Category: azure windowsazuread
T_N_V on Mon, 07 Nov 2016 18:59:10
With SSPR enabled for everyone, is there a way to skip SSPR registration for users without the use of an AAD Group?
For example, are there any additional attributes an Admin can set, so that a user can already be registered and verified for SSPR without having to set and verify their numbers themselves?
Philippe Signoret on Tue, 08 Nov 2016 08:26:28
It's not clear if you want to skip registration (and thus disable SSPR for the user, which is what I gathered from the first question), or if you want to register the user for SSPR without that user's interaction.
In either case, no, you can't.
If you want a user to not be allowed to do self-serve password reset, then you need to put them in a group, and use that group in the "Except" field.
If you want to do SSPR registration on behalf of a user, this is not supported today. However, you can pre-fill some of the fields so that the registration experience is more streamlined. (It depends on which authentication methods you've configured, but here is the list with all the data that may be used: https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords-learn-more/#what-data-is-used-by-password-reset.)
The main reason the registration is required is because we need to confirm that the user actually does have access to the mobile phone (for SMS/call/app), or to the alternate email address (for authentication email).