This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.
This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.
In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.
If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on 🙂