About Combined security information registration

Question

Dear Office365 Experts,

We have Office365 environment and local AD. We use ADConnect for sync'ing objects to Office365. We use a third party tool for SSPR. But soon ago, Combined security information registration came and we think about using it..

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined

I have some questions please.

1- This means SSPR and MFA uses same attribute for phone numbers? Is this attribute visible in address books and contact cards? Hope it is not because our company rules are against it for GDPR.

2- We using Office365 MFA already. Do we need to enable SSPR too before using this? Or it does enables SSPR automatically too?

3- We need to enable password writeback in ADConnect before?

4- Can we enable Combined security information registration for some users only? If we enable password writeback and enable Combined security information registration for some users, will it be problem for other users?

Thank you very much..

Answer 1

Hi @Mehmet Cüneyt Durgun , Please find the response inline.

1- This means SSPR and MFA uses same attribute for phone numbers? Is this attribute visible in address books and contact cards? Hope it is not because our company rules are against it for GDPR.

Yes, SSPR and MFA uses same attribute for MFA. This information is not stored in TelephoneNumber or Mobile attribute and it is protected and not visible in address books and contact cards. In addition to that, you may use any of below methods for SSPR as well:

2- We using Office365 MFA already. Do we need to enable SSPR too before using this? Or it does enables SSPR automatically too?

Enabling MFA doesn't automatically enable SSPR. To enable SSPR, you would need to navigate to Azure portal > Azure Active Directory > Password reset > Properties > select All or Selected users or groups.

3- We need to enable password writeback in ADConnect before?

Yes, if you are synchronizing identities from On-prem AD, you would need to enable password writeback for SSPR to work.

4- Can we enable Combined security information registration for some users only? If we enable password writeback and enable Combined security information registration for some users, will it be problem for other users?

To enable Combined security information registration for some users, navigate to Azure portal > Azure Active Directory > User settings > Click on "Manage user feature preview settings" link > Under "Users can use the combined security information registration experience", select group for which you would like to enable Combined sec info registration. This will not cause any problem for other users.

Note: Make sure you meet the Licensing requirements for Azure Active Directory self-service password reset.

-----------------------------------------------------------------------------------------------------------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.