SSPR
Posted by ancient-Egyptian@reddit | sysadmin | 19 comments
We are thinking of rolling out SSPR this summer to our company. Have around 10k users. I'm sort of afraid of allowing my users to reset their passwords from non-managed devices. A lot of our users have the authenticator app on personal devices which are registered but not firm-managed. Maybe there is some configuration whereby users can approve MFA on their registered device but only reset their password from a firm-managed, Intune-compliant device?
Lancegoodheart@reddit
The default SSPR capability in Entra has these limitations where your users can reset passwords from non-managed devices. An alternative option would be to go for an on-premises SSPR (something like Securden SSPR) (in this case, the capability of resetting passwords from a URL would be restricted to the network). Attackers can't register their own device unless they have access to the network and also know the domain user's password to register their device.
Also enable multiple authentication methods to be used before the user can reset, and allow an admin to approve in case the user can't access the auth methods. Disable TOTP authenticators and use other auth methods that cannot be spoofed by the attacker.
BuffaloRedshark@reddit
We had it for a while. Our cyber security department freaked out and made it go away.
MissionSpecialist@reddit
I hope for their sake that the alternative isn't a bottom-dollar helpdesk that doesn't even bother to authenticate the user half the time, even when the caller claims to be a C-level employee...
NoDowt_Jay@reddit
Interested to see what replies come up here. We've only recently enabled password writeback & security were strict in requiring us to configure a CA policy to only allow Entra password change from managed devices.
The trouble with this comes when you realise the CA action “register security info” covers both password change & MFA registration…
You can get personal phones setup for MS authenticator via mysignins on managed devices & scanning the QR code on personal device… but this doesn’t allow you to setup passwordless auth.
We have not enabled SSPR yet (and might not), however from my initial investigations, that workflow doesn’t even hit CA policies…
MissionSpecialist@reddit
We're in the same configuration with SSPR enabled, and it works fine.
Initially required compliant devices for "register security info" to prevent attackers from registering their own MFA method after a user cheerfully gave them his creds and approved the MFA push notification.
That obviously predates the move to number-matching which should make that scenario far less likely, but we haven't had any need to reverse the policy yet.
That said, we're just now getting into Autopilot and Entra-joined devices, so perhaps there's a pain point in this scenario...
alraffa218@reddit
DM'ed you!! Can help you out if I get more context or details.
AddMoreLimes@reddit
You can require multiple factors for the password reset, such as using Authenticator and confirming the pre-registered mobile number and getting a call/text for a second factor.
We put QR stickers on new laptops and around the office to direct people to the reset website. The reduction in helpdesk calls is phenomenal once everyone is familiar with it. The first year I could type the short-code URL blindfolded, but now it's "socialized" so anyone can "tap the sign" if someone needs a reset.
ancient-Egyptian@reddit (OP)
And do you lock this down to certain managed devices or any device?
AddMoreLimes@reddit
Authenticator can be on BYOD, but it has to be pre-registered and meet requirements for being up-to-date etc.
There are many other levels required to actually access most resources, so actually unlocking the user's password doesn't get you access to anything besides a dumb terminal at this point.
gixxer-kid@reddit
What’s the fear?
When you enable SSPR you also choose your auth method, so users have to satisfy MFA.
What you should consider before this, is setting a CA policy where users can only register security methods on hybrid or Entra joined, compliant devices.
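The Conditional Access policy described in this comment (and in NoDowt_Jay's and MissionSpecialist's replies above), written out as an added example with Microsoft Graph PowerShell; it is not code from anyone in the thread. It assumes the Microsoft.Graph.Identity.SignIns module is installed, an account with Policy.ReadWrite.ConditionalAccess rights, and a placeholder group ID for the accounts you exclude (break-glass admins, for instance).

```powershell
# Added example: require a compliant or hybrid Entra joined device for the
# "Register security information" user action. Because that single user action
# also gates the combined security-info registration flow, start in
# report-only mode and review sign-in logs before enforcing.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder (assumed): object ID of the group to exclude, e.g. break-glass accounts.
$excludedGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA - Security info registration requires managed device"
    # Report-only first; switch to "enabled" after the pilot group checks out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($excludedGroupId)
        }
        applications = @{
            # The user action covering MFA/SSPR method registration.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # Either an Intune-compliant device OR a hybrid Entra joined device satisfies it.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read it back to confirm the user action and grant controls landed as intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "UserActions"; e = { $_.Conditions.Applications.IncludeUserActions -join "," } },
        @{ n = "Grant";       e = { $_.GrantControls.BuiltInControls -join "," } }
```

In report-only mode the sign-in logs show which registrations would have been blocked, which is where the "personal phone registered via a managed device" cases from the thread become visible before anyone is locked out.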
ancient-Egyptian@reddit (OP)
My fear would be an attacker would be able to register a device and then be able to reset the password from that registered device.
gixxer-kid@reddit
Do you have any controls around device registration?
Not being funny but it sounds like you’ve got quite a bit of pre-req work to do first.
If I was you I’d check device and security info registration and then use a pilot group to test SSPR thoroughly.
Think about how you’re expecting users to reset their passwords. From a managers machine? Is that always viable? At home? Etc etc
disposeable1200@reddit
Turn off device registration then?
You still need MFA to do the reset
I don't think you understand the SSPR controls
AppIdentityGuy@reddit
The SSPR flow doesn't touch any data. I don't think locking it to a managed device does anything to increase security. Initial MFA registration, which in the modern combined security registration combines both SSPR and MFA methods, must absolutely be done from a trusted location or trusted device.
0xmerp@reddit
If the user is locked out of their Entra account then wouldn’t they also be locked out of their office laptop lol
ancient-Egyptian@reddit (OP)
If you have authenticator on a personal device you can unlock it from there after a password reset
0xmerp@reddit
Ok but you still need to do the password reset itself somehow right? If the SSPR only works from a managed device then that means the user can only do SSPR if they can still log into their work computer. Which is not necessarily true
gixxer-kid@reddit
Not necessarily, no.
0xmerp@reddit
Probably should’ve added “usually”