One part of the Microsoft 365 ecosystem that has always left a bad taste in my mouth is the initial onboarding. Not the setup in the admin center or the seemingly endless stream of last-minute ‘user starts tomorrow’ requests, but the experience the end user has the very first time they sign in.
Between initial password changes, multi-factor authentication registration and self-service password reset setup, users are poked and prodded for what seems like every bit of security information they can provide. However, this dilemma appears to be coming to an end!
Officially the feature is still in preview (and we all know how that went with Baseline Policies) but it has been given the glamorous name of Combined Security Information Registration. It is Microsoft’s attempt to streamline the initial onboarding process, consolidating both the MFA and SSPR setup into a simple two-step process.
It’s ‘Opt In’
To get started with the feature, head to the Azure Active Directory portal, to User Settings and select Manage user feature settings at the very bottom.
The feature can be enabled for select users, such as a pilot group, or rolled out across the tenant for all users. You should also make sure that this same scope has self-service password reset enabled, which is configured under Password Reset in the Azure AD portal.
Earlier I joked about it being a preview feature and how that ended for Security Defaults; however, it’s important to recognise that its final form may be different if it moves to general availability. This could have impacts on any training material or processes you create.
The end user experience
When a new user logs in for the first time, whether that’s directly to the web portal or through a device or application sign-in, they should be prompted to change their password before they are prompted for more information.
Organisations using Security Defaults (the replacement for Baseline Policies) will be given the option to Skip for now while those using Conditional Access policies to enforce MFA won’t have that option.
Selecting Next will direct the user to the new setup experience, first prompting them to download the Microsoft Authenticator app for their smartphone, then to add a backup phone number. If users or organisations opt to use a third-party authenticator app, that is also supported.
Once the user completes both registration steps, it’s all done, that’s it! By default, they’ll receive authentication prompts using the authenticator app; however, this is customizable.
Not only can users change their preferred sign-in method but they can monitor their sign-in activity, manage their devices, authentication methods, view privacy statements and more from the new end user experience available here: https://aka.ms/mysecurityinfo
This is something that has been long overdue and I believe will make the onboarding process even simpler. As for those organisations who haven’t rolled out self-service password reset or the all-important multi-factor authentication, this new process will be of great benefit in simplifying the deployment process.