How to exclude a subset of users from requiring authentication info when first signing in

    Question

  • In my Azure AD tenant, I currently have it configured so that users logging in for the first time must register at least one authentication method (e.g. an alternate email, a phone number). This is useful for MFA and self-service password reset (SSPR) - screenshot here.

    I want to have several non-interactive service accounts that will not be configured for either MFA or for SSPR. Therefore, these non-interactive service accounts do not need alternate authentication methods. However, under my current setting, these service accounts are prompted to enter alternate authentication methods on first login:

    • First with the "More Info Required" screen (screenshot), which you cannot cancel out of
    • And then with the "don't lose access to your account!" screen (screenshot), which actually does allow for the user to cancel the operation

    This is extra inconvenient because, when adding an email, email verification is required, which doesn't allow us to do this programmatically (screenshot).

    If I do just click "Cancel" on the "don't lose access to your account!" screen, I can simply proceed to sign-in without inputting alternate authentication methods (screenshot).

    So the question is: how can I exclude a certain subset of users (e.g. non-interactive service accounts) from requiring alternate authentication info when first signing in?


    Wednesday, May 22, 2019 1:40 PM

Answers

  • Hi Frank,

    Thank you for your answer. The feedback link that you posted relates to MFA, while my issue has to do with alternate authentication info *for self-service password reset (SSPR)*. MFA isn't in the picture in my scenario (i.e. not enforced or configured in Azure AD Conditional Access or in Azure AD Identity Protection).

    I did however find a solution to this problem. Under Password Reset -> Properties, we can select to include only a subset of groups for SSPR. This keeps non-included groups from being requested alternate authentication info. Screenshot:

    https://carlostransitfiles.blob.core.windows.net/sharefiles/password-reset-solution.png

    However, the problem is that this feature is only an Include list, and does not contain an Exclude list. This means that if I have 100 user accounts, and I only want to exclude 2 accounts from SSPR and from requiring alternate authentication info, I would have to create and maintain a group with those 98 accounts to explicitly include. I could not simply select the 2 accounts to exclude.


    Thursday, May 23, 2019 2:05 PM
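The maintenance burden described in the answer above (an Include-only list, so the "everyone except the service accounts" group has to be kept in sync by hand) can be automated. The script below is an added example, not from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, an existing security group that has been selected under Password Reset -> Properties, and placeholder group name and service-account UPNs.

```powershell
# Added example: reconcile the SSPR "include" group so it contains every enabled
# member user EXCEPT the listed service accounts. Group name and UPNs are placeholders.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'GroupMember.ReadWrite.All'

$includeGroupName = 'SSPR-Included-Users'        # placeholder: group chosen under Password Reset -> Properties
$excludedUpns     = @('svc-backup@contoso.example',
                      'svc-sync@contoso.example')  # placeholder non-interactive service accounts

$group = Get-MgGroup -Filter "displayName eq '$includeGroupName'"
if (-not $group) { throw "Group '$includeGroupName' not found" }

# Desired membership: enabled member users minus the exclusion list.
# -notcontains compares case-insensitively, so UPN casing differences do not matter.
$desired = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
                      -Property Id, UserPrincipalName |
           Where-Object { $excludedUpns -notcontains $_.UserPrincipalName }
$desiredIds = [System.Collections.Generic.HashSet[string]]::new(
                  [string[]]$desired.Id, [System.StringComparer]::OrdinalIgnoreCase)

# Current membership of the include group (object ids only).
$currentMembers = Get-MgGroupMember -GroupId $group.Id -All
$currentIds = [System.Collections.Generic.HashSet[string]]::new(
                  [string[]]$currentMembers.Id, [System.StringComparer]::OrdinalIgnoreCase)

# Add users that should be in scope but are missing.
foreach ($id in $desiredIds) {
    if (-not $currentIds.Contains($id)) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $id
        Write-Host "Added $id to $includeGroupName"
    }
}
# Remove anything that should not be in scope (e.g. an excluded service account that was added by hand).
foreach ($id in $currentIds) {
    if (-not $desiredIds.Contains($id)) {
        Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $id
        Write-Host "Removed $id from $includeGroupName"
    }
}
```

Run it on a schedule so new users are picked up automatically; adding `-WhatIf` to the New-MgGroupMember and Remove-MgGroupMemberByRef calls previews the changes without applying them.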

All replies