I'm considering implementing Self-Service Password Reset (SSPR) for around 10,000 users in my company this summer. However, I'm a bit hesitant about letting users reset their passwords on non-managed devices. Many employees have the authenticator app on their personal devices, which are registered but not managed by the company. Is there a way to set up parameters so users can approve multi-factor authentication (MFA) requests on their personal devices but are restricted from resetting their passwords unless they're using a company-managed device that meets Intune compliance?
2 Answers
The SSPR process doesn't directly access data, so tying it to only managed devices may not significantly bolster security. The initial registration for MFA definitely needs to occur on a trusted device or trusted location, though.
It's understandable to have concerns. When you enable SSPR, you choose the authentication methods, so passing MFA is a requirement. To enhance security, consider applying a Conditional Access (CA) policy that mandates that users can only register security methods on devices that are either hybrid-joined or Entra-joined and compliant.
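The policy described in the answer above, written out as an added example (this is not code from the original answer or from Microsoft): a Conditional Access policy created through the Microsoft Graph PowerShell SDK that targets the "Register security information" user action and grants access only from an Intune-compliant or hybrid Entra joined device. It assumes the Microsoft.Graph module is installed and that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess scope; the policy display name and the break-glass group object ID are placeholders you should replace.

```powershell
# Added example, not part of the original answer.
# Creates a Conditional Access policy that restricts the
# "Register security information" user action to devices that are
# Intune-compliant OR hybrid Entra joined.
# Assumptions: Microsoft.Graph module installed; the account running this holds
# Policy.ReadWrite.ConditionalAccess. Display name and group ID are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policyName        = "CA - Register security info only from compliant or hybrid-joined devices"
$breakGlassGroupId = "<object-id-of-your-break-glass-group>"   # placeholder: always exclude emergency accounts

$params = @{
    displayName = $policyName
    # Start in report-only so the sign-in logs show who WOULD have been blocked
    # (users who have never registered from a managed device) before you enforce.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # The "Register security information" target in the portal maps to this
            # user action. A policy that targets a user action must NOT also set
            # includeApplications, so no cloud apps are listed here.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
    }
    grantControls = @{
        # OR: either a compliant (Intune) device or a hybrid Entra joined device satisfies the policy.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State

# Check that the user action and the device grant controls landed as intended.
$created = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$created.Conditions.Applications.IncludeUserActions   # expect: urn:user:registersecurityinfo
$created.GrantControls.BuiltInControls                # expect: compliantDevice, domainJoinedDevice

# After reviewing report-only results in the sign-in logs, switch to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```

Two practical notes. Keep the policy in report-only mode until you have seen, in the sign-in logs, which users register security info only from unmanaged devices; for a 10,000-user tenant that population will not be zero, and enforcing straight away locks them out of method registration. Also, this policy scopes the registration step, which is the step the answer above singles out as the one to lock down; it adds a device condition to registering or changing methods, not to the password reset flow itself.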

So, would that mean if someone registers from a personal device, they could potentially reset their password from there?