Enable combined security information registration (preview)
Before enabling the new experience, review the article Combined security information registration (preview) to ensure you understand the functionality and effects of this feature.
Organizations who enabled the previous preview for registering and managing security info should complete the steps below to enable the enhanced preview experience. For organizations who do not make the switch, on October 8, 2019, Microsoft will switch users of the previous preview for registering and managing security info to the enhanced experience.
If you have not enabled any version of the preview your organization will not be impacted.
Enable combined registration
Complete these steps to enable combined registration:
Sign in to the Azure portal as a user administrator or global administrator.
Go to Azure Active Directory > User settings > Manage settings for access panel preview features.
Under Users can use preview features for registering and managing security info - refresh, choose to enable for a Selected group of users or for All users.
Starting in March 2019, the phone call options won't be available to Multi-Factor Authentication and SSPR users in free/trial Azure AD tenants. SMS messages are not affected by this change. The phone call options will still be available to users in paid Azure AD tenants.
After you enable combined registration, users who register or confirm their phone number or mobile app through the new experience can use them for Multi-Factor Authentication and SSPR, if those methods are enabled in the Multi-Factor Authentication and SSPR policies. If you then disable this experience, users who go to the previous SSPR registration page at
https://aka.ms/ssprsetup will be required to perform multi-factor authentication before they can access the page.
If you have configured the Site to Zone Assignment List in Internet Explorer, the following sites have to be in the same zone:
Conditional Access policies for combined registration
Securing when and how users register for Azure Multi-Factor Authentication and self-service password reset is now possible with user actions in Conditional Access policy. This preview feature is available to organizations who have enabled the combined registration preview. This functionality may be enabled in organizations where they want users to register for Azure Multi-Factor Authentication and SSPR from a central location such as a trusted network location during HR onboarding. For more information about creating trusted locations in Conditional Access, see the article What is the location condition in Azure Active Directory Conditional Access?
Create a policy to require registration from a trusted location
The following policy applies to all selected users, who attempt to register using the combined registration experience, and blocks access unless they are connecting from a location marked as trusted network.
In the Azure portal, browse to Azure Active Directory > Conditional Access
Select New policy
In Name, Enter a Name for this policy. For example, Combined Security Info Registration on Trusted Networks
Under Assignments, click Users and groups, and select the users and groups you want this policy to apply to
Users must be enabled for the combined registration preview.
Under Cloud apps or actions, select User actions, check Register security information (preview)
Under Conditions > Locations
- Configure Yes
- Include Any location
- Exclude All trusted locations
- Click Done on the Locations blade
- Click Done on the Conditions blade
Under Access controls > Grant
- Click Block access
- Then click Select
Set Enable policy to On
Then click Create