New features keep coming to Conditional Access at a staggering pace. Microsoft just published new controls for persistent browser sessions and sign-in frequency. A new addition came just last week:
- Register Security Information
What’s the Purpose of this setting?
Many customers have requested the ability to allow end users to register security information only from trusted locations. This prevents attackers from registering or changing the registration information of a compromised account, information that is then used to authenticate on behalf of the user.
Configuring Conditional Access Policy
- Users and Groups: Select first only a limited scope of users to target with the policy
- Cloud Apps and Actions: Register security information
- Conditions: Locations – include Any location and exclude trusted networks (verify that the trusted networks have been configured properly, otherwise legitimate registrations are blocked everywhere)
- Access Controls: Block Access
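The same four settings expressed as a Microsoft Graph conditionalAccessPolicy body, as an added example (not from the original post). The policy JSON shape and the `urn:user:registersecurityinfo` user action are the real Graph ones; the pilot group id, break-glass account id, policy name and the `GRAPH_TOKEN` environment variable are assumptions. It goes slightly beyond the list above in two ways: the policy is created in report-only state so sign-in logs can be reviewed before it enforces, and a small lint function flags the configuration mistakes that make a Block policy dangerous (no trusted-location exclusion, no break-glass exclusion). The optional `sign_in_risk_levels` argument adds the sign-in risk condition used later in Scenario 3.

```python
"""Build and sanity-check a Conditional Access policy that blocks the
"Register security information" user action outside trusted locations.

Added example, not code from the original post. Uses the Microsoft Graph
conditionalAccessPolicy JSON shape; ids and the token variable are placeholders.
"""
import json
import os
import urllib.request

# Graph user action id for "Register security information" (real value)
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_policy(pilot_group_ids, break_glass_user_ids=(),
                 state="enabledForReportingButNotEnforced", sign_in_risk_levels=None):
    """Return the policy body: pilot group in scope, user action = register security
    info, Any location minus all trusted locations, grant control = Block.
    Default state is report-only so the effect can be reviewed in sign-in logs first."""
    policy = {
        "displayName": "Block security info registration from untrusted locations",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {
                "includeGroups": list(pilot_group_ids),
                # always exclude break-glass accounts from a Block policy
                "excludeUsers": list(break_glass_user_ids),
            },
            "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if sign_in_risk_levels:  # Scenario 3 variant: only block risky sign-ins
        policy["conditions"]["signInRiskLevels"] = list(sign_in_risk_levels)
    return policy


def lint_policy(policy):
    """Return the problems a reviewer would flag before switching the policy to enabled."""
    issues = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") == ["All"] and policy.get("state") == "enabled":
        issues.append("scoped to All users while enabled; pilot with a group first")
    if not users.get("excludeUsers"):
        issues.append("no break-glass account excluded; a Block policy can lock out admins")
    if REGISTER_SECURITY_INFO not in cond.get("applications", {}).get("includeUserActions", []):
        issues.append("policy does not target the register security info user action")
    if "AllTrusted" not in cond.get("locations", {}).get("excludeLocations", []):
        issues.append("trusted locations are not excluded; registration would be blocked everywhere")
    if policy.get("grantControls", {}).get("builtInControls") != ["block"]:
        issues.append("grant control is not Block")
    return issues


def create_policy(policy, token):
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess). Network call."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # placeholder object ids; replace with the pilot group and break-glass account ids
    draft = build_policy(["<pilot-group-object-id>"], ["<break-glass-user-object-id>"])
    print(json.dumps(draft, indent=2))
    print("lint:", lint_policy(draft) or "ok")
    if os.environ.get("GRAPH_TOKEN"):  # only sent when a token is supplied
        create_policy(draft, os.environ["GRAPH_TOKEN"])
```

Run it without `GRAPH_TOKEN` to print and lint the body; once the report-only sign-in log entries look right, rebuild with `state="enabled"` and send it.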
How It Looks In Action
Scenario 1 – Login from a trusted network
Logged in to aka.ms/mfasetup from one of the trusted networks with my test machine.
More information is required, as expected.
The registration process is normal and not covered here; at the end of the process you will see your account registration details. In my case Microsoft Authenticator is the primary 2FA authentication method.
Login from an untrusted network
Then I switched to the Tor network, which is naturally not trusted in this scenario.
The CA policy kicks in and registration is not allowed.
From the Azure AD sign-in logs we can see why it fails: “Access has been blocked due to conditional access policies”
Scenario 2 – Login with Guest User
Works like a charm when a guest user is in scope of the CA policy.
The Azure AD log information is a bit different compared to an organizational user. Registration is enforced, but the user is not able to perform the registration from an untrusted network.
Scenario 3 – Login with Organizational User – Sign-in Risk Demanding Factor
In the last scenario I rely on Identity Protection capabilities and use the user sign-in risk policy to decide whether the user is able to get access to the registration process.
Again, I opened my favorite browser for testing purposes (Tor) and navigated to aka.ms/mfasetup. As you can see, the sign-in was blocked.
This feature is very welcome among the other new Conditional Access features. Keep in mind that when you start using CA policies it’s important to plan them carefully and take service dependencies into consideration; read more here.