One of the glaring holes in the SSPR and MFA registration process was that bad actors holding compromised credentials could complete SSPR or MFA registration themselves if the compromised account had not already registered.
One of my customers highlighted this to me, and the way we overcame the vulnerability was to populate Active Directory with mobile numbers and, through PowerShell, force the authentication method to text message rather than giving the end user a choice.
Finally, Microsoft have released a feature that can lock down the SSPR and MFA registration process to a corporate IP address or IP ranges. The following slides show how we enable this in a Conditional Access policy.
- Select all users and exclude the tenant Office 365 admin break-glass account.
- Select cloud apps or actions and select the ‘Register security information (preview)’ option.
- In locations, select ‘Any location’.
- Exclude all trusted locations.
- In the controls section, select ‘Grant access’ and ‘Require multi-factor authentication’.
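The same policy expressed as a Microsoft Graph PowerShell SDK call, added here as an example and not taken from the original post; it assumes the Microsoft.Graph module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and the break-glass account's object id is a placeholder to replace.

```powershell
# Added example: create the Conditional Access policy from the slides above
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of the tenant's break-glass admin account.
$breakGlassObjectId = "<object-id-of-break-glass-admin>"

$policy = @{
    displayName = "Require MFA for security info registration outside trusted locations"
    # Report-only lets you review which sign-ins would be affected;
    # change to "enabled" once the results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # All users, excluding the break-glass account
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassObjectId)
        }
        # User action: "Register security information"
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        # Any location, excluding all trusted (named) locations
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    # Grant access, require multi-factor authentication
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```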