I recently set up a Conditional Access (CA) policy to ensure that Multi-Factor Authentication (MFA) registration takes place from a trusted network. Overall, it seems to work well, but I didn't anticipate that Microsoft periodically needs users to verify their MFA login details. I thought this CA policy only applied to initial registration. Now, after an extended period post-registration, users are calling from home and finding themselves unable to log in because Microsoft pushes them back into registration, which can only happen from trusted locations and not from their home networks. This is really frustrating and is increasing the volume of calls to our help desk. Has anyone else encountered this issue? Any suggestions on how to resolve it?
6 Answers
Why implement such a strict policy in the first place?
You could either exclude the re-registration process from your CA policy or designate home networks as trusted, but that might undermine your security goals. It really boils down to choosing which inconvenience you prefer.
I'm puzzled why you're experiencing mandatory re-registration; we've set it up the same way and haven’t encountered issues. It might be related to some managed policies from Microsoft that we're preventing by disabling those settings.
Consider changing the re-confirmation setting to occur less frequently, like every 180 days. I personally think maintaining strict security is important, especially since we enforce MFA and Self-Service Password Reset (SSPR) only from trusted networks.
It's crucial that your CA policy meets regulatory requirements, if applicable. If that’s the case, what specific requirements are you trying to fulfill?
It’s mainly about stopping bad actors from registering unauthorized MFA devices on user accounts if they get access.
Can users perform the re-registration process if they're connected through your VPN IP range?

It’s likely due to the SSPR settings requiring users to verify their recovery factors periodically—some organizations set this to every 180 or 365 days. You might want to disable that if it's causing problems.
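To make the behaviour in the question concrete, here is an added example (not code from the thread or from Microsoft) that models how a "registration only from trusted locations" policy is evaluated. The policy object uses the field names and special values Microsoft Graph returns for Conditional Access policies (`includeUserActions` with `urn:user:registersecurityinfo`, `includeLocations: ["All"]`, `excludeLocations: ["AllTrusted"]`, grant control `block`); the display name, IP ranges and scenario addresses are constructed. The evaluator is deliberately simplified: it checks only policy state, user action and location, ignoring users/groups, device, client-app and risk conditions. It assumes, as the question's symptoms suggest, that the periodic re-confirmation prompt goes through the same "Register security information" user action as first-time registration, which is why a block on that action outside trusted locations also blocks the re-confirmation from home. The last scenario shows the VPN suggestion from the thread: adding the VPN address pool as a trusted named location lets the same home user complete re-confirmation over VPN.

```python
import ipaddress
from copy import deepcopy

# Constructed Conditional Access policy in the shape Microsoft Graph returns
# from /identity/conditionalAccess/policies. The field names and the values
# "All", "AllTrusted", "block" and the registersecurityinfo user action are
# real Graph values; the displayName and the address ranges below are made up.
REGISTRATION_POLICY = {
    "displayName": "Block security info registration outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {
            "includeApplications": [],
            "includeUserActions": ["urn:user:registersecurityinfo"],
        },
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed named locations, trimmed to the two fields the evaluator needs
# (isTrusted and ipRanges of an ipNamedLocation). Only the head office is trusted.
NAMED_LOCATIONS = {
    "Head office": {"isTrusted": True, "ipRanges": ["203.0.113.0/24"]},
}

REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"


def is_trusted_ip(ip, named_locations):
    """True if ip falls inside any named location flagged isTrusted."""
    addr = ipaddress.ip_address(ip)
    for loc in named_locations.values():
        if not loc["isTrusted"]:
            continue
        if any(addr in ipaddress.ip_network(cidr) for cidr in loc["ipRanges"]):
            return True
    return False


def policy_in_scope(policy, ip, named_locations, user_action=None):
    """Simplified scope check: policy state, user action and location only.
    Real CA evaluation also considers users/groups, device state, client apps
    and risk; those conditions are ignored here (assumption of this example)."""
    if policy["state"] != "enabled":
        return False
    actions = policy["conditions"]["applications"].get("includeUserActions", [])
    if user_action is None or user_action not in actions:
        return False  # ordinary app sign-ins are not targeted by this policy
    locs = policy["conditions"]["locations"]
    if "AllTrusted" in locs.get("excludeLocations", []) and is_trusted_ip(ip, named_locations):
        return False  # trusted location is excluded, so the policy steps aside
    return "All" in locs.get("includeLocations", [])


def decision(policy, ip, named_locations, user_action=None):
    """'block' when the policy applies and its grant control is block,
    otherwise 'proceed' (this policy does not interfere with the request)."""
    if not policy_in_scope(policy, ip, named_locations, user_action):
        return "proceed"
    if "block" in policy["grantControls"]["builtInControls"]:
        return "block"
    return "proceed"


def with_trusted_location(named_locations, name, cidrs):
    """Return a copy of named_locations with an extra trusted location added,
    e.g. the VPN address pool suggested in the thread (name and CIDR constructed)."""
    updated = deepcopy(named_locations)
    updated[name] = {"isTrusted": True, "ipRanges": list(cidrs)}
    return updated


if __name__ == "__main__":
    vpn_locations = with_trusted_location(NAMED_LOCATIONS, "VPN pool", ["198.51.100.0/24"])
    scenarios = [
        ("office, first registration", "203.0.113.10", REGISTER_SECURITY_INFO, NAMED_LOCATIONS),
        ("home, ordinary sign-in", "192.0.2.44", None, NAMED_LOCATIONS),
        ("home, periodic re-confirmation", "192.0.2.44", REGISTER_SECURITY_INFO, NAMED_LOCATIONS),
        ("home over VPN, re-confirmation", "198.51.100.7", REGISTER_SECURITY_INFO, vpn_locations),
    ]
    for label, ip, action, locs in scenarios:
        print(f"{label:32} -> {decision(REGISTRATION_POLICY, ip, locs, action)}")
```

Running it prints `proceed` for the office registration and the ordinary home sign-in, `block` for the home re-confirmation (the help-desk case in the question), and `proceed` again once the VPN pool is a trusted named location. Note that the model has no knob for "exclude re-confirmation": the CA user action does not distinguish first registration from re-confirmation, so the practical levers are the SSPR re-confirmation interval (or disabling it) and which networks count as trusted.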