New features keeps coming to Conditional Access at staggering pace. Microsoft just published new controls for persistent browser sessions and sign-in frequency. New addition came just last week:

  • Register Security Information

What’s the Purpose of this setting?

Many customers have been requested to allow end-users to register security information only from trusted locations. This prevents bad guys to register or change hacked account registration information which is used for authentication on behalf of the user.

Configuration

Configuring Conditional Access Policy

  • Users and Groups: Select first only scope of users where to target policy
  • Cloud Apps and Actions: Register security information
  • Conditions: Configure any location and exclude trusted networks (verify that trusted networks have been configured properly)
  • Access Controls: Block Access

How It Looks In Action

Scenario 1 – Login to from trusted network

Login to aka.ms/mfasetup from one of the trusted network with my test machine.

More information is required as expected

Registration process is normal and not covered in here, at end of the process you will see your account registration details. In my case Microsoft Authenticator is the primary 2FA authentication method.

Login from un-trusted network

Then switched to Tor network which is naturally not trusted in this scenario.

CA policy kicks-in and registration is not allowed.

From Azure AD logs we can see why it fails: “Access has been blocked due to conditional access policies”

Scenario 2 – Login with Guest User

Works like a charm when Guest user is affected by CA policy

Azure AD logs information is a bit different comparing to organizational user. Registering is enforced but user is not able to perform the registration from un-trusted network.

Scenario 3 – Login with Organizational User – Sign-in Risk Demanding Factor

In last scenario the I relay to Identity Protection capabilities and use user sign-in risk policy to make a decision is user able to get access to registration process.

Again, opened my favorite browser for testing purpses (Tor) and navigate to aka.ms/mfasetup. As you can see, sign-in was blocked

Summary

This feature is very welcome among other new Conditional Access features. Keep in mind that when to start using the CA policies it’s important to plan them carefully and take into consideration service dependencies, read more from here.