A new feature has just been released into Preview in Conditional Access that allows you to control the conditions under which a user is allowed to register their security info. For example, you can block a user from registering security info if they are not on the corporate network (a trusted location). In this post I will show you how to configure a Conditional Access policy to do just that. Note: for this to work you must have enabled the combined registration experience.
- Firstly, navigate to https://portal.azure.com
- Open up the Conditional Access blade from either Azure Active Directory or Intune
- Create a new policy
- Name the policy something meaningful
- Select the users/groups this policy will apply to
- Under Cloud apps or actions, choose User actions
- Tick “Register Security Information (Preview)”
- Under Conditions, choose Locations
- Set Configure to Yes
- Include – Any Location
- Exclude – All Trusted Locations
- Under Access Controls > Grant, choose “Require Multi-Factor Authentication”
The end result is that, once the policy is enabled, an end user who goes to register their security information from somewhere other than a trusted location (i.e. the corporate network) will see the following message:
The reason we used “Require Multi-Factor Authentication” as the grant control rather than “Block access” is that we only want the user to have to be at a trusted location for the initial registration. Once they have registered their details we want them to be able to amend those details from any location, which they will be able to do because they can satisfy an MFA request once they have registered the first time.
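For anyone who would rather script the same policy than click through the portal, here is the equivalent built with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post: it assumes the Microsoft.Graph module is installed, that the account you connect with can write Conditional Access policies, and that `$GroupId` is replaced with the object ID of your pilot group (the value below is a placeholder).

```powershell
# Added example: create the "secure security info registration" policy via Graph.
# Scope Policy.ReadWrite.ConditionalAccess is needed to create CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the group the policy should apply to.
$GroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Secure security info registration"
    # Report-only first so you can review the sign-in logs, then set to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($GroupId)
        }
        clientAppTypes = @("all")
        applications = @{
            # The "Register security information" user action from the portal.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")          # Include: Any Location
            excludeLocations = @("AllTrusted")   # Exclude: All Trusted Locations
        }
    }
    grantControls = @{
        operator        = "OR"
        # "mfa" rather than "block": first registration must happen on a trusted
        # network, but later changes from anywhere only need an MFA prompt.
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run it once in report-only mode and check the Conditional Access tab of the sign-in logs for the registration attempts before switching the state to "enabled".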