We would like to use SSPR (which has been implemented and tested already in our hybrid environment, AAD/on-prem AD) but we are facing an issue with the recovery options.
We can't use phones so we have to go for the email address.
We want to use an alternate email from the same domain, for the people to be able to reset their password, but mysignins.microsoft.com/security-info won't let us do that. I can understand that Microsoft has concerns about using an email from the same domain, but they are not blocking the alias, such as my_mail@*.onmicrosoft.com...
Bottom line is: is there a proper way for us to be able to use a recovery email that belongs to the same domain, without having to use an alias? Don't want to start using an option that could break in the future. Here's the warning message
Any hints? :)
Thank you
Haven't tested this, but try to use an alternative email address using this; you will need to play with Graph, though: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata#what-happens-when-a-user-registers
I don't see the limitation in using an email address for the recovery besides saying "This email address can't be your work or school email": https://docs.microsoft.com/en-us/azure/active-directory/user-help/security-info-setup-email
If the above does not work, I'd suggest either opening a support ticket or raising your concern in the Azure Feedback Forums: https://feedback.azure.com/forums/169401-azure-active-directory/category/166251-self-service-password-reset