Edit

Enable combined security information registration in Azure Active Directory

  • Article

Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. Users were confused that similar methods were used for Azure AD Multi-Factor Authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both Azure AD Multi-Factor Authentication and SSPR.

Note

Effective Mar. 14th, 2023 combined registration is now the default MFA and SSPR registration experience for all organizations.

To help you understand the functionality and effects of the new experience, see the Combined security information registration concepts.

Combined security information registration enhanced experience

Conditional Access policies for combined registration

To secure when and how users register for Azure AD Multi-Factor Authentication and self-service password reset, you can use user actions in Conditional Access policy. This functionality may be enabled in organizations that want users to register for Azure AD Multi-Factor Authentication and SSPR from a central location, such as a trusted network location during HR onboarding.

Note

This policy applies only when a user accesses a combined registration page. This policy doesn't enforce MFA enrollment when a user accesses other applications.

You can create an MFA registration policy by using Azure Identity Protection - Configure MFA Policy.

For more information about creating trusted locations in Conditional Access, see What is the location condition in Azure Active Directory Conditional Access?

Create a policy to require registration from a trusted location

Complete the following steps to create a policy that applies to all selected users that attempt to register using the combined registration experience, and blocks access unless they are connecting from a location marked as trusted network:

  1. In the Azure portal, browse to Azure Active Directory > Security > Conditional Access.

  2. Select + New policy.

  3. Enter a name for this policy, such as Combined Security Info Registration on Trusted Networks.

  4. Under Assignments, select Users. Choose the users and groups you want this policy to apply to.

    Warning

    Users must be enabled for combined registration.

  5. Under Cloud apps or actions, select User actions. Check Register security information, then select Done.

    Create a conditional access policy to control security info registration

  6. Under Conditions > Locations, configure the following options:

    1. Configure Yes.
    2. Include Any location.
    3. Exclude All trusted locations.

  7. Under Access controls > Grant, choose Block access, then Select.

  8. Set Enable policy to On.

  9. To finalize the policy, select Create.

Next steps

If you need help, see troubleshoot combined security info registration or learn What is the location condition in Azure AD Conditional Access?

Review how you can enable self-service password reset and enable Azure AD Multi-Factor Authentication in your tenant.

If needed, learn how to force users to re-register authentication methods.