I worked with a customer recently who had a lot of global users who were not always on their corporate network. They decided to implement Azure AD MFA, and requested that everyone should register their security information to be able to use MFA.
This carried a certain security risk, in that they could not restrict where those registrations came from. What if someone else, in another country, registered security information for a user's account before the legitimate user did?
Well, now we can restrict those registrations so that they can only be completed from our corporate network, or from other networks we know about.
To do this, we go to Azure AD https://aad.portal.azure.com and click on Conditional Access under Security
Create a new Conditional Access policy;
Give the policy a name, like Azure MFA Registration
Click on Cloud apps or actions, toggle to User actions, and tick Register security information.
Skip down to Conditions and select Location
Toggle Configure to Yes.
On the Include tab select All Locations
On the Exclude tab select Trusted Locations
What this does is apply the policy to any location that is not in your Trusted Locations (you will need to have defined those previously under Named Locations).
Click Done twice
We then scroll down to Access Controls, click on Grant and then choose Block
Click on Done
We then just need to toggle Enable Policy to On. Once that is completed you should be able to click Create
With this deployed, any user who needs to register for Azure MFA or Self Service Password Reset must be on a network location that you have defined as trusted, which is done by adding the network to Named Locations and marking it as Trusted.
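The same policy can be built with Microsoft Graph PowerShell, which is handy when you want it under version control or repeatable across tenants. The script below is an added example, not something from the original post or from Microsoft's documentation. It assumes the Microsoft.Graph module is installed, that the policy should target all users (the portal requires a Users assignment, which the post does not mention), and it uses the 203.0.113.0/24 documentation range as a stand-in for your real corporate egress range.

```powershell
# Added example (not from the original post): create the trusted named location and the
# "Register security information" block policy with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; 203.0.113.0/24 is a placeholder for the
# corporate egress range; the policy targets all users.
Import-Module Microsoft.Graph.Identity.SignIns

# Permissions needed to manage named locations and Conditional Access policies.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Define the corporate network as a trusted named location. This is what the policy's
#    "Trusted Locations" exclusion refers to, so it must exist before the policy does.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate network"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"   # placeholder; use your real egress range(s)
        }
    )
}

# 2. Build the policy exactly as the portal steps describe:
#    user action = Register security information, locations = All except AllTrusted, grant = Block.
$policy = @{
    displayName   = "Azure MFA Registration"
    # Start in report-only so the sign-in logs show who would have been blocked before you enforce it.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            # Put the object IDs of your emergency-access (break-glass) accounts here so a
            # blocking policy can never lock you out of the tenant.
            excludeUsers = @()
        }
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Read the policy back and confirm what the service actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "UserActions";      e = { $_.Conditions.Applications.IncludeUserActions } },
        @{ n = "ExcludeLocations"; e = { $_.Conditions.Locations.ExcludeLocations } },
        @{ n = "Grant";            e = { $_.GrantControls.BuiltInControls } }

# 4. Once the report-only results look right, switch it to enforced (the portal's "Enable policy: On").
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The `AllTrusted` value in `excludeLocations` is the API equivalent of ticking All trusted locations on the Exclude tab, so any named location later marked as Trusted is picked up without editing the policy. Before flipping the state to `enabled`, try the registration flow with a test account from a network outside the trusted range and check the Sign-in logs entry for that attempt: the Conditional Access tab should show this policy with a result of Report-only: Failure, which confirms the location and user-action conditions matched as intended.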