
We would like to use SSPR (which has been implemented and tested already in our hybrid environment, AAD/on-prem AD) but we are facing an issue with the recovery options.

We can't use phones so we have to go for the email address.

We want to use an alternate email from the same domain, for the people to be able to reset their password, but mysignins.microsoft.com/security-info won't let us do that. I can understand that Microsoft has concerns about using an email from the same domain, but they are not blocking the alias, such as my_mail@*.onmicrosoft.com...

Bottom line is: is there a proper way for us to be able to use a recovery email that belongs to the same domain, without having to use an alias? Don't want to start using an option that could break in the future. Here's the warning message

Any hints? :)

Thank you

  • Do people in your domain normally have multiple email addresses with unique passwords? That sounds highly unusual to me. Remember that the point of this is to allow self-service password resets. – Michael Hampton Nov 08 '20 at 05:51
  • They only have one email address, but we would like to delegate the reset feature to someone else. I know it's a bit confusing, but we work in a very complex environment. The idea would be to use a shared mailbox. The SSPR recovery method would be to send an email to that shared mailbox. It would be accessible by admins, so that they can reset the password of a user if required. –  Nov 08 '20 at 09:58
  • That seems to be completely the opposite of self-service though. – Michael Hampton Nov 08 '20 at 21:51
  • Indeed, we are trying to make it work for us, because we don't have any other option at the moment. But I agree it wasn't designed to do what we are asking for. Our Azure Tenant is handled by a 3rd party company, making things more complicated than they should be. But still, I don't understand why MS is blocking mail addresses from the same domain. The mail that you're going to use to recover your account is your personal choice. IMHO. Anyway, thanks for your answers, it helps to know that other people wouldn't be willing to do things that way. Cheers :) –  Nov 09 '20 at 08:28

1 Answer


Haven't tested this, but try to use an alternative email address using this (you will need to play with Graph, though): https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata#what-happens-when-a-user-registers

I don't see the limitation in using an email address for the recovery besides saying "This email address can't be your work or school email": https://docs.microsoft.com/en-us/azure/active-directory/user-help/security-info-setup-email

If the above does not work, I'd suggest either opening a support ticket or raising your concern in the Azure Feedback Forums: https://feedback.azure.com/forums/169401-azure-active-directory/category/166251-self-service-password-reset

Noor Khaldi
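The answer points at setting the recovery address through Graph rather than through the self-service page. The script below is an added example, not code from the answer or from Microsoft's documentation; it uses the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns) to register an email authentication method for one user and then reads the method back, because whether Graph accepts an address on your own verified domain is exactly the part the answer says it has not tested. `$UserId` and `$RecoveryEmail` are placeholder parameters; the scope name and cmdlets are the SDK's own, the refusal to register the user's own sign-in address is this example's choice.

```powershell
# Added example (not from the answer): register an SSPR email method for one
# user via Microsoft Graph and confirm what the service actually stored.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
param(
    [Parameter(Mandatory)] [string] $UserId,        # placeholder: UPN or object id
    [Parameter(Mandatory)] [string] $RecoveryEmail  # placeholder: address to register
)

# Least privilege: the only Graph scope this operation needs.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Refuse to register the user's own sign-in address as the recovery address:
# a reset link delivered to the locked-out mailbox helps nobody.
$user = Get-MgUser -UserId $UserId -Property 'userPrincipalName','mail'
if ($RecoveryEmail -in @($user.UserPrincipalName, $user.Mail)) {
    throw "Recovery address must differ from the user's own sign-in address."
}

# A user has at most one email method; update it if present, else create it.
$existing = Get-MgUserAuthenticationEmailMethod -UserId $UserId
if ($existing) {
    Write-Host "Existing email method: $($existing.EmailAddress)"
    Update-MgUserAuthenticationEmailMethod -UserId $UserId `
        -EmailAuthenticationMethodId $existing.Id -EmailAddress $RecoveryEmail
} else {
    New-MgUserAuthenticationEmailMethod -UserId $UserId -EmailAddress $RecoveryEmail | Out-Null
}

# Read back: do not trust the write until the stored value matches.
$stored = Get-MgUserAuthenticationEmailMethod -UserId $UserId
if ($stored.EmailAddress -ne $RecoveryEmail) {
    throw "Graph stored '$($stored.EmailAddress)', not '$RecoveryEmail'."
}
"Recovery email for $($user.UserPrincipalName): $($stored.EmailAddress)"
```

Run it as `.\Set-SsprEmail.ps1 -UserId user@example.com -RecoveryEmail recovery@example.com` (both values are placeholders). Two points worth keeping in mind with the shared-mailbox design discussed in the comments: whoever can read the registered mailbox can complete a password reset for that user, so access to that mailbox needs to be controlled as tightly as the reset right it effectively grants, and the change itself is recorded in the tenant's audit log as an authentication-method registration, which is where a reviewer would look to see who pointed a user's recovery at a mailbox they do not own.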