How to use a trusted location for MFA and Self Service Password Reset

It has been a long time since my last blog post. This week we configured something new and very useful: Self Service Password Reset. Many companies have an integrated process for resetting their end users' passwords, but why use a process that generates a lot of tickets and demands a lot of patience from the end user? In this article I show you how to block the Multi-Factor Authentication and Self Service Password Reset registration from untrusted locations using Azure AD Conditional Access. This setting is also one of the common policies that Microsoft recommends when using Conditional Access within Azure AD.

When you want to enable Multi-Factor Authentication and Self Service Password Reset for your users, they need to register first. This can be an issue for some users. In my experience it is important that users keep using the Azure authenticator app; sometimes users remove this app, and then it is necessary to contact IT support to ask for an MFA reset.

The above can be a blocker for some users, but from an IT perspective this is great because we can control this user action with Conditional Access. This gives you the flexibility to limit it to trusted locations only, or even to trusted (hybrid AD joined) devices if you want. This means that a user can only use MFA and/or SSPR from one of the selected and configured locations.

Let's start configuring Self Service Password Reset

Go to Azure Active Directory > User settings and open Manage user feature preview settings. Next, select a specific user group, or enable this for all your users.


Next up is to create a Conditional Access policy with the following settings:

  1. Enter a name for this policy, something like "Info Registration on Trusted Networks" or anything that fits your company naming policy.
  2. Under Assignments, click Users and groups, and select the users and groups you want this policy to apply to.
  3. Under Cloud apps or actions, select User actions and check Register security information (preview).
  4. Under Conditions > Locations:
     • Set Configure to Yes. Include Any location and exclude All trusted locations.
  5. Under Access controls > Grant:
     • Click Block access, then click Select.

With this configuration we block all access from all locations except the ones you have configured as your trusted locations.


  6. The last step is to enable the policy by setting it to On. Then click Save, and the policy is activated immediately.
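The same policy expressed as a Microsoft Graph conditionalAccessPolicy body, with a small evaluator that shows which sign-ins it stops. This is an added example, not code from the original post; the Graph property names and the well-known values "All", "AllTrusted", "urn:user:registersecurityinfo" and "block" are real, while the group id, the named-location id and the sample sign-ins are constructed placeholders.

```python
# Placeholder ids and sample sign-ins below are constructed for this example.
PLACEHOLDER_GROUP_ID = "00000000-0000-0000-0000-000000000001"
TRUSTED_NAMED_LOCATIONS = {"named-location-hq"}   # named locations marked "trusted"

POLICY = {  # Microsoft Graph conditionalAccessPolicy body for the steps above
    "displayName": "Info Registration on Trusted Networks",          # step 1
    "state": "enabled",                                             # step 6: On
    "conditions": {
        "users": {"includeGroups": [PLACEHOLDER_GROUP_ID]},         # step 2
        "applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},  # step 3
        "locations": {"includeLocations": ["All"],                  # step 4
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},  # step 5
}

def _location_matches(selector, location):
    """Resolve the well-known selectors 'All' and 'AllTrusted' or a named-location id."""
    if selector == "All":
        return True
    if selector == "AllTrusted":
        return location in TRUSTED_NAMED_LOCATIONS
    return selector == location

def policy_applies(policy, signin):
    """True only when user, user action and location are all in scope (include minus exclude)."""
    cond = policy["conditions"]
    if signin["group"] not in cond["users"]["includeGroups"]:
        return False
    if signin["user_action"] not in cond["applications"].get("includeUserActions", []):
        return False
    loc = cond["locations"]
    included = any(_location_matches(s, signin["location"]) for s in loc["includeLocations"])
    excluded = any(_location_matches(s, signin["location"]) for s in loc["excludeLocations"])
    return included and not excluded

def decision(policy, signin):
    """'block' when an enabled policy with a Block grant control applies, else 'allow'."""
    if policy["state"] != "enabled" or not policy_applies(policy, signin):
        return "allow"   # report-only or out of scope: the user is not stopped
    return "block" if "block" in policy["grantControls"]["builtInControls"] else "allow"

# Constructed sign-ins: registering security info from the office vs. from an
# unknown network, and an ordinary app sign-in that the policy does not target.
OFFICE_REGISTER = {"group": PLACEHOLDER_GROUP_ID, "user_action": "urn:user:registersecurityinfo",
                   "location": "named-location-hq"}
CAFE_REGISTER = {**OFFICE_REGISTER, "location": "unknown"}
CAFE_OUTLOOK = {**CAFE_REGISTER, "user_action": None}
```

The evaluator makes the two common surprises visible: a user outside the assigned group, or a policy left in report-only state, is never blocked.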

Instead of Cloud apps, you can select User actions.


Before we go to the user experience, you can also check out this blog to optimize the security of user accounts even further.

End-user experience

From an end-user perspective, you would go to either https://aka.ms/setupsecurityinfo or https://aka.ms/mfasetup. When users do this from an untrusted location, they will not have access to either of these pages.
