🎯 Purpose
✅ Restrict MFA registration and security‑info updates so they can only be completed from a managed (compliant or domain‑joined) device.
➡️ This is a security‑hardening control preventing users from adding/changing authentication methods from untrusted or unmanaged devices.
👥 Who is affected
✅ Users: All users
🚫 Exclusions: One exception group (typically a break‑glass/admin group)
➡️ Every user must use a compliant or domain‑joined device to register or update MFA/security information.
☁️ What access is protected
✅ User action protected:
Security info registration
MFA setup
Adding/changing authentication methods
SSPR method registration
Auth method recovery updates
➡️ This does not protect an application — it protects the user action:
urn:user:registersecurityinfo
🔐 How this control is enforced
✅ Access is only granted if the device is:
Intune‑compliant, OR
Hybrid AD‑joined
➡️ Devices that are only Entra‑joined (AADJ) are not accepted on join state alone; they must also report as Intune‑compliant to be allowed.
Attempts from unmanaged devices, including sessions authenticated with a password only, are blocked from performing MFA/security‑info updates.
⚙️ What this policy does NOT enforce
🚫 MFA for all sign‑ins
🚫 Device compliance for application access
🚫 Location restrictions
🚫 Platform restrictions
🚫 Terms of Use
🚫 Risk‑based conditions
➡️ This policy only controls the security info registration action and nothing else.
🟢 Policy status
⚠️ Enabled (Report‑Only)
➡️ Not enforcing yet — currently evaluating impact only.
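The sections above map one‑to‑one onto a Microsoft Graph conditionalAccessPolicy object. The following is an added example, not code from the original policy document or from Microsoft: it builds that Graph payload (all users, one excluded group, the urn:user:registersecurityinfo user action, compliant OR hybrid‑joined grant, report‑only state) and includes a small local emulation of the grant decision so the device‑state cases can be checked offline. The display name, the placeholder exclusion group id, and the would_grant() emulation are assumptions; the emulation covers only this policy and reports what it would decide if enforced, ignoring report‑only mode and any other policies in the tenant.

```python
"""
Added example (not part of the original policy summary): construct the Graph
v1.0 conditionalAccessPolicy body for "require a managed device to register
security info" and emulate its grant decision for a few device states.

Assumptions not on the page:
  - EXCLUSION_GROUP_ID is a placeholder; replace with the break-glass group id
  - the display name is made up
  - would_grant() is a simplified local emulation, not the Graph API, and
    ignores the report-only state and every other policy in the tenant
"""
import json
import urllib.request
from typing import Dict, Optional, Set

EXCLUSION_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
USER_ACTION_REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"


def build_policy(exclusion_group_id: str = EXCLUSION_GROUP_ID,
                 report_only: bool = True) -> Dict:
    """Return the Graph conditionalAccessPolicy body matching the control."""
    return {
        "displayName": "CA - Require managed device for security info registration",
        # enabledForReportingButNotEnforced is the portal's "Report-only" state
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [exclusion_group_id],
            },
            "applications": {
                # Targets the user action, not a cloud application
                "includeUserActions": [USER_ACTION_REGISTER_SECURITY_INFO],
            },
        },
        "grantControls": {
            # OR: either built-in control on its own satisfies the grant
            "operator": "OR",
            "builtInControls": ["compliantDevice", "domainJoinedDevice"],
        },
    }


def would_grant(policy: Dict, user_group_ids: Set[str],
                device_compliant: bool, device_hybrid_joined: bool) -> Optional[bool]:
    """
    Emulate the grant decision for the policy shape above (assumption: simplified).
    True  -> access granted, False -> blocked,
    None  -> user is in an excluded group, so this policy does not apply.
    """
    if user_group_ids & set(policy["conditions"]["users"]["excludeGroups"]):
        return None
    controls = policy["grantControls"]["builtInControls"]
    satisfied = []
    if "compliantDevice" in controls:
        satisfied.append(device_compliant)
    if "domainJoinedDevice" in controls:
        satisfied.append(device_hybrid_joined)
    if policy["grantControls"]["operator"] == "OR":
        return any(satisfied)
    return all(satisfied)


def create_policy(access_token: str, policy: Dict) -> Dict:
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess).
    Network call; deliberately not invoked at import time."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    p = build_policy()
    print(json.dumps(p, indent=2))
    # Entra-joined only (not hybrid, not compliant): blocked
    print("AADJ, non-compliant ->", would_grant(p, set(), False, False))
    # Intune-compliant: granted even without hybrid join
    print("Intune-compliant   ->", would_grant(p, set(), True, False))
```

The would_grant() cases worth checking are the ones the policy text calls out: a compliant device passes, a hybrid‑joined device passes, a device that is merely Entra‑joined and non‑compliant is blocked, and a member of the exclusion group is simply out of scope rather than granted.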
📘 Practical Interpretation (Executive‑Friendly)
This Conditional Access policy ensures that:
✅ Every user
✅ Attempting to register or update MFA/security info
✅ Must be on a managed device (Intune‑compliant or hybrid‑joined)
This prevents attackers or malicious insiders from adding new authentication methods from untrusted devices, and forms part of a stronger identity‑protection baseline.