Using filters to restrict security information registration from trusted devices

It has been a while since Microsoft has released the combined registration (security) feature that helps users to register for both MFA and SSPR can register once if the methods in the Azure AD Multi-Factor Authentication and SSPR policies are enabled. For more information about Combined security information registration please read https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined

One of the very common challenges that organizations had was, how can I restrict the security registration process within the trusted location and secure it from bad actors.

To enforce the security registration process from a trusted location only and block from any other, we can make use of the conditional access policy with grant access block, excluding all trusted locations. Follow the steps outlined in the Microsoft article here. Due to COVID and new variants coming up, the workforce is no longer working from a trusted location (office premises). So what other options do we have for a secure registration process?

Last year, Microsoft has announced the GA of filters for devices in Conditional Access policies which opens up lot more possibilities to restrict access to your resources.

In this blog post, we will see, how can we make use of the filters in Conditional Access policies to restrict the security information registration from trusted devices ONLY. The trusted devices can be of any device identity such as Hybrid Azure AD joined, Azure AD joined, or Azure AD registration. If your org allows only corporate-owned but not BYOD, we can do so as well with filters.

Login to Azure AD portal, click on security

Click on Conditional Access, Create new Policy

Create new Conditional Access Policy

Name: Restrict Security Information registration - trusted device only

select Users or workload identities, include users or groups based on your requirement. For POC, you can limit this to test group or couple of users before applying this across the ORG.

Click on Cloud apps or actions, select the drop down, choose user actions, enable Register security information

Register security information in conditional Access

Click on conditions, device platform, configure=Yes, include any device

Device platform

Click on Locations, configure=Yes, and choose any Location

Click on Client Apps, Configure=Yes, choose browser and mobile aps and desktop clients

Click on filters, Configure Yes and click on Exclude filtered devices from Policy, in the property, you see lot of options.

For trusted devices, the property name is TrustType, follow the settings as per below.

Rule Syntax: device.trustType -eq "ServerAD" -or device.isCompliant -eq True

Access Controls, Grant, select Block

Block Access

Enable policy, choose ON, click on Create.

This policy will now enforce the security registration only from the devices that are hybrid Azure AD joined or Azure AD joined.

For more information on supported device properties in Conditional Access policies using filters, please refer here

Leave a Reply