Looking to add a CA to block registering security info unless in a trusted location, but I have to account for a remote workforce. These are the trouble areas I am thinking about:
- Onboarding - Using Autopilot w/ Entra Join. First sign-in is with a non-TAP initial password set to require a change at first sign-in. After sign-in at OOBE, MFA registration begins and the user sets up Authenticator.
- Existing user gets a new phone and no longer has the original phone, thus has no way to do MFA to register the new device.
For onboarding we can either temporarily exclude the user from the CA until MFA registration is completed in OOBE or have them do first sign in with a TAP.
For existing users who got a new phone but no longer have the old one, we have a SASE solution to get remote users access to on-prem hosted resources, and I have the SASE IPs listed as a trusted location, thus excluding this CA if connected to the SASE solution. The catch is, MFA is required to connect to the SASE network. So, if the user happens to already be connected, they can go to My Sign-ins to add their new phone. However, if they are not connected, the only option will be to give them a TAP, which would allow them to add a new device in Security Info or do MFA registration all over again (if "Require re-register MFA" is triggered on their user).
Is the above accurate? Am I missing any options or better ways to deal with these?
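As an added example (not from the post above), here is the Conditional Access policy described in the question expressed in Microsoft Graph PowerShell, created in report-only mode so you can see who would be blocked before enforcing, followed by the TAP issuance step for the new-phone case. It assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module), that the SASE egress IPs are already a trusted named location, and that TAP is enabled in the tenant's Authentication methods policy; the exclusion group object id and the user UPN are placeholders.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK
# and a delegated admin session with the scopes below.
# Placeholders: the onboarding exclusion group's object id and the affected user's UPN.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# 1. Block the "Register security information" user action from any location that is
#    not marked trusted. The SASE IPs are assumed to already be a trusted named
#    location, so "AllTrusted" covers them without repeating IP ranges here.
$policy = @{
    displayName   = "Block security info registration outside trusted locations"
    # Report-only first: observe the sign-in logs, then switch to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        users        = @{
            includeUsers  = @("All")
            # Placeholder group id: users temporarily exempted during Autopilot onboarding
            # or while re-registering with a TAP.
            excludeGroups = @("00000000-0000-0000-0000-000000000000")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. New-phone scenario: issue a short-lived, single-use Temporary Access Pass so the user
#    can satisfy MFA and register Authenticator on the new device. Placeholder UPN.
$tap = @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
$result = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId "user@contoso.example" -BodyParameter $tap

# The pass value is in $result.TemporaryAccessPass; hand it over out of band after
# verifying the requester's identity, and record the issuance for audit.
$result | Select-Object Id, StartDateTime, LifetimeInMinutes, IsUsableOnce
```

Two design points worth noting about this policy. First, the grant control is Block, and a block is enforced regardless of how the user authenticated, so a TAP by itself does not get a remote user past it; the exclusion group (or a trusted location such as the SASE range) is what opens the registration window, and the TAP is what lets them satisfy MFA inside that window. Second, keeping the policy in report-only mode while Autopilot onboarding runs surfaces exactly which sign-ins would have been blocked at OOBE, which is the quickest way to validate the exclusion approach before flipping the state to enforced.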