Admin users are able to register third party software tokens due to SSPR authorization policy.

[joibarr]

Specifications:

• Only impacting admin users
• Combined registration migration is completed.

This document needs to clarify that even if the third party software token policy is disabled in the new authentication methods portal, because the SSPR Administrator policy enable by default all the methods for the admin users, these admin users are able to register third party software token apps that can be used to complete SSPR.

I was able to register a Google Authenticator even though the policy is disabled.

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: b1765376-03c9-829a-9e42-e72cc8a0daea
• Version Independent ID: 684c7d7c-09f4-8170-6f7a-132b2d79e1df
• Content: Self-service password reset policies - Microsoft Entra ID
• Content Source: docs/identity/authentication/concept-sspr-policy.md
• Service: entra-id
• Sub-service: authentication
• GitHub Login: @Justinha
• Microsoft Alias: justinha

[PesalaPavan]

@joibarr
Thanks for your feedback! We will investigate and update as appropriate.

[PesalaPavan]

@joibarr
Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.

[Justinha]

@joibarr sorry for delay and thanks for the suggestion. I added this to the topic. #please-close