Enable combined security information registration (preview)

Before enabling the new experience, review the article Combined security information registration (preview) to ensure you understand the functionality and effects of this feature.

Combined security information registration enhanced experience

Combined security information registration for Azure Multi-Factor Authentication and Azure Active Directory (Azure AD) self-service password reset is a public preview feature of Azure AD. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Note

Organizations who enabled the previous preview for registering and managing security info should complete the steps below to enable the enhanced preview experience. For organizations who do not make the switch, on October 8, 2019, Microsoft will switch users of the previous preview for registering and managing security info to the enhanced experience.

If you have not enabled any version of the preview, your organization will not be impacted.

Enable combined registration

Complete these steps to enable combined registration:

  1. Sign in to the Azure portal as a user administrator or global administrator.

  2. Go to Azure Active Directory > User settings > Manage settings for access panel preview features.

  3. Under Users can use preview features for registering and managing security info - refresh, choose to enable for a Selected group of users or for All users.

    Enable the combined security info preview experience for All users

Important

Starting in March 2019, the phone call options won't be available to Multi-Factor Authentication and SSPR users in free/trial Azure AD tenants. SMS messages are not affected by this change. The phone call options will still be available to users in paid Azure AD tenants.

Note

After you enable combined registration, users who register or confirm their phone number or mobile app through the new experience can use them for Multi-Factor Authentication and SSPR, if those methods are enabled in the Multi-Factor Authentication and SSPR policies. If you then disable this experience, users who go to the previous SSPR registration page at https://aka.ms/ssprsetup will be required to perform multi-factor authentication before they can access the page.

If you have configured the Site to Zone Assignment List in Internet Explorer, the following sites have to be in the same zone:

Conditional Access policies for combined registration

User actions in Conditional Access policy now make it possible to secure when and how users register for Azure Multi-Factor Authentication and self-service password reset. This preview feature is available to organizations who have enabled the combined registration preview. Organizations may enable this functionality when they want users to register for Azure Multi-Factor Authentication and SSPR from a central location, such as a trusted network location during HR onboarding. For more information about creating trusted locations in Conditional Access, see the article What is the location condition in Azure Active Directory Conditional Access?

Create a policy to require registration from a trusted location

The following policy applies to all selected users who attempt to register using the combined registration experience, and blocks access unless they are connecting from a location marked as a trusted network.

Create a CA policy to control security info registration

  1. In the Azure portal, browse to Azure Active Directory > Conditional Access

  2. Select New policy

  3. In Name, enter a name for this policy. For example, Combined Security Info Registration on Trusted Networks

  4. Under Assignments, click Users and groups, and select the users and groups you want this policy to apply to

    Warning

    Users must be enabled for the combined registration preview.

  5. Under Cloud apps or actions, select User actions, check Register security information (preview)

  6. Under Conditions > Locations

    1. Configure Yes
    2. Include Any location
    3. Exclude All trusted locations
    4. Click Done on the Locations blade
    5. Click Done on the Conditions blade

  7. Under Access controls > Grant

    1. Click Block access
    2. Then click Select

  8. Set Enable policy to On

  9. Then click Create
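
As an added example (not from the original article and not Microsoft's own code), the Python below checks an exported policy against the steps above and reports what is missing. It assumes the policy is expressed in the Microsoft Graph conditionalAccessPolicy JSON shape, which this page does not show; the function name, sample policy and group ID are constructed for illustration.

```python
# Added example: audit a Conditional Access policy against the portal steps above.
# Assumption: the policy uses the JSON shape of the Microsoft Graph
# conditionalAccessPolicy resource; the page itself only shows portal steps.
REGISTER_ACTION = "urn:user:registersecurityinfo"

def audit_registration_policy(policy):
    """Return a list of findings; an empty list means the policy matches."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    locs = cond.get("locations") or {}
    grant = policy.get("grantControls") or {}

    # Step 4: at least one user or group must be in scope.
    if not (users.get("includeUsers") or users.get("includeGroups")):
        findings.append("no users or groups assigned")
    # Step 5: the policy must target the registration user action.
    actions = [a.lower() for a in apps.get("includeUserActions") or []]
    if REGISTER_ACTION not in actions:
        findings.append("user action 'Register security information' not selected")
    # Step 6: include any location, exclude all trusted locations.
    if "All" not in (locs.get("includeLocations") or []):
        findings.append("locations do not include Any location")
    if "AllTrusted" not in (locs.get("excludeLocations") or []):
        findings.append("trusted locations not excluded, so the block applies everywhere")
    # Step 7: the grant control must be Block access.
    if "block" not in (grant.get("builtInControls") or []):
        findings.append("grant control is not Block access")
    # Step 8: the policy must be switched on.
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled (state=%r)" % policy.get("state"))
    return findings

# Constructed sample policy (the group id is a placeholder, not a real object id).
SAMPLE_POLICY = {
    "displayName": "Combined Security Info Registration on Trusted Networks",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["00000000-0000-0000-0000-000000000000"]},
        "applications": {"includeUserActions": [REGISTER_ACTION]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    for finding in audit_registration_policy(SAMPLE_POLICY) or ["policy matches the steps"]:
        print(finding)
```
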

Next steps

Force users to re-register authentication methods

Available methods for Multi-Factor Authentication and SSPR

Configure self-service password reset

Configure Azure Multi-Factor Authentication

Troubleshooting combined security info registration

What is the location condition in Azure Active Directory Conditional Access?