Conditional Access: Require trusted location for MFA registration

Securing when and how users register for Azure Multi-Factor Authentication and self-service password reset (SSPR) is now possible with user actions in Conditional Access policy. This preview feature is available to organizations that have enabled the combined registration preview. It lets an organization apply conditions such as trusted network location to restrict where users are allowed to register for Azure Multi-Factor Authentication and SSPR. For more information about creating trusted locations in Conditional Access, see the article What is the location condition in Azure Active Directory Conditional Access?

Create a policy to require registration from a trusted location

The following policy applies to all selected users who attempt to register using the combined registration experience, and blocks access unless they are connecting from a location marked as a trusted network.

  1. In the Azure portal, browse to Azure Active Directory > Security > Conditional Access.

  2. Select New policy.

  3. In Name, enter a name for this policy. For example, Combined Security Info Registration on Trusted Networks.

  4. Under Assignments, click Users and groups, and select the users and groups you want this policy to apply to.

    Users must be enabled for the combined registration preview.

  5. Under Cloud apps or actions, select User actions, check Register security information (preview).

  6. Under Conditions > Locations:

    1. Set Configure to Yes.
    2. Under Include, select Any location.
    3. Under Exclude, select All trusted locations.
    4. Click Done on the Locations blade.
    5. Click Done on the Conditions blade.
  7. Under Access controls > Grant:

    1. Click Block access.
    2. Then click Select.
  8. Set Enable policy to On.

  9. Then click Save.
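The same policy created with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed and that you replace the two placeholder IDs: a group whose members are enabled for combined registration, and an emergency-access account that is excluded so a location mistake cannot lock administrators out of registration. Unlike step 8 above, it creates the policy in report-only state first so the sign-in logs show who would have been blocked before enforcement is switched on.

```powershell
# Added example (not from the original article): create the registration policy
# described above through Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the two IDs below are placeholders.
$TargetGroupId    = "00000000-0000-0000-0000-000000000001"   # group enabled for combined registration (placeholder)
$BreakGlassUserId = "00000000-0000-0000-0000-000000000002"   # emergency-access account to exclude (placeholder)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Check before creating a block policy: if no named location is marked trusted,
# "All trusted locations" is empty and every registration attempt would be blocked.
# (isTrusted is surfaced via AdditionalProperties on the SDK's named location object;
# this is an assumption about the SDK's object shape.)
$trusted = Get-MgIdentityConditionalAccessNamedLocation |
    Where-Object { $_.AdditionalProperties["isTrusted"] -eq $true }
if (-not $trusted) {
    throw "No trusted named location exists; define one before enabling this policy."
}
Write-Host "Trusted named locations:" ($trusted.DisplayName -join ", ")

$policy = @{
    displayName = "Combined Security Info Registration on Trusted Networks"
    # Report-only first; change to "enabled" after reviewing the impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($TargetGroupId)
            excludeUsers  = @($BreakGlassUserId)
        }
        applications = @{
            # User action: Register security information
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")          # Include: Any location
            excludeLocations = @("AllTrusted")   # Exclude: All trusted locations
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")             # Grant: Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Once the report-only sign-in log entries look right, enforce the policy with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`. Note that the trusted-location check above only inspects named locations; MFA trusted IPs configured in the multi-factor authentication service settings are also treated as trusted by Conditional Access, so the check is a safety net, not a complete inventory.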

Next steps

Conditional Access common policies

Determine impact using Conditional Access report-only mode

Simulate sign in behavior using the Conditional Access What If tool