Enable combined security information registration in Azure Active Directory

Before combined registration, users registered authentication methods for Azure Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for Azure Multi-Factor Authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both Azure Multi-Factor Authentication and SSPR.

Before enabling the new experience, review the article Combined security information registration to ensure you understand the functionality and effects of this feature.


Enable combined registration

Complete these steps to enable combined registration:

  1. Sign in to the Azure portal as a user administrator or global administrator.

  2. Go to Azure Active Directory > User settings > Manage user feature preview settings.

  3. Under Users can use the combined security information registration experience, choose to enable for a Selected group of users or for All users.


Note

After you enable combined registration, users who register or confirm their phone number or mobile app through the new experience can use them for Azure Multi-Factor Authentication and SSPR, if those methods are enabled in the Azure Multi-Factor Authentication and SSPR policies. If you then disable this experience, users who go to the previous SSPR registration page at https://aka.ms/ssprsetup will be required to perform multi-factor authentication before they can access the page.

If you have configured the Site to Zone Assignment List in Internet Explorer, the following sites have to be in the same zone:

Conditional Access policies for combined registration

User actions in Conditional Access policy now let you secure when and how users register for Azure Multi-Factor Authentication and self-service password reset. This feature is available to organizations that have enabled the combined registration feature. An organization might enable it when it wants users to register for Azure Multi-Factor Authentication and SSPR from a central location, such as a trusted network location during HR onboarding.

For more information about creating trusted locations in Conditional Access, see the article What is the location condition in Azure Active Directory Conditional Access?

Create a policy to require registration from a trusted location

The following policy applies to all selected users who attempt to register using the combined registration experience, and blocks access unless they are connecting from a location marked as a trusted network.

  1. In the Azure portal, browse to Azure Active Directory > Security > Conditional Access.

  2. Select + New policy.

  3. Enter a name for this policy, such as Combined Security Info Registration on Trusted Networks.

  4. Under Assignments, select Users and groups. Choose the users and groups you want this policy to apply to, then select Done.

    Warning

    Users must be enabled for combined registration.

  5. Under Cloud apps or actions, select User actions. Check Register security information, then select Done.


  6. Under Conditions > Locations, configure the following options:

    1. Configure Yes.
    2. Include Any location.
    3. Exclude All trusted locations.

  7. Select Done on the Locations window, then select Done on the Conditions window.

  8. Under Access controls > Grant, choose Block access, then Select.

  9. Set Enable policy to On.

  10. To finalize the policy, select Create.

Next steps

If you need help, see how to troubleshoot combined security info registration or learn What is the location condition in Azure Active Directory Conditional Access?

To enable the features in your Azure AD tenant, see the tutorials to enable self-service password reset and enable Azure Multi-Factor Authentication.

Learn how to force users to re-register authentication methods.

You can also review the available methods for Azure Multi-Factor Authentication and SSPR.