MFA: only allow initial setup from inside the corporate network.
Please allow configuration of initial MFA setup for users so that they can only provision MFA from within our corporate network. Also the ability to pre-provision and lock down their MFA settings (cell phones etc.). We need to be able to make sure that not just anyone from outside can do the initial provisioning of a user's MFA setup, in case a user's password is compromised.
Martin Lapos commented
There is a preview available in Conditional Access policy:
- Go to "Cloud Apps or actions"
- Select "User actions"
- Tick the "Register security information (Preview)" checkbox
- Configure the "Conditions" -> "Locations" as desired
- Select the proper Grant/Block Access control
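The same policy as the portal steps above, expressed for the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft; it assumes that named locations marked as trusted already exist in the tenant, that the Microsoft.Graph module is installed, and that the excluded account id is a placeholder for an emergency-access account.

```powershell
# Added example (not from the thread): the Conditional Access policy from the
# steps above, built with the Microsoft Graph PowerShell SDK.
# Assumptions: named locations marked "trusted" already exist in the tenant,
# and the excluded object id below is a placeholder for a break-glass account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block security info registration outside trusted locations"
    # Report-only first: check sign-in logs for what would be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Placeholder id: an emergency-access account kept out of every CA policy.
            excludeUsers = @("00000000-0000-0000-0000-000000000000")
        }
        # "User actions" -> "Register security information" from the steps above.
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        # "Conditions" -> "Locations": everywhere except named locations marked trusted.
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    # Grant/Block access control: block.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switch `state` to `enabled` only after the report-only results show no legitimate registrations would be blocked; a user whose password has been stolen can then not register a new phone from an untrusted network, which is the gap the original request describes.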
Olli Dx commented
This feature is well needed because our security will not accept the MFA Authenticator App without it.
As mentioned first by DanielK8507, if the "proofup" page was considered an app on its own, we could leverage Conditional Access to restrict that to trusted locations.
They need identity vetting implemented for those attributes, including notifications to both current and previous contact information (e.g. email, phone, mailing address). We easily red teamed this where I worked, essentially doing the same thing as the posters said. When Xbox games have more security controls than a user's account and their MFA, that's a problem.
Same here, it is really needed to pre-configure users' initial setup so that the user can't change the information in the first step.
Benoit Machiavello commented
Same thing here. Currently there is no security with the MFA in Azure.
I'm stealing the CEO's password.
I just have to buy a prepaid cell phone in cash, I put this number on, and I can do whatever I want.
We have to be able to lock the method allowed for MFA, and lock the number allowed, for example with the mobile phone in AD.
Is there any update on this? Has anyone else found a solution?
Shawn Pederson commented
Yep, this is needed.
Please consider doing this. We are hesitant to use Azure MFA until we can have some control over where/how users will register their devices. It would be good if the MFA registration page was considered an 'App' that we could apply Conditional Access policies to.