MFA Registration Challenges: Anyone Else Facing This?

Asked By TechExplorer42 On

I recently set up a Conditional Access (CA) policy to ensure that Multi-Factor Authentication (MFA) registration takes place from a trusted network. Overall, it seems to work well, but I didn't anticipate that Microsoft periodically needs users to verify their MFA login details. I thought this CA policy only applied to initial registration. Now, after an extended period post-registration, users are calling from home and finding themselves unable to log in because Microsoft pushes them back into registration, which can only happen from trusted locations and not from their home networks. This is really frustrating and increasing the volume of calls to our help desk. Has anyone else encountered this issue? Any suggestions on how to resolve it?

6 Answers

Answered By ITSupportHero On

Why implement such a strict policy in the first place?

Answered By CloudGuru88 On

You could either exclude the re-registration process from your CA policy or designate home networks as trusted, but that might undermine your security goals. It really boils down to choosing which inconvenience you prefer.

Answered By SysAdminPro65 On

I'm puzzled why you're experiencing mandatory re-registration; we've set it up the same way and haven’t encountered issues. It might be related to some managed policies from Microsoft that we're preventing by disabling those settings.

CloudGuru88 -

It’s likely due to the SSPR settings requiring users to verify their recovery factors periodically—some organizations set this to every 180 or 365 days. You might want to disable that if it's causing problems.

Answered By SecurityWhiz70 On

Consider changing the re-confirmation setting to occur less frequently, like every 180 days. I personally think maintaining strict security is important, especially since we enforce MFA and Self-Service Password Reset (SSPR) only from trusted networks.

Answered By NetworkNinja99 On

It's crucial that your CA policy meets regulatory requirements, if applicable. If that’s the case, what specific requirements are you trying to fulfill?

TechExplorer42 -

It’s mainly about stopping bad actors from registering unauthorized MFA devices on user accounts if they get access.

Answered By VPNExpert22 On

Can users perform the re-registration process if they're connected through your VPN IP range?
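The setup discussed in this thread, sketched with the Microsoft Graph PowerShell module as an added example that is not part of the original thread or any poster's configuration: a trusted named location for a VPN egress range, plus a Conditional Access policy that blocks the "Register security information" user action everywhere else. The display names and the CIDR range are placeholders, and the policy is created in report-only mode.

```powershell
# Added example; display names and the CIDR range are placeholders.
# Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Named location for the corporate VPN egress range, marked as trusted,
#    so VPN-connected users count as being on a trusted network.
$vpnLocation = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corp VPN egress (placeholder)'
    isTrusted     = $true
    ipRanges      = @(
        @{
            '@odata.type' = '#microsoft.graph.iPv4CidrRange'
            cidrAddress   = '203.0.113.0/24'   # documentation range; replace with the real egress range
        }
    )
}
New-MgIdentityConditionalAccessNamedLocation -BodyParameter $vpnLocation

# 2. Block the "Register security information" user action from every
#    location that is not marked trusted. Report-only: nothing is enforced yet.
$policy = @{
    displayName = 'Block security info registration outside trusted locations (placeholder)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Add excludeUsers here for emergency-access accounts before enforcing.
        users        = @{ includeUsers = @('All') }
        applications = @{ includeUserActions = @('urn:user:registersecurityinfo') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

While the policy is in report-only mode, the sign-in logs show which sign-ins it would have blocked, which helps size the help desk impact before `state` is changed to `enabled`.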
