real-world SSPR authentication small enterprise

Posted by itmgr2024@reddit | sysadmin | View on Reddit | 13 comments

About 500 active users. Office 365 E3, security defaults, no entra premium, no conditional access, no intune. Want to implement SSPR. We are not in a high risk or highly regulated industry. Is Microsoft Authenticator as the only authentication realistically acceptable here? I have read some and opinions seem to be mixed. Yes I understand if is very unlikely that someone would steal a user’s unlocked phone, or that the phone would not have PIN and/or biometrics enabled. These are personal cell phones and I don’t believe I have a way to enforce that (without additional software). I was thinking authenticator + alternate email, then I think about the number of people who will have lost access to the account. SMS seems a bit pointless if they already have the phone. For execs/finance/hr i am thinking not use SSPR at all, or give them hard tokens. What do you recommend? Thanks

Reply to Post

13 Comments

[-]

khaos4k@reddit

You can require that the user unlocks Microsoft Authenticator with biometrics using Intune MAM.

[-]

itmgr2024@reddit (OP)

We don’t have intune

[-]

khaos4k@reddit

Ah sorry. Mixed up O365 and M365. Not for the first time and probably not the last.

[-]

potable_plethora@reddit

honestly for 500 users without the premium bells and whistles, you're overthinking this. authenticator + alternate email is fine - most people can figure out their backup email situation when they have to. the folks who lose access to both are gonna be calling the helpdesk anyway, sspr or not. sms is actually useful as a backup method even if they have the phone because people break/lose/factory reset phones all the time. sure it's not the most secure but for your threat model it's probably fine. i've seen way too many users get locked out because there phone died and they never set up the alternate email properly. for the c-suite definitely skip sspr and just handle those manually - they're gonna call you anyway the moment something doesn't work exactly how they expect it to.

[-]

itmgr2024@reddit (OP)

thanks. so you recommend alternate email over SMS, or I should allow either one?

[-]

AppIdentityGuy@reddit

O365 E3 contains conditional access. I would certainly move away from security defaults. For your senior execs I would look at physical passkeys like Yubikeys and move away from passwords entirely.

[-]

itmgr2024@reddit (OP)

No it doesn’t. M365 does O365 doesn’t.

[-]

AppIdentityGuy@reddit

https://www.google.com/search?q=what+entra+licenses+are+included+with+O365+e3&client=ms-android-samsung-ss&hs=gYHp&sca_esv=dc45e1216515a3e4&sxsrf=ANbL-n7Y75HtZcE71p6vEh_F1JEIzG6Kow%3A1770098819921&ei=g5CBaabzN5qdhbIP19-7sAU&oq=what+entra+licenses+are+included+with+O365+e3&gs_lp=EhNtb2JpbGUtZ3dzLXdpei1zZXJwIi13aGF0IGVudHJhIGxpY2Vuc2VzIGFyZSBpbmNsdWRlZCB3aXRoIE8zNjUgZTMyCBAAGKIEGIkFMggQABiABBiiBDIIEAAYogQYiQUyCBAAGIAEGKIEMggQABiiBBiJBUi2YFCEE1iUVnAIeACQAQCYAdoDoAGYH6oBCTEuMC45LjMuMbgBA8gBAPgBAZgCC6ACqQfCAgoQABiwAxjWBBhHwgIFEAAY7wXCAgcQIxiwAhgnmAMAiAYBkAYIkgcHOC4wLjIuMaAH8lqyBwUyLTIuMbgH_AbCBwcwLjEuNS41yAdBgAgA&sclient=mobile-gws-wiz-serp#lfId=ChxjMe

[-]

altodor@reddit

https://m365maps.com/comparing.htm#Microsoft-365-E3/Office-365-E3 Conditional access is EMS E3 and in M365 E3, but not O365 E3. E3 isn't universally E3.

[-]

itmgr2024@reddit (OP)

Office 365 E3 does not include premium entra.

[-]

Reptull_J@reddit

Microsoft Authenticator only isn’t possible, unless something recently changed https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks#authentication-methods You have o365 and not m365 licenses?

[-]

itmgr2024@reddit (OP)

it says that applies “if an organization hasn't migrated to the centralized Authentication methods policy”

[-]

itmgr2024@reddit (OP)

Yes that’s right. Office 365 E3