your Conditional Access Policy, can you see if you ever enabled the "Register security information" setting? Since this could possibly be causing an SSPR refresh enforced Interrupt mode. For more info.
- Did you enable the Reconfirm authentication information setting, which will require users to confirm their registered information after a certain period of time?
Similar issue:
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.