The Combined Registration Experience with SSPR and MFA
Is your organisation getting ready to roll out both Self-Service Password Reset (SSPR) and Multi-Factor Authentication (MFA)? Or maybe just one or the other? Maybe you’ve already rolled out MFA, but not SSPR or vice versa. Users are required to register their accounts before they can use these features. In the past, this would have required them to register twice, once for MFA and once for SSPR. Beginning in 2020, Microsoft introduced the “combined security registration experience,” and with this, Microsoft enabled users to have a one-time registration experience for both MFA and SSPR.
Starting September 30th, 2022, Microsoft will be enabling all tenants to register their security information through the combined registration experience. This article will take you through some of the parts of the combined registration experience.
First, let’s have a quick review of MFA and SSPR:
- MFA is Microsoft’s two-factor authentication solution provided as part of Azure AD. MFA is used to verify users who are attempting to log in, validating that they are who they say they are.
- To use MFA, one must register with the service. Once completed, and depending on the policies configured by your organisation, users will need to verify authentication through MFA.
- Users can enable the following options for the default MFA method:
  - Push notification – the user receives a push notification from the Microsoft Authenticator app, which is freely available from the iOS and Android stores
  - Token code – a one-time code from the Authenticator app or a hardware token (a good option if you are somewhere with limited cellular service, such as on an airplane)
  - Phone call – Microsoft will call you to approve the authentication request
  - SMS – Microsoft will send you an SMS message containing a code
- Azure MFA can also be used to perform multi-factor authentication for other services besides your work email, OneDrive, etc.
- SSPR is a feature of Azure AD that enables users to change or reset their own passwords, taking that workload off IT administrators (“Hello IT, my password isn’t working.”)
- SSPR comes free for cloud accounts but requires Azure AD Premium P1 licenses for any synced account and some extra work to enable it from Azure AD Connect.
- SSPR requires the user to register their account using a similar method to the MFA registration experience. Once registered, they will be able to reset their Azure AD/M365 password and, for any synced accounts, the password change will sync back to their on-premises Active Directory account.
Combined Registration Experience
The combined registration experience comes with two modes: interrupt and manage.
Manage mode allows the user to manage their security info as part of their user profile. The users can go to their security info page from their My Account site and adjust their methods such as adding, deleting or changing existing registration methods.
Interrupt mode is a wizard-driven experience which walks users through registration. Once enrolled in a policy, it interrupts users when they log in until they’ve completed their registration. For example, the next time a user signs into M365, it will ask them to register and, if MFA and SSPR are enabled for that user, a single pass through the wizard completes registration for both.
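Before turning on interrupt mode, most admins want to know which users will actually be interrupted and which registered users are covered for both MFA and SSPR. The following PowerShell is an added example, not code from the original article or from Insentra. It classifies users from records shaped like the Microsoft Graph authentication-methods registration report (`/reports/authenticationMethods/userRegistrationDetails`, exposed by the `Get-MgReportAuthenticationMethodUserRegistrationDetail` cmdlet in the Microsoft.Graph.Reports module). The property names (`IsMfaRegistered`, `IsSsprRegistered`, `IsSsprEnabled`, `MethodsRegistered`, `DefaultMfaMethod`) and the method identifiers in the `$strong` list are taken from that report as I know it; treat them as assumptions to verify against your tenant. The sample records are constructed so the function runs offline.

```powershell
# Added example: report combined-registration readiness from Graph-style
# userRegistrationDetails records. Not part of the original article.

function Get-SecurityRegistrationStatus {
    [CmdletBinding()]
    param(
        # Objects carrying the Graph report properties (assumed names):
        # UserPrincipalName, IsMfaRegistered, IsSsprRegistered, IsSsprEnabled,
        # MethodsRegistered (string[]), DefaultMfaMethod.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$RegistrationDetail
    )
    process {
        # Methods considered phishing-resistant or app-based; phone/SMS-only
        # users are flagged separately because those factors are weaker.
        # Identifier values are assumed from the Graph report schema.
        $strong = @('microsoftAuthenticatorPush', 'softwareOneTimePasscode',
                    'fido2SecurityKey', 'windowsHelloForBusiness')

        foreach ($u in $RegistrationDetail) {
            $hasStrong = @($u.MethodsRegistered | Where-Object { $_ -in $strong }).Count -gt 0

            # Combined registration is "complete" only when both MFA and SSPR
            # have what they need.
            $state = if (-not $u.IsMfaRegistered -and -not $u.IsSsprRegistered) { 'NotRegistered' }
                     elseif ($u.IsMfaRegistered -and $u.IsSsprRegistered)       { 'Complete' }
                     elseif ($u.IsMfaRegistered)                                { 'MfaOnly' }
                     else                                                       { 'SsprOnly' }

            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                State             = $state
                # A user in scope for SSPR whose registration is incomplete will
                # be prompted by interrupt mode at their next sign-in.
                WillBeInterrupted = [bool]($u.IsSsprEnabled -and $state -ne 'Complete')
                # Registered for MFA, but only with phone call / SMS methods.
                PhoneOnly         = [bool]($u.IsMfaRegistered -and -not $hasStrong)
                DefaultMfaMethod  = $u.DefaultMfaMethod
            }
        }
    }
}

# Constructed sample records (not real tenant data) mimicking the report output.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IsMfaRegistered = $true;  IsSsprRegistered = $true
                       IsSsprEnabled = $true;  MethodsRegistered = @('microsoftAuthenticatorPush', 'mobilePhone'); DefaultMfaMethod = 'microsoftAuthenticatorPush' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   IsMfaRegistered = $true;  IsSsprRegistered = $false
                       IsSsprEnabled = $true;  MethodsRegistered = @('mobilePhone');                               DefaultMfaMethod = 'mobilePhone' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; IsMfaRegistered = $false; IsSsprRegistered = $false
                       IsSsprEnabled = $false; MethodsRegistered = @();                                            DefaultMfaMethod = 'none' }
)

$sample | Get-SecurityRegistrationStatus | Format-Table -AutoSize

# Against a live tenant (Microsoft.Graph.Reports module; the report needs
# AuditLog.Read.All and UserAuthenticationMethod.Read.All):
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'
# Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
#     Get-SecurityRegistrationStatus |
#     Where-Object State -ne 'Complete' |
#     Export-Csv -Path registration-gap.csv -NoTypeInformation
```

With the constructed sample, alice comes out `Complete`, bob is `MfaOnly` and `PhoneOnly` (he will be interrupted because SSPR is enabled for him but he has never registered for it), and carol is `NotRegistered` but not interrupted by SSPR because she is not in scope for it. Running the live pipeline before switching interrupt mode on gives you the list of people who will see the wizard, and the `PhoneOnly` column is a useful follow-up list once registration itself is complete.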
Interrupt Mode Workflow:
If you would like any further information or need help navigating MFA and SSPR, Insentra can assist in onboarding your users’ combined registration experience. Please contact Insentra for more information on this feature and how it can serve your organisation.
While you’re here, why don’t you check out my colleague’s blog article about some changes to MFA requirements for phone numbers and Azure AD!