At our last Mindcore Tech event, we took a closer look at Self-service Password reset in Azure AD.
One question we did not have the time to pursue, was how to only allow entering security information from a trusted location.
We have SSPR setup and users are required to setup security information at first logon as explained here:
In this test we will only allow entering security information from our company IP address.
First we create a new user to use for this test (blockuser).
Blockuser will be added to the AD group pwdresetgrp, because this is the group we used in the previous post about SSPR, we will also use this group for the conditional access policy.
Next step is to create a new Conditional Access Policy in Azure AD.
Name the policy and in Users and groups select the group pwdresetgrp to be included in this policy.
In Cloud apps or actions select user actions and Register security information.
In Conditions select locations and include Any location.
We will exclude our Company IP address (Mindcore location) and trusted MFA IPs.
Select to block access.
Then enable the policy and create.
In this example the location Mindcore is created as an IP address range.
Now let try from an unknown IP address and do a first time login with the user blockuser.
We will still see the More information required.
But since this is an untrusted location we will get You cannot access this right now.
Changing location to a secure location (Mindcore IP address), we will see this instead:
Mindcore Tech https://www.linkedin.com/groups/12247201/