Combined registration for SSPR and Azure AD Multi-Factor Authentication - Azure Active Directory - Microsoft Entra (2023)


Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. Users found it confusing that similar methods were used for multifactor authentication and SSPR, yet they had to register for both features. With combined registration, users register once and get the benefits of both multifactor authentication and SSPR.

Note

Effective Oct. 1st, 2022, we will begin to enable combined registration for all users in Azure AD tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration.

This article outlines what combined security registration is. To get started with combined security registration, see the following article:

Enable combined security registration


Before enabling the new experience, review this administrator-focused documentation and the user-focused documentation to ensure you understand the functionality and effect of this feature. Base your training on the user documentation to prepare your users for the new experience and help to ensure a successful rollout.


Azure AD combined security information registration is available for Azure US Government but not Azure China 21Vianet.

Important

Users that are enabled for both the original preview and the enhanced combined registration experience see the new behavior. Users that are enabled for both experiences see only the My Account experience. My Account aligns with the look and feel of combined registration and provides a seamless experience for users. Users can reach My Account by going to https://myaccount.microsoft.com.

You can set Require users to register when signing in to Yes to require all users to register when signing in, ensuring that all users are protected.

You might encounter an error message while trying to access the Security info option, such as, "Sorry, we can't sign you in". Confirm that you don't have any configuration or group policy object that blocks third-party cookies on the web browser.

My Account pages are localized based on the language settings of the computer accessing the page. Microsoft stores the most recent language used in the browser cache, so subsequent attempts to access the pages continue to render in the last language used. If you clear the cache, the pages re-render.

If you want to force a specific language, you can add ?lng=<language> to the end of the URL, where <language> is the code of the language you want to render.


Methods available in combined registration

Combined registration supports the authentication methods and actions in the following table.

Method                    Register             Change   Delete
Microsoft Authenticator   Yes (maximum of 5)   No       Yes
Other authenticator app   Yes (maximum of 5)   No       Yes
Hardware token            No                   No       Yes
Phone                     Yes                  Yes      Yes
Alternate phone           Yes                  Yes      Yes
Office phone*             Yes                  Yes      Yes
Email                     Yes                  Yes      Yes
Security questions        Yes                  No       Yes
App passwords*            Yes                  No       Yes
FIDO2 security keys*      Yes                  No       Yes

Note

Office phone can only be registered in Interrupt mode if the user's Business phone property has been set. Office phone can be added by users in Managed mode from the Security info page without this requirement.
App passwords are available only to users who have been enforced for Azure AD Multi-Factor Authentication. App passwords are not available to users who are enabled for Azure AD Multi-Factor Authentication by a Conditional Access policy.
FIDO2 security keys can only be added in Managed mode, from the Security info page.


Users can set one of the following options as the default multifactor authentication method.

  • Microsoft Authenticator – push notification or passwordless
  • Authenticator app or hardware token – code
  • Phone call
  • Text message

Note

Virtual phone numbers are not supported for Voice calls or SMS messages.

Third-party authenticator apps do not provide push notification. As we continue to add more authentication methods to Azure AD, those methods become available in combined registration.

Combined registration modes

There are two modes of combined registration: interrupt and manage.

  • Interrupt mode is a wizard-like experience, presented to users when they register or refresh their security info at sign-in.
  • Manage mode is part of the user profile and allows users to manage their security info.

For both modes, users who have previously registered a method that can be used for Azure AD Multi-Factor Authentication need to perform multifactor authentication before they can access their security info. Users must confirm their information before continuing to use their previously registered methods.

Interrupt mode

Combined registration adheres to both multifactor authentication and SSPR policies, if both are enabled for your tenant. These policies control whether a user is interrupted for registration during sign-in and which methods are available for registration. If only an SSPR policy is enabled, then users will be able to skip (indefinitely) the registration interruption and complete it at a later time.

The following are sample scenarios where users might be prompted to register or refresh their security info:


  • Multifactor Authentication registration enforced through Identity Protection: Users are asked to register during sign-in. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).
  • Multifactor Authentication registration enforced through per-user multifactor authentication: Users are asked to register during sign-in. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).
  • Multifactor Authentication registration enforced through Conditional Access or other policies: Users are asked to register when they use a resource that requires multifactor authentication. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).
  • SSPR registration enforced: Users are asked to register during sign-in. They register only SSPR methods.
  • SSPR refresh enforced: Users are required to review their security info at an interval set by the admin. Users are shown their info and can confirm the current info or make changes if needed.

When registration is enforced, users are shown the minimum number of methods needed to be compliant with both multifactor authentication and SSPR policies, from most to least secure. Users going through combined registration where both MFA and SSPR registration are enforced and the SSPR policy requires two methods are first required to register an MFA method, and can then select another MFA or SSPR-specific method (for example, email or security questions) as the second registered method.

Consider the following example scenario:

  • A user is enabled for SSPR. The SSPR policy requires two methods to reset and has enabled Authenticator app, email, and phone.
  • When the user chooses to register, two methods are required:
    • The user is shown Authenticator app and phone by default.
    • The user can choose to register email instead of Authenticator app or phone.
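The interrupt-mode rules above (minimum number of methods, most secure first, MFA method in the first slot when MFA is enforced, and partial registration counting toward the total) as a simplified model. This is an added example, not Microsoft's implementation; the concrete "most to least secure" ordering and the method names are assumptions taken from the methods table in this article.

```python
"""Simplified model of the combined-registration interrupt logic.

Added example; not Microsoft's code. Assumptions (not stated by the article):
the concrete security ordering below, and that any already-registered method
that the policy allows counts toward the number of methods still needed.
"""

from dataclasses import dataclass, field

# Assumed ordering from most to least secure. MFA-capable methods come first,
# SSPR-only methods (email, security questions) last.
MFA_METHODS = [
    "Microsoft Authenticator",
    "Other authenticator app",
    "Hardware token",
    "Phone",
    "Alternate phone",
    "Office phone",
]
SSPR_ONLY_METHODS = ["Email", "Security questions"]
SECURITY_ORDER = MFA_METHODS + SSPR_ONLY_METHODS


@dataclass
class Policy:
    mfa_enforced: bool          # Identity Protection, per-user MFA or Conditional Access
    sspr_enforced: bool         # SSPR registration enforced for this user
    sspr_required: int = 1      # methods the SSPR policy needs to reset a password
    enabled: set = field(default_factory=set)  # methods the tenant lets users register


def methods_still_needed(policy: Policy, registered: set) -> int:
    """Minimum number of additional methods needed to satisfy both policies.

    Methods already registered (by the user or an admin) count toward the
    total, which is the "partial registration" case from the article.
    """
    needed = 1 if policy.mfa_enforced else 0
    if policy.sspr_enforced:
        needed = max(needed, policy.sspr_required)
    already = len(set(registered) & policy.enabled)
    return max(0, needed - already)


def registration_prompt(policy: Policy, registered: set = frozenset()) -> dict:
    """What the interrupt wizard shows for this user.

    Returns the default methods (most secure first), the methods the user may
    swap in via "I want to set up another method", and whether the first slot
    is locked to an MFA-capable method because MFA registration is enforced
    and nothing MFA-capable is registered yet.
    """
    registered = set(registered)
    slots = methods_still_needed(policy, registered)
    candidates = [m for m in SECURITY_ORDER
                  if m in policy.enabled and m not in registered]
    mfa_slot_locked = (policy.mfa_enforced and slots > 0
                       and not (registered & set(MFA_METHODS)))
    if mfa_slot_locked and not any(m in MFA_METHODS for m in candidates):
        # The first method must be usable for MFA; a policy that enables only
        # SSPR-specific methods can never satisfy that, so fail loudly.
        raise ValueError("MFA registration enforced but no MFA-capable method enabled")
    # Because MFA-capable methods sort first, taking the first `slots`
    # candidates already puts an MFA method in the first slot when one exists.
    return {
        "default": candidates[:slots],
        "alternatives": candidates[slots:],
        "mfa_slot_locked": mfa_slot_locked,
    }


if __name__ == "__main__":
    # The article's scenario: SSPR requires two methods; Authenticator app,
    # email and phone are enabled. Expect Authenticator and phone by default,
    # with email offered as the alternative.
    article_case = Policy(mfa_enforced=False, sspr_enforced=True, sspr_required=2,
                          enabled={"Microsoft Authenticator", "Email", "Phone"})
    print(registration_prompt(article_case))
```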

The following flowchart describes which methods are shown to a user when interrupted to register during sign-in:

[Flowchart image: methods shown to a user who is interrupted to register at sign-in]

If you have both multifactor authentication and SSPR enabled, we recommend that you enforce multifactor authentication registration.

If the SSPR policy requires users to review their security info at regular intervals, users are interrupted during sign-in and shown all their registered methods. They can confirm the current info if it's up to date, or they can make changes if they need to. Users must perform multi-factor authentication when accessing this page.

Manage mode

Users can access manage mode by going to https://aka.ms/mysecurityinfo or by selecting Security info from My Account. From there, users can add methods, delete or change existing methods, change the default method, and more.

Key usage scenarios

Set up security info during sign-in

An admin has enforced registration.

A user has not set up all required security info and goes to the Azure portal. After the user enters the user name and password, the user is prompted to set up security info. The user then follows the steps shown in the wizard to set up the required security info. If your settings allow it, the user can choose to set up methods other than those shown by default. After users complete the wizard, they review the methods they set up and their default method for multifactor authentication. To complete the setup process, the user confirms the info and continues to the Azure portal.

Set up security info from My Account

An admin has not enforced registration.

A user who hasn't yet set up all required security info goes to https://myaccount.microsoft.com. The user selects Security info in the left pane. From there, the user chooses to add a method, selects any of the methods available, and follows the steps to set up that method. When finished, the user sees the method that was set up on the Security info page.


Set up other methods after partial registration

If a user has partially satisfied MFA or SSPR registration due to existing authentication method registrations performed by the user or admin, users will only be asked to register additional information allowed by the Authentication methods policy settings when registration is required. If more than one other authentication method is available for the user to choose and register, an option on the registration experience titled I want to set up another method will be shown and allow the user to set up their desired authentication method.


Delete security info from My Account

A user who has previously set up at least one method navigates to https://aka.ms/mysecurityinfo. The user chooses to delete one of the previously registered methods. When finished, the user no longer sees that method on the Security info page.

Change the default method from My Account

A user who has previously set up at least one method that can be used for multifactor authentication navigates to https://aka.ms/mysecurityinfo. The user changes the current default method to a different default method. When finished, the user sees the new default method on the Security info page.

Switch directory

An external identity such as a B2B user may need to switch the directory to change the security registration information for a third-party tenant. In addition, users who access a resource tenant may be confused when they change settings in their home tenant but don't see the changes reflected in the resource tenant.

For example, a user sets Microsoft Authenticator app push notification as the primary authentication method to sign in to the home tenant and also has SMS/text as another option. This user is also configured with the SMS/text option on a resource tenant. If this user removes SMS/text as one of the authentication options in their home tenant, they are confused when access to the resource tenant asks them to respond to an SMS/text message.

To switch the directory in the Azure portal, click the user account name in the upper right corner and click Switch directory.


Or, you can specify a tenant by URL to access security information.

https://mysignins.microsoft.com/security-info?tenant=<Tenant Name>

https://mysignins.microsoft.com/security-info/?tenantId=<Tenant ID>


Next steps

To get started, see the tutorials to enable self-service password reset and enable Azure AD Multi-Factor Authentication.

Learn how to enable combined registration in your tenant or force users to re-register authentication methods.

You can also review the available methods for Azure AD Multi-Factor Authentication and SSPR.

FAQs

How do I enable combined registration for SSPR and MFA?

Go to Users > User settings > Manage user preview settings. Under the option "Users can use the combined security information registration experience", choose "All" and then click "Save". At the next login via the web portal, users should be prompted if they have not set up MFA/SSPR.

Which three authentication types support both SSPR and MFA?

SMS and Voice call are both available for MFA usage, as well as SSPR usage; but app passwords can only be used for MFA – and even in those cases, it can only be used in certain conditions. The Azure AD password is considered an authentication method. It's the only authentication method that cannot be disabled.

Is MFA required for SSPR?

Users going through combined registration where both MFA and SSPR registration is enforced and the SSPR policy requires two methods will first be required to register an MFA method as the first method and can select another MFA or SSPR specific method as the second registered method (e.g. email, security questions etc. ...

How do I register my SSPR in Azure AD?

Sign in to the Azure portal. Search for and select Azure Active Directory, then select Password reset from the menu on the left side. From the Properties page, under the option Self service password reset enabled, select None. To apply the SSPR change, select Save.

Can you use SSPR self-service password reset with Microsoft Authenticator?

Mobile app and SSPR

When using a mobile app as a method for password reset, like the Microsoft Authenticator app, the following considerations apply: When administrators require one method be used to reset a password, verification code is the only option available.

How do I enable combined registration?

Enable combined registration

Go to Azure Active Directory > User settings > Manage user feature settings. Under Users can use the combined security information registration experience, choose to enable for a Selected group of users or for All users.

What are the three (3) main types of authentication?

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as bank card; something you are: biometrics, such as fingerprints and voice recognition.

What are the two types of authentication for Microsoft Azure Active Directory users?

Microsoft offers the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD): Windows Hello for Business. Microsoft Authenticator app. FIDO2 security keys.

What is the strongest form of multi-factor authentication?

Physical Security Key (Hardware Token)

The strongest level of 2FA online account protection and the best phishing attack prevention is a physical security key.

What licenses do you need to enable Multi-Factor Authentication?

Azure MFA requires users to have an Azure AD Premium P1 or P2 license.

What license is required for SSPR?

If you are planning for SSPR for Cloud users, then you will need to have an Azure AD Basic, Premium P1 or P2, or a Microsoft 365 Business subscription. If you are synchronizing your users from your on-premises Active Directory, then you will need an Azure AD Premium P1 or P2 or a Microsoft 365 Business subscription.

What is SSPR and MFA?

Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR)

Does self-service password reset require MFA?

Self-Service Password Reset (SSPR) allows you to reset your Microsoft 365 account password yourself by confirming your identity with the MFA method. This avoids a call to the service desk to reset your password. To register for MFA and Self-Service Password Resets, follow the steps below.

What happens when you enable SSPR for your Azure AD organization?

When SSPR is enabled, users can only reset their password if they have data present in the authentication methods that the administrator has enabled. Methods include phone, Authenticator app notification, security questions, etc.

How can you force users to register for Azure AD MFA?

This is a good first step when troubleshooting Multi-Factor Authentication end user issues.
  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users > All Users.
  3. Choose the user you wish to perform an action on and select Authentication Methods.
  4. Click Require re-register MFA and save.

Does SSPR require password writeback?

For the requirement that you have, you will have to enable password writeback in AD Connect and then configure SSPR. Under SSPR options, you can add a group and only members of that group would be able to reset the password.

What is Microsoft Entra?

Microsoft Entra is the new name for the family of identity and access technologies now brought into one place and under one portal. Entra goes beyond traditional identity and access management – it's Microsoft's vision for the future of identity and access.

Can I use Microsoft Authenticator as a password manager?

The best password manager: Business and personal use

Microsoft Authenticator can generate, store, and apply passwords at websites via an autofill feature. Beyond supporting iOS, iPadOS, and Android devices, the autofill option works in the desktop flavors of Google Chrome and Microsoft Edge via an extension.

What does SSPR registered mean?

Self-service password reset (SSPR) is a solution that provides an automated process that allows end users to reset or regain access to their account password without help desk involvement by proving their identity via alternative means.

What authentication and verification methods are available in Azure Active Directory?

How each authentication method works

Method                                       Primary authentication   Secondary authentication
Microsoft Authenticator app                  Yes                      MFA and SSPR
FIDO2 security key                           Yes                      MFA
Certificate-based authentication (preview)   Yes                      No
OATH hardware tokens (preview)               No                       MFA and SSPR
(5 more rows in the source table)

Which three authentication methods can Azure AD users use to reset their password?

Authentication Methods in Azure

For SSPR, the following authentication mechanisms are available: Mobile app notification. Mobile app code. Email.

Which three authentication methods can be used by Azure MFA?

Available verification methods

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication: Microsoft Authenticator app. Windows Hello for Business. FIDO2 security key.

What are the 4 common authentication methods?

Common biometric authentication methods include fingerprint identification, voice recognition, retinal and iris scans, and face scanning and recognition.

Which of the following two-factor authentication verification methods are available in Azure AD?

MFA works in Azure Active Directory by requiring two or more of the following authentication methods: A password. A trusted device that's not easily duplicated, like a phone or hardware key. Biometrics like a fingerprint or face scan.

What are the three main identity models Azure Active Directory uses to manage user authentication in Office 365?

Office 365 uses the cloud-based user authentication service Azure Active Directory to manage users and offers three identity models: cloud-only, synchronized, and federated.

What are the disadvantages of multi-factor authentication?

  • Multi-factor authentication takes more time. Not only does having to enter two or more forms of authentication add time to a process, but the set-up itself can be time-consuming. ...
  • MFA isn't free. A business can't set up multi-factor authentication by themselves.

Which two-factor authentication is best?

Let's check out the six best 2FA apps for securing your online accounts.
  1. Google Authenticator ...
  2. Microsoft Authenticator ...
  3. LastPass Authenticator ...
  4. Twilio Authy Authenticator ...
  5. iOS 15, iPadOS 15, and macOS Monterey ...
  6. Step Two is another Apple-centric 2FA app.

What is the safest authentication method?

1. Biometric Authentication Methods

Biometric authentication relies on the unique biological traits of a user in order to verify their identity. This makes biometrics one of the most secure authentication methods as of today.

Is multi-factor authentication mandatory?

Partners are required to enforce MFA for all user accounts in their partner tenant, including guest users.

What license is required for Azure MFA?

The documentation also says, "Using this feature requires an Azure AD Premium P1 license", which means that it's required for any user who makes use of the feature.

How much does multi-factor authentication cost?

Azure Multi-Factor Authentication Pricing

Name                 Price
Per user             $1.40 per month
Per authentication   $1.40 per month

What is the minimum Azure AD license required for enabling SSPR?

Standalone Microsoft 365 Basic and Standard licensing plans don't support SSPR with on-premises writeback. The on-premises writeback feature requires Azure AD Premium P1, Premium P2, or Microsoft 365 Business Premium.

How do I force a user to register for SSPR?

Simply ask your users to register using https://aka.ms/mfasetup or https://aka.ms/setupsecurityinfo. SSPR registration policy. Since the registration of MFA and SSPR can be combined these days, you could use this policy to get your users registered at the next sign-in. Identity Protection MFA registration policy.

How do I register with the SSPR portal?

  1. Click the "Register to use SSPR" button on this page or from the Password Help Center to be directed to the Self-Service Password Reset (SSPR) registration page. ...
  2. Enter your FIT email address and click the "Next" button. ...
  3. Enter your FIT password and click the "Sign in" button.


What happens with MFA if I lose my phone?

If you've lost access to your primary phone, you can verify it's you with: Another phone signed in to your Google Account. Another phone number you've added in the 2-Step Verification section of your Google Account. A backup code you previously saved.

How do attackers bypass MFA?

MFA bypass via proxy attacks

In a proxy attack, the phishing site sits between the user and the target website. The phishing site passes relevant web pages and data, including passwords and multifactor authentication, back and forth between the user and the target site.

What are the three types of role-based access controls in Microsoft Azure?

The way you control access to resources using Azure RBAC is to assign Azure roles. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.

What are the license requirements for Azure AD SSPR writeback in an Azure AD tenant?

Password Writeback License Requirements

To use the feature you will need to have at least the Azure AD Premium P1 plan in your Microsoft 365 license. The plan can be bought separately as an add-on, but it's also part of the following license plans: Microsoft Business Premium.

How do I enable MFA in Conditional Access?

Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
...
Named locations
  1. Under Assignments, select Conditions > Locations. Configure Yes. Include Any location. Exclude All trusted locations. Select Done.
  2. Select Done.
  3. Save your policy changes.

How do I enable multifactor authentication in Active Directory?

Enable the trusted IPs feature by using service settings
  1. In the Azure portal, search for and select Azure Active Directory, and then select Users.
  2. Select Per-user MFA.
  3. Under multi-factor authentication at the top of the page, select service settings.
  4. Select Save.

What is the difference between enabled and enforced MFA?

Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in. Enforced: The user has been enrolled and has completed the MFA registration process.

Can you have both SSO and MFA?

SSO: How Do MFA and SSO Work Together? MFA and SSO are not mutually exclusive. As a matter of fact, you can combine these two technologies to provide your users with high security while ensuring a good user experience. MFA can add an extra layer of protection to the SSO logins of your users.

Do we have to enable MFA at both the SSO and Salesforce levels?

No. If MFA is enabled for your SSO identity provider, you don't need to enable Salesforce's MFA for users who log in via SSO.

How do I enable multi-factor authentication on my MFA device?

Choose the Security Credentials tab. Under Multi-factor authentication (MFA), choose Assign MFA device. In the Select MFA device wizard, type a Device name, choose Authenticator app, and then choose Next. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic.

How do I activate a two-factor authentication code?

Allow 2-Step Verification
  1. Open your Google Account.
  2. In the navigation panel, select Security.
  3. Under “Signing in to Google,” select 2-Step Verification. Get started.
  4. Follow the on-screen steps.

What is the difference between two-factor authentication and multi-factor authentication?

MFA vs 2FA. So, two-factor authentication (2FA) requires users to present two types of authentication, while MFA requires users to present at least two, if not more types of authentication. This means that all 2FA is an MFA, but not all MFA is a 2FA.

What is the difference between SSO and seamless SSO?

Single sign on (SSO) is an authentication method that lets you use a single username and password to access multiple applications. Seamless SSO occurs when a user is automatically signed into their connected applications when they're on corporate desktops connected to the corporate network.

Can you use MFA with service accounts?

If your service account is MFA-enabled, you need to use either the Conditional Access or Trusted IP feature in Microsoft 365 to bypass MFA. Once you have configured one of these features, proceed to configure the service account in M365 Manager Plus.

Is Microsoft forcing MFA?

Admins will always be prompted for MFA on login. Users will be prompted for MFA "when necessary" (this is not strictly defined by Microsoft but includes when users show up on a new device or app, and for critical roles and tasks). Access to Azure portal, Azure CLI or Azure PowerShell by anyone will always require MFA.

What triggers Microsoft MFA?

Yes, MFA would be triggered after a successful O365 primary authentication. Since you are able to verify that MFA is enabled after you sign in, it's not necessary to discuss other scenarios. If you have any further concern, we suggest you post to TechNet for dedicated assistance.

Does MFA have 2 factor authentication?

Two-factor authentication is a form of MFA. Technically, it is in use any time two authentication factors are required to gain access to a system or service. However, using two factors from the same category doesn't constitute 2FA.

Which methods can be used to implement multifactor authentication?

Which methods can be used to implement multifactor authentication?
  • IDS and IPS
  • tokens and hashes
  • VPNs and VLANs
  • passwords and fingerprints*
Explanation: A cybersecurity specialist must be aware of the technologies available that support the CIA triad.

What combination of authentication factors will qualify as multifactor authentication?

Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.

Can you bypass 2 factor authentication?

Another social engineering technique that is becoming popular is known as “consent phishing”. This is where hackers present what looks like a legitimate OAuth login page to the user. The hacker will request the level of access they need, and if access is granted, they can bypass MFA verification.

How do you find the 6 digit code for two-factor authentication?

You need to install the Google Authenticator app on your smart phone or tablet devices. It generates a six-digit number, which changes every 30 seconds. With the app, you don't have to wait a few seconds to receive a text message.

Which three methods can be used to deliver the token code to a user who is configured to use two-factor authentication?

Choose to get codes via phone (SMS text), authentication app, or with a physical security key (or any combination of the three).

Article information

Author: Jamar Nader

Last Updated: 01/27/2023