News

Azure AD Users Get MFA and Password Reset Registration

• By Kurt Mackie
• 04/16/2020

A new Azure Active Directory registration process became generally available (GA) this week, adding multifactor authentication (MFA) and self-service password registration.

The new combined registration process is a key part of Microsoft's emphasis on enabling MFA use, according to Alex Weinert, director of identity security at Microsoft. "I am incredibly pleased about this -- a huge part of our work to improve our creds management experience for end users and admins, and a core part of our MFA everywhere and passwordless strategies," Weinert stated in a Twitter post.

The feature had been at the preview stage since February of last year. Later, in May, Microsoft added conditional access protections to the combined registration experience. Previously, end users had to separately register to use these two security features, according to a Microsoft "Overview" document.

End User Setup Process
Essentially, end users with mobile devices, and perhaps working remotely, can more easily set up the MFA and self-service password reset security features using either the Microsoft Authenticator App or the My Profile site (https://myprofile.microsoft.com). When logging into the app or the portal, end users will get prompted to go through the "Keep your account secure wizard," according to a Microsoft "Setup" document, which describes the end user workflow.

The setup of MFA and self-service password reset by end users involves using the wizard with a work or school Microsoft account. The secondary verification methods that can be chosen for the registration process include using the Authenticator App, responses to text messages or phone calls, a security key, an e-mail account or by answering security questions, according to the Setup document. However, the last two methods, e-mail and security questions, just enable verification for the self-service password reset feature, not MFA.

The security keys are physical objects, such as a card, dongle or thumb drive. The keys can use FAST Identity Online 2.0 (FIDO2) identity verification technology, apparently. However, Microsoft had described FIDO2 use with Azure AD as being still at the preview stage back in July.

The use of conditional access with this combined registration process is also part of end user experience and is also at the GA stage. While licensing wasn't described in this week's GA announcement, Microsoft had indicated back in May that the combined registration approach was likely going to require an "Azure AD Premium P1 subscription."

Even though this new combined registration process for end users is at the GA stage, it's not automatically getting rolled out to tenancies. IT pros with "administrator" credentials have to enable it first using the Azure Portal. Microsoft's rationale is that "we want to give you the control over when you update your end user experiences."

The GA rollout of the combined MFA and self-service password reset registration process doesn't apply to government subscribers, who don't yet have access to this feature, according to the "Overview" document.

Azure AD B2B News
In other Azure AD news, Microsoft this week described optimal approaches for collaborating with partners using it Azure AD B2B (Business-to-Business) identity and access control service.

The announcement also explained that Microsoft is previewing a new capability that will let organizations convert existing guest accounts into Azure AD B2B accounts, which will keep intact "the user's ID, user principal name, group membership and app assignment." This capability will be available to tenancies "over the next couple weeks."

In November, Microsoft had announced it was possible to use Google IDs with the Azure AD B2B service. There's also an invite process whereby invitees get sent a PIN via e-mail that lets them access resources.